MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5430394ea19a7c57dea6d2d07c389bb5fd12bb4e3e64f98911148ae0f870dfdf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 6

Intelligence 6 IOCs YARA 1 File information Comments

SHA256 hash:	5430394ea19a7c57dea6d2d07c389bb5fd12bb4e3e64f98911148ae0f870dfdf
SHA3-384 hash:	cf427b1c2bcbc1fa6d208e138de47c695bdf05f97746c5f0ca72973610fea31605e5948ff4d0c8d0017cfe33c58ebe89
SHA1 hash:	514ca38e20826863eac766857f97c05f269df219
MD5 hash:	b84464a09e8d707d1d1d60be6158224d
humanhash:	alaska-bacon-december-uniform
File name:	Telegram中文1版.exe
Download:	download sample
File size:	2'216'448 bytes
First seen:	2022-05-03 10:41:49 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	ec5bff8621035738ea190bd3a332b4b7
ssdeep	49152:o+oUnUNekVtjJC0mz0tBS7mvmZu8qzP5LON1F/syyryiOfNxKrWAi:/ooUNnVtjJCL08mOuRzgN1hfiOfNAi
Threatray	148 similar samples on MalwareBazaar
TLSH	T123A53330A6C9E9CCC54EE971550F4B2DC6380D1D70E5AB14834D7AA3AA327C4A37DB7A
TrID	52.9% (.EXE) Win32 Executable (generic) (4505/5/1) 23.5% (.EXE) Generic Win/DOS Executable (2002/3) 23.5% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):
dhash icon	e09a676060678ee0 (14 x AsyncRAT, 5 x ValleyRAT, 4 x Formbook)
Reporter	obfusor
Tags:	exe Farfli RAT

Intelligence

File Origin

# of uploads :

# of downloads :

301

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Telegram中文1版.exe

Verdict:

No threats detected

Analysis date:

2022-05-03 10:44:46 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/98f0a789-9dda-4fed-a75e-324b748faf53

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/268349/

Detection(s):

SecuriteInfo.com.W32.AIDetect.malware2.26898.17991.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Searching for synchronization primitives

Creating a window

Launching a service

Launching a process

Creating a file

Creating a process from a recently created file

Changing a file

Searching for the window

Enabling the 'hidden' option for recently created files

Sending a UDP request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/627107370d3e2bd52d24667d/reports/45f0886f-67d0-40fd-9136-14f6e903ad26/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/2352838c-3c0e-436e-8d6f-24ec083dda9b

Result

Threat name:

Unknown

Detection:

malicious

Classification:

n/a

Score:

68 / 100

Link:

https://www.joesandbox.com/analysis/987006

Signature

Antivirus / Scanner detection for submitted sample

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5430394ea19a7c57dea6d2d07c389bb5fd12bb4e3e64f98911148ae0f870dfdf/

Threat name:

Win32.Trojan.Antavmu

Status:

Malicious

First seen:

2022-05-03 07:19:35 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 26 (73.08%)

Threat level:

5/5

Verdict:

malicious

15de7f8defad6bace8c44bd3bd7725c10c0dc8336a58a7e8d92075a651fd61d0

1948cbc56b010af69cab63977edb0dfb76de1520291fd9eac8777a887f006adc

3fb7ee49dcc8efa9cb3eb8ed2b5a36457b19a5ec0e20f715c90a0823c3f2a53e

56133c0d017af35f49253926e3583cf72c36146ab7faa65b6058971685166652

5b318a71a891d9f64fff9de8dc4868c9d1e563701a8272a6b281f295c7bdd43d

75b388003cc32b680abc3d9b41bc6c435af723de235eaab36a323fddcb906f62

799b7395c9f279d8cd1cd24657788ecb37db7ae03c0dddeb3344a95a551d1325

d003e8350d5dc3823f7c415c4b901a24c5731307bb3d0f464b3630bb1e0cb2ba

e6902e5efb53a1de2af93809a5103603aa8115e0f80fa95ade2461947bff4c7e

+ 138 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/220503-mrnkfsfffj/

Behaviour

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Unpacked files

SH256 hash:

5430394ea19a7c57dea6d2d07c389bb5fd12bb4e3e64f98911148ae0f870dfdf

MD5 hash:

b84464a09e8d707d1d1d60be6158224d

SHA1 hash:

514ca38e20826863eac766857f97c05f269df219

Link:

https://www.unpac.me/results/eda33a35-817d-4ee3-893a-201b0da0042b/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/5430394ea19a/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.10

Link:

https://yomi.yoroi.company/submissions/5430394ea19a7c57dea6d2d07c389bb5fd12bb4e3e64f98911148ae0f870dfdf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_MPress Create hunting rule
Author:	ditekSHen
Description:	Detects executables built or packed with MPress PE compressor

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/268349/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample