MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5579d51b343f1b16ee7f6533f18e7d513c90a330500b68a48541e891258cc8ff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5579d51b343f1b16ee7f6533f18e7d513c90a330500b68a48541e891258cc8ff
SHA3-384 hash: 20778ddc2acd8edbea79f7985ed08cde58a639232dc2a6dc993147b8217ca14d29002ec73d2376ac4cfe7c74dfa61060
SHA1 hash: 650411bc70fc9e9ccb72cf939eee35bef500e6cc
MD5 hash: 862309f22b7667056aca7d4d3f9f1296
humanhash: two-mountain-oscar-cat
File name:Ldrp.dll
Download: download sample
File size:112'640 bytes
First seen:2023-01-23 16:03:50 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 504e07031691ec0854e7084c0a3240a7
ssdeep 3072:bTivAcDhA7F5GfqM2pHNC8PNne1GEb/yNlO:bTivAmK7Fg6C5ryvO
Threatray 17 similar samples on MalwareBazaar
TLSH T1FCB312687764E6B9E1591674AF9A0B828AD52264B3500CE3C0F30C4F2D686E5FD3EB4C
TrID 54.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
8.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.8% (.EXE) Win32 Executable (generic) (4505/5/1)
3.5% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter 1ZRR4H
Tags:dll download-cdn.com TA505

Intelligence

File Origin
# of uploads :
1
# of downloads :
194
Origin country :
CL CL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/355959/
Detection(s):
Win.Packed.Lazy-9983625-0
Create hunting rule

Win.Packed.Lazy-9983626-0
Create hunting rule

Win.Packed.Lazy-9983627-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Searching for synchronization primitives
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/63ceaff31c9cbf7d6251af1d/reports/7c5c1049-9d87-41c5-a651-e08afe5aee3e/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/d277263f-d7ae-49ba-8d6b-f2332da6ea41
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/1157169
Signature
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Self deletion via cmd or bat file
System process connects to network (likely due to code injection or exploit)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 789909 Sample: Ldrp.dll Startdate: 23/01/2023 Architecture: WINDOWS Score: 76 81 Multi AV Scanner detection for domain / URL 2->81 83 Antivirus detection for URL or domain 2->83 85 Multi AV Scanner detection for submitted file 2->85 8 loaddll32.exe 1 2->8         started        10 explorer.exe 2->10         started        12 rundll32.exe 2->12         started        14 3 other processes 2->14 process3 process4 16 cmd.exe 1 8->16         started        18 regsvr32.exe 8 8->18         started        22 rundll32.exe 2 8->22         started        34 2 other processes 8->34 24 cmd.exe 1 10->24         started        26 rundll32.exe 12->26         started        28 cmd.exe 1 14->28         started        30 cmd.exe 14->30         started        32 rundll32.exe 14->32         started        dnsIp5 37 rundll32.exe 2 16->37         started        67 C:\Users\user\AppData\Local\...\B123.tmp.bat, ASCII 18->67 dropped 87 Self deletion via cmd or bat file 18->87 41 explorer.exe 1 18->41         started        69 C:\Users\user\AppData\Local\...\B152.tmp.bat, ASCII 22->69 dropped 43 explorer.exe 1 22->43         started        45 rundll32.exe 24->45         started        47 conhost.exe 24->47         started        89 System process connects to network (likely due to code injection or exploit) 26->89 49 rundll32.exe 28->49         started        51 conhost.exe 28->51         started        53 rundll32.exe 30->53         started        55 conhost.exe 30->55         started        73 64.190.113.123, 443, 49715, 49716 TRAVELCLICKCORP1US United States 34->73 75 download-cdn.com 152.89.196.75, 443, 49713, 49714 NEXTVISIONGB United Kingdom 34->75 file6 signatures7 process8 file9 71 C:\Users\user\AppData\Local\...\B162.tmp.bat, ASCII 37->71 dropped 91 System process connects to network (likely due to code injection or exploit) 37->91 93 Self deletion via cmd or bat file 37->93 57 explorer.exe 1 37->57         started        60 rundll32.exe 45->60         started        63 rundll32.exe 49->63         started        65 rundll32.exe 53->65         started        signatures10 process11 dnsIp12 77 192.168.2.1 unknown unknown 57->77 79 download-cdn.com 60->79 95 System process connects to network (likely due to code injection or exploit) 60->95 signatures13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5579d51b343f1b16ee7f6533f18e7d513c90a330500b68a48541e891258cc8ff/
Threat name:
Win32.Trojan.Lazy
Create hunting rule
Status:
Malicious
First seen:
2023-01-23 16:16:23 UTC
File Type:
PE (Dll)
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kv45kgzuh4nrn3t7muz7ddt5ke6jbizqkafwrjefihujcjmmzd7q._file
Verdict:
malicious
Similar samples:
10a251bed7a69a801631dd3764c671ce03f407861855de1555a3d1f5037309c4
129d230573fdb00a681a7f0c507bc16d2efcd08c4408f544f1d7653162b2cd92
28c67cdcd4523ca934a1b72c6c8f5ed39874b6b8f66e3f679cb1095f859f6e83
4b53141faa0056a011e8fa713851d73929ac70b6add0146333181c1bd598b96c
727bc43e3d9cdf3e79c2232cf3f647bdf94ad2012c31403434c17e5bbeb3c339
7e0e7def3be7f9bc7793bf155935d16a9db631dd99b71ab51295338315129cce
91c9e06e0ff399a4eff06cbd2a5512a6144af70de685a26239b02194412faa28
d3501787751324e615bd13ed80417360fbd7558385662ac34c51b34802f9b9d4
e4edb4cc8f35c7bab6e89774a279593d492714fce9865e53879f87d3704ad96c
f836093baf3255830126881722dc2edd86fd615fc922f86d177b0ccb0e3d2941
+ 7 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/230123-thx6vseb32/
Behaviour
Suspicious use of WriteProcessMemory
Unpacked files
SH256 hash:
5579d51b343f1b16ee7f6533f18e7d513c90a330500b68a48541e891258cc8ff
MD5 hash:
862309f22b7667056aca7d4d3f9f1296
SHA1 hash:
650411bc70fc9e9ccb72cf939eee35bef500e6cc
Link:
https://www.unpac.me/results/630aa196-f1cf-4c0f-a32a-f1eec33720e4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.21
Link:
https://yomi.yoroi.company/submissions/5579d51b343f1b16ee7f6533f18e7d513c90a330500b68a48541e891258cc8ff

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/355959/

Comments