MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 57dd1c061bd9e0eefa380eea2cf859cdd692438fd09786e425b7f19e6ba41337. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Merlin


Vendor detections: 5


Intelligence 5 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 57dd1c061bd9e0eefa380eea2cf859cdd692438fd09786e425b7f19e6ba41337
SHA3-384 hash: 1dbe20e0d774a024acb2876b569b342a015f3253cee2408095fbfe3819ed0e54d6c95ddcfaeac99aaf0c6a87b802ebdc
SHA1 hash: 4ba07989deae4c4624c88d12a366846b37c6a344
MD5 hash: e5c6342a19d1d8139d854612e45ab67d
humanhash: helium-iowa-pasta-black
File name:57dd1c061bd9e0eefa380eea2cf859cdd692438fd09786e425b7f19e6ba41337
Download: download sample
Signature Merlin
Create hunting rule
File size:7'060'960 bytes
First seen:2022-07-02 09:14:59 UTC
Last seen:2022-07-02 09:23:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c7269d59926fa4252270f407e4dab043 (45 x Hive, 23 x ServHelper, 22 x CobaltStrike)
ssdeep 98304:Q+tB3/wZUAkyv6OKNDaQQdq9EhYSELSImnFcHngmyOXk3Oq3:7h06N9QjhYSEOnnGgGk3p3
Threatray 26 similar samples on MalwareBazaar
TLSH T1C1668C03F84460F9C6EAD231CA75C2527B717889033127C77B65AAB66B63BC85F79390
gimphash 9b1fed7bcac0a7b2dc6db04698aa86dda4ceca8af6f1214113f306ba6a65b09f
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter cyb3rops
Tags:exe Merlin signed

Code Signing Certificate

Organisation:Exivity B.V.
Issuer:Sectigo Public Code Signing CA R36
Algorithm:sha384WithRSAEncryption
Valid from:2021-10-18T00:00:00Z
Valid to:2022-10-18T23:59:59Z
Serial number: b68216b9b5929bf8d4a2d5ebcce78c1b
Intelligence: 8 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 635a2ce0ae29ab85c7dc63193f7458f6afd83b3ef3e246e0433d1f3b7a7e3922
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
310
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/285066/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
golang overlay packed
Link:
https://www.filescan.io/uploads/62c00cda87c294f96f8ee69d/reports/fc21aaea-8b58-45af-a4e1-4e4e7d7398fc/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/27d789e3-936d-4a0f-9f5e-6419eff41a92
Result
Threat name:
Unknown
Detection:
clean
Classification:
n/a
Score:
2 / 100
Link:
https://www.joesandbox.com/analysis/1023488
Behaviour
Behavior Graph:
n/a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/57dd1c061bd9e0eefa380eea2cf859cdd692438fd09786e425b7f19e6ba41337/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=k7orybq33hqo56ryb3vcz6czzxljeq4p2clynzbfw7yz425ecm3q._file
Verdict:
unknown
Similar samples:
117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464
Merlin
4d3cf423de6f720602c72cf570b0746e2cafd32083ed77b73dd1efa36eb055a5
Merlin
53e95f5ab8f18a70baf702d59c2b308fb998de4cdc06d4d7d30c450e4cdfd4e3
Merlin
5cbea0c2d3f18aafe1c3ab60b3d670bcc47e4001f26c8923c3e4735e6964708c
Merlin
651d7c6201d1ae3bd43152d499f0fda0a99ab919fdea6c4291863cf9edc3f5c5
Merlin
664543a2800a9d4d0ebae4f742350251bb0df2a447a302032c1fe22c7c1e7398
Merlin
6cc8e13f66166e615a847f9444a0258b0e7a01fb8e607c49c482b2b4d50cd829
Merlin
d37eff5e61865aa3cae865e60c443db13027a1c2a01d24caa00da99b43042c6c
Merlin
e0fb2a5d5d690e565b3430badf82d97a84b6c3e89dc1a56c53794831f5aa87fe
Merlin
+ 16 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/220702-k7wvnaedfk/
Unpacked files
SH256 hash:
57dd1c061bd9e0eefa380eea2cf859cdd692438fd09786e425b7f19e6ba41337
MD5 hash:
e5c6342a19d1d8139d854612e45ab67d
SHA1 hash:
4ba07989deae4c4624c88d12a366846b37c6a344
Detections:
win_hive_auto
Create hunting rule
Link:
https://www.unpac.me/results/d8bbfb98-6e95-4906-a603-8885888499ee/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:Golangmalware
Create hunting rule
Author:Dhanunjaya
Description:Malware in Golang
Rule name:HiveRansomware
Create hunting rule
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:methodology_golang_build_strings
Create hunting rule
Author:smiller
Description:Looks for PEs with a Golang build ID
Rule name:win_hive_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.hive.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Link
https://github.com/Ne0nd0g/merlin-agent
Cape
Cape
https://www.capesandbox.com/analysis/285066/

Comments