MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5965b95d229ed2d8491d0b5430ba46c750198ad1d496288ccbce5bb4b00682df. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5965b95d229ed2d8491d0b5430ba46c750198ad1d496288ccbce5bb4b00682df
SHA3-384 hash: d8eb95622e4a93db091eaf74a1fc76ac31f1440d5a12238c49683b6f8002a9b1ceb4e91f77a78f5eef1b233efe2d1f31
SHA1 hash: 4c8f9b4d42aa99684c4500ebd6758f7c5aabaaf3
MD5 hash: 770099db5dbccd008a1889bbe4a7e5d8
humanhash: jupiter-ack-white-alabama
File name:Lazzarus.exe
Download: download sample
File size:34'741'248 bytes
First seen:2023-03-10 13:57:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f0486e7e054aa57188c99b0f71783b75 (3 x NodeLoader, 2 x LummaStealer, 1 x DiscordTokenStealer)
ssdeep 393216:+QgHDlanaGBXvDKtz+bhPWES4tiNQPNrIKc4gaPbUAgrO4mg796l+ZArYsFRlW5u:+3on1HvSzxAMN7FZArYs4A
Threatray 6 similar samples on MalwareBazaar
TLSH T1D4779D03B2A60195E4B7D138CAA74103D7B2B8635731DACF325D02161FBBAE49A7F725
TrID 45.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.3% (.EXE) OS/2 Executable (generic) (2029/13)
18.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.0% (.EXE) DOS Executable Generic (2000/1)
dhash icon a2a1c186a6641332
Reporter Anonymous
Tags:exe signed

Code Signing Certificate

Organisation:TestCert
Issuer:TestCert
Algorithm:sha1WithRSA
Valid from:2019-12-30T06:22:24Z
Valid to:2039-12-31T23:59:59Z
Serial number: 39059e0ec525d6aa43746a661e974b23
Intelligence: 3 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 495e04d7c5c0f090a9f3a9deaa27859b7108e96e49763787b2bb9c4adf72c654
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
245
Origin country :
BR BR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Lazzarus.exe
Verdict:
No threats detected
Analysis date:
2023-03-10 13:58:26 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b46b4bd8-f796-41ac-959b-eaf32e974a16

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Searching for the window
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a custom TCP request
Creating a file in the %temp% subdirectories
Creating a file
Using the Windows Management Instrumentation requests
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/72571/overview
Behaviour
MalwareBazaar
MeasuringTime
CheckNumberOfProcessor
CheckScreenResolution
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug greyware overlay packed
Link:
https://www.filescan.io/uploads/640b376df4df8e73ab781604/reports/58ab3073-a080-4c9a-af57-52b7b65fc293/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/5965b95d229ed2d8491d0b5430ba46c750198ad1d496288ccbce5bb4b00682df
Result
Verdict:
MALICIOUS
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.expl
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/1191272
Signature
Found potential ransomware demand text
Sigma detected: Dot net compiler compiles file from suspicious location
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 824152 Sample: Lazzarus.exe Startdate: 10/03/2023 Architecture: WINDOWS Score: 52 34 Sigma detected: Dot net compiler compiles file from suspicious location 2->34 36 Found potential ransomware demand text 2->36 8 Lazzarus.exe 1 2->8         started        process3 process4 10 powershell.exe 26 8->10         started        13 cmd.exe 1 8->13         started        15 powershell.exe 31 8->15         started        17 conhost.exe 8->17         started        file5 32 C:\Users\user\AppData\...\goh3pmmr.cmdline, Unicode 10->32 dropped 19 csc.exe 3 10->19         started        22 conhost.exe 13->22         started        24 chcp.com 1 13->24         started        26 conhost.exe 15->26         started        process6 file7 30 C:\Users\user\AppData\Local\...\goh3pmmr.dll, PE32 19->30 dropped 28 cvtres.exe 1 19->28         started        process8
Gathering data
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-02-17 23:55:22 UTC
File Type:
PE+ (Exe)
Extracted files:
10
AV detection:
6 of 24 (25.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lfs3sxjct3jnqsi5bnkdbosgy5ibtcwr2slcrdglzzn3jmagqlpq._file
Verdict:
unknown
Similar samples:
7b2bcaa3723a8198c9a6f0878b77c7887554079e77e5c9b8f444570be1d744f6
8120be0c1f1898fd6e923efbc135e96c60136219790c0b69714e9d9468906a86
9365c34ac64bccdf316421eb7036d4e8ff8f928161423fae14f1dc5bfda48b66
9dd2beb7cc84848cd0555fa33febf4d06d7b81e8f6927d0df074cb26559a21e4
cd538d6c9101cb1ee74257d4540d167ef2fbd4bf9649778d3c669d0d3bf67453
e2d63f9f87c6a50b4c63d2a4d5620ad81e9438278883f8de7c92ca2204e753bb
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/230310-q9vchafg6z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5965b95d229ed2d8491d0b5430ba46c750198ad1d496288ccbce5bb4b00682df

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:adonunix2
Create hunting rule
Author:Tim Brown @timb_machine
Description:AD on UNIX
Rule name:APT_Bitter_ZxxZ_Downloader
Create hunting rule
Author:SECUINFRA Falcon Team (@SI_FalconTeam)
Description:Detects Bitter (T-APT-17) ZxxZ Downloader
Reference:https://www.secuinfra.com/en/techtalk/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh
Rule name:attack_India
Create hunting rule
Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:Mimikatz_Generic
Create hunting rule
Author:Still
Description:attempts to match all variants of Mimikatz
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Pkg
Create hunting rule
Author:nwunderly
Rule name:QbotStuff
Create hunting rule
Author:anonymous
Rule name:reverse_http
Create hunting rule
Author:CD_R0M_
Description:Identify strings with http reversed (ptth)
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/
Rule name:yara_template
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 5965b95d229ed2d8491d0b5430ba46c750198ad1d496288ccbce5bb4b00682df

(this sample)

  
URLhaus
https://lazzaruss.blogspot.com/2023/01/lazzarus.html
  
Delivery method
Distributed via web download

Comments