MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5b318a71a891d9f64fff9de8dc4868c9d1e563701a8272a6b281f295c7bdd43d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 4



SHA256 hash: 5b318a71a891d9f64fff9de8dc4868c9d1e563701a8272a6b281f295c7bdd43d
SHA3-384 hash: e75544644bb0ac964b17aa40f1ab7175d3eece3b9516e1563ae678a741c9c4eccc166a0fde5568c614b138f102490eea
SHA1 hash: 58c29c10f7fc270677c7c95889c01ef27366f1d9
MD5 hash: 99016e780758b039d29ff6cf6c9b9595
humanhash: may-virginia-johnny-sink
File name: 公司内部入款明细.exe
Download: download sample
File size: 3'264'512 bytes
First seen: 2021-04-18 14:43:24 UTC
Last seen: 2021-04-18 15:55:50 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f17df15445f203fec18b50cd94148ccd
ssdeep: 98304:ibGv8cwVaMnMU14uHzzfkinJTrZp1JYUAQR:iCviVaiauTzcinRVN
TLSH: C7E5338AF8C1DE9CDD169E7D57A549D07E70AF8E0928E59E3AD4B284F57BD03032E210
Reporter: mickeyftnt1


mickeyftnt
Via Telegram

Intelligence


File Origin
# of uploads: 2
# of downloads: 90
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour:
Creating a window
Creating a file
Changing a file
Searching for the window
Searching for many windows
Launching a process
Changing settings of the browser security zones

Result
Verdict: SUSPICIOUS
Details:
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 72 / 100
Signature:
Detected VMProtect packer
Installs Task Scheduler Managed Wrapper
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Tries to detect debuggers by setting the trap flag for special instructions
Tries to detect virtualization through RDTSC time measurements
Behaviour:
Behavior Graph: Gathering data
Verdict: suspicious

Result
Malware family: n/a
Score: 8/10
Tags: vmprotect
Behaviour:
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Enumerates physical storage devices
VMProtect packed file

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_EXE_Packed_VMProtect
Author: ditekSHen
Description: Detects executables packed with VMProtect.

Rule name: suspicious_packer_section
Author: @j0sm1
Description: The packer/protector section names/keywords
Reference: http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Other

Comments



a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-04-18 15:03:12 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [F0001.010] Anti-Behavioral Analysis::VMProtect