MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5b70972c72bf8af098350f8a53ec830ddbd5c2c7809c71649c93f32a8a3f1371. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Lazarus


Vendor detections: 8



SHA256 hash: 5b70972c72bf8af098350f8a53ec830ddbd5c2c7809c71649c93f32a8a3f1371
SHA3-384 hash: a8dc34e7a6e21444cbcc6d8553c11aa89e5868f3108e3a415d3d7b3952a536f032296006d996462d236c43c15d3f89d0
SHA1 hash: 248795453ceb95e39db633285651f7204813ea3a
MD5 hash: d9f15227fefb98ba69d98542fbe7e568
humanhash: coffee-bluebird-alanine-alabama
File name: 5b70972c72bf8af098350f8a53ec830ddbd5c2c7809c71649c93f32a8a3f1371
Signature Lazarus
File size: 4'038'720 bytes
First seen: 2025-02-20 07:41:13 UTC
Last seen: 2026-03-28 00:26:13 UTC
File type: Executable exe
MIME type: application/x-dosexec
ssdeep 98304:4FuXMFkEMXhX1cjJZWp51o1xCw3YnoBWr+/vf8A:4FuXMFkdXZMJu5ujb3YnosSXf8A
TLSH T12C16339A87E05452EA2F1EB503B2351052B44CDE672112127D93F668F9FBF3A6E4BF40
TrID 45.5% (.EXE) Win64 Executable (generic) (10522/11/4)
19.4% (.EXE) Win32 Executable (generic) (4504/4/1)
8.9% (.ICL) Windows Icons Library (generic) (2059/9)
8.7% (.EXE) OS/2 Executable (generic) (2029/13)
8.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
dhash icon 489669d8d8699648 (53 x AgentTesla, 24 x SnakeKeylogger, 23 x AnyDesk)
Reporter TheRavenFile
Tags: exe Lazarus marstech signed

Code Signing Certificate

Organisation: philandro Software GmbH
Issuer: DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Algorithm: sha256WithRSAEncryption
Valid from: 2021-12-13T00:00:00Z
Valid to: 2025-01-08T23:59:59Z
Serial number: 0dbf152deaf0b981a8a938d53f769db8
Intelligence: 9 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm: SHA256
Thumbprint: 9d7620a4ceba92370e8828b3cb1007aeff63ab36a2cbe5f044fdde14abab1ebf
Source: ReversingLabs A1000 Malware Analysis Platform


RakeshKrish12
Source: https://github.com/TheRavenFile/Daily-Hunt/blob/main/Lazarus/Marstech.txt

Intelligence


File Origin
# of uploads: 64
# of downloads: 483
Origin country: IN

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: AnyDesk.exe
Verdict: Malicious activity
Analysis date: 2023-05-16 19:40:18 UTC
Tags: n/a
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Suspicious
Score: 50%
Tags: obfusc crypt blic

Result
Verdict: Clean
Maliciousness:
Behaviour
Searching for the window
Creating synchronization primitives
Creating a file in the %AppData% subdirectories
Creating a window
Restart of the analyzed sample
DNS request
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests

Verdict: Suspicious
Labelled as: Revoked.CRT.AnyDesk_Compromise
Malware family: AnyDesk Software GmbH

Verdict: Suspicious

Result
Threat name: n/a
Detection: malicious
Classification: evad.troj
Score: 54 / 100
Signature
Connects to many ports of the same IP (likely port scanning)
Detected unpacking (changes PE section rights)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Behaviour: behavior graph not reproduced here

Verdict: malicious
Label(s): admintool_anydesk
Similar samples:

Result
Malware family: n/a
Score: 3/10
Tags: discovery
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery

Verdict: Suspicious
Tags: trojan
YARA: PUA_AnyDesk_Compromised_Certificate_Revoked_Jan24

Unpacked files
SHA256 hash: 992a961ab00e60745031e156b227cdf3327f92c452a0637bc50b6a3aab42e480
MD5 hash: 1d3b3f062b8263615b157e8cb0786db8
SHA1 hash: ee98852a35c1f15e04946c97e738c7d485b7c594

SHA256 hash: 4db2091aad27d3cd4ce8d4065f92be104418b25a57c9387d32f12b65393e846b
MD5 hash: 1dfeea385a3c62b5342d6e09ed7cb9fc
SHA1 hash: bdb50e02559e12a8fb0f040fd0fe788583b9c942

SHA256 hash: 3c8c43acd3b57256c97817f13a2359979e671206607f8a06dd0be1c115f7474f
MD5 hash: dd3f160e330e0f5debf44fe14414f6ee
SHA1 hash: 1dcfbc497a467e137f1565783de803c8f9744923

SHA256 hash: 6ad91f015329bd8cbdfda97a3f6c8961ba8fea89ccbbdaa6e2b6abf6f92b345d
MD5 hash: d14b8b714f76ef6379a17de681353dee
SHA1 hash: 59a48749db0722d32e076aef243c6e0fbf1e3050

SHA256 hash: 22fe7d4c5606417510ed1e7b372ea39b6ad0091e6b70670d9054e889ef94c863
MD5 hash: 18400eec7d8723718e95023cd14aafc1
SHA1 hash: 7af652f8218a9ea7db8daaedb7d76fe0ded6f428

SHA256 hash: 5b70972c72bf8af098350f8a53ec830ddbd5c2c7809c71649c93f32a8a3f1371
MD5 hash: d9f15227fefb98ba69d98542fbe7e568
SHA1 hash: 248795453ceb95e39db633285651f7204813ea3a
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Anydesk
Author: CD_R0M_
Description: Anydesk is commonly used by threat actors for remote access. This rule aims to identify legitimate anydesk, renamed binaries and trojanized versions.
Reference: https://www.crowdstrike.com/blog/falcon-complete-disrupts-malvertising-campaign-targeting-anydesk/

Rule name: dl_shadow

Rule name: meth_get_eip
Author: Willi Ballenthin

Rule name: Old_Code__Signature_AnyDesk_Feb2024
Author: Yashraj Solanki - Cyber Threat Intelligence Analyst at Bridewell

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: pe_no_import_table
Description: Detects a PE file that has no import table

Rule name: PUA_AnyDesk_Compromised_Certificate_Revoked_Jan24
Author: Florian Roth
Description: Detects binaries signed with a compromised signing certificate of AnyDesk (philandro Software GmbH, 0DBF152DEAF0B981A8A938D53F769DB8) after it was revoked. This is not a threat detection. It detects an outdated version of AnyDesk that was signed with a certificate that has been revoked.
Reference: https://anydesk.com/en/public-statement

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Checks for overlay, obfuscating, encrypting, spoofing, hiding, or entropy techniques (can create false positives)

Rule name: yara_template

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: Lazarus
File: Executable exe 5b70972c72bf8af098350f8a53ec830ddbd5c2c7809c71649c93f32a8a3f1371 (this sample)

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID: CHECK_DLL_CHARACTERISTICS
Title: Missing dll Security Characteristics (HIGH_ENTROPY_VA)
Severity: high

ID: CHECK_TRUST_INFO
Title: Requires Elevated Execution (uiAccess:None)
Severity: high
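The two most useful facts on this page for triage are mechanical: the BLint CHECK_DLL_CHARACTERISTICS finding comes from the DllCharacteristics field of the PE optional header, and the PUA_AnyDesk_Compromised_Certificate_Revoked_Jan24 match comes from the revoked philandro Software GmbH serial 0dbf152deaf0b981a8a938d53f769db8 appearing in the Authenticode blob in the PE security directory. The script below is an added example, not code from MalwareBazaar, BLint, AnyDesk or the YARA rule's author: it parses both header fields with the standard library only, walks the DER in the signature blob to collect every X.509 serial, and reports whether the revoked serial is among them. The PE image it runs on is a constructed header-only PE32+ with a stand-in DER blob, not the sample above; the function names, the set of hardening bits it reports on, and the stand-in blob layout are my choices.

```python
import struct

# Serial of the compromised philandro Software GmbH certificate, as listed on this page.
REVOKED_SERIAL = bytes.fromhex("0dbf152deaf0b981a8a938d53f769db8")
# Hardening bits of IMAGE_OPTIONAL_HEADER.DllCharacteristics (winnt.h values); HIGH_ENTROPY_VA is the one BLint flagged.
HARDENING_BITS = {0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE",
                  0x0100: "NX_COMPAT", 0x4000: "GUARD_CF"}
SECURITY_DIR = 4                          # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002

def parse_pe(data):
    """Return (DllCharacteristics, security directory file offset, size) for PE32 or PE32+."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 4 + 20                                # optional header follows the COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    ndirs_off = opt + (92 if magic == 0x10B else 108)      # NumberOfRvaAndSizes: PE32 / PE32+
    dllchar = struct.unpack_from("<H", data, opt + 70)[0]  # same offset in both formats
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    if ndirs <= SECURITY_DIR:
        return dllchar, 0, 0
    # The security directory's "VirtualAddress" is a raw file offset, not an RVA.
    sec_off, sec_size = struct.unpack_from("<II", data, ndirs_off + 4 + 8 * SECURITY_DIR)
    return dllchar, sec_off, sec_size

def missing_hardening(data):                               # BLint's CHECK_DLL_CHARACTERISTICS view
    dllchar, _, _ = parse_pe(data)
    return sorted(name for bit, name in HARDENING_BITS.items() if not dllchar & bit)

def _der_len(buf, i):                                      # DER length at buf[i] -> (length, content offset)
    if buf[i] < 0x80:
        return buf[i], i + 1
    n = buf[i] & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def der_integers(buf):
    """Contents of every INTEGER reachable by descending DER constructed types; X.509 serials are
    INTEGERs in TBSCertificate and SignerInfo.issuerAndSerialNumber, so every cert in the blob shows up."""
    found, todo = [], [(0, len(buf))]
    while todo:
        i, end = todo.pop()
        while i < end:
            tag = buf[i]
            length, start = _der_len(buf, i + 1)
            stop = start + length
            if stop > end:
                raise ValueError("DER element overruns its parent")
            if tag & 0x20:                                 # constructed (SEQUENCE, SET, [n]): descend
                todo.append((start, stop))
            elif tag == 0x02:                              # INTEGER
                found.append(buf[start:stop])
            i = stop
    return found

def signer_serials(data):
    """Hex serials (leading zero bytes stripped) of every certificate in the Authenticode blob."""
    _, off, size = parse_pe(data)
    if not size:
        return set()                                       # unsigned
    blob = data[off:off + size]
    length, _rev, cert_type = struct.unpack_from("<IHH", blob, 0)   # WIN_CERTIFICATE header
    if cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
        return set()
    return {v.lstrip(b"\x00").hex() for v in der_integers(blob[8:length])}

def is_signed_with_revoked_cert(data):                    # a serial lookup, not signature verification
    return REVOKED_SERIAL.lstrip(b"\x00").hex() in signer_serials(data)

# Constructed test input (not the sample on this page): a header-only PE32+ and a DER stand-in.
def der_tlv(tag, content):
    return bytes([tag, len(content)]) + content            # short-form length, enough for the test blob

def fake_signed_data(serial):                              # nested SEQUENCEs: version INTEGER + one serial
    ser = serial if serial[0] < 0x80 else b"\x00" + serial # DER INTEGERs are signed
    return der_tlv(0x30, der_tlv(0x02, b"\x01") + der_tlv(0x30, der_tlv(0x02, ser)))

def build_test_pe(dllchar, pkcs7=b""):
    """Minimal PE32+ header (no sections, not loadable) with an optional Authenticode blob appended."""
    dos = bytearray(b"MZ" + bytes(0x3E))
    struct.pack_into("<I", dos, 0x3C, 0x40)                           # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)      # x64, 240-byte optional header
    opt = bytearray(240)                                              # 112-byte header + 16 directories
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<H", opt, 70, dllchar)
    struct.pack_into("<I", opt, 108, 16)
    cert = b""
    if pkcs7:
        cert = struct.pack("<IHH", 8 + len(pkcs7), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + pkcs7
        struct.pack_into("<II", opt, 112 + 8 * SECURITY_DIR, len(dos) + 4 + len(coff) + len(opt), len(cert))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + cert

if __name__ == "__main__":
    pe = build_test_pe(0x8140, fake_signed_data(REVOKED_SERIAL))     # NX_COMPAT|DYNAMIC_BASE, no HIGH_ENTROPY_VA
    print("missing hardening:", missing_hardening(pe))
    print("signed with revoked serial:", is_signed_with_revoked_cert(pe))
```

Two caveats when pointing this at a real file. The serial match says exactly what the YARA rule's description says and no more: the blob names the revoked certificate, which flags an old legitimately-signed AnyDesk as readily as a trojanized one, and it performs no cryptographic verification, so an attacker could also paste that blob onto anything. Use osslsigncode verify or signtool verify /pa for the real check, and expect signer_serials on a genuine Authenticode blob to include every certificate in the chain, the DigiCert intermediate listed above among them, plus the small version integers the walker does not filter out.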

Comments