MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5c03d43bf03feb867d7738b2697d9d44fe09fc2d97e681559f09cfa998ec0d77. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5c03d43bf03feb867d7738b2697d9d44fe09fc2d97e681559f09cfa998ec0d77
SHA3-384 hash: bfd804a02e4c93e81420e1d5e39050b0deff2c1c0e72bcaaa3961d8135cd01622d7d77d6947bc3f4653896ff2c7c971c
SHA1 hash: 15d6a9b88b85eca7671c3b337347badedb12931e
MD5 hash: 2a048a7d6c0dab891aa81ee249bbb9a6
humanhash: batman-fourteen-march-zebra
File name:16946187077d5a55717401963e9a187640d096855b4786a0d8f1aac1819dc5463a39066979851.dat-decoded
Download: download sample
File size:73'728 bytes
First seen:2023-09-13 15:25:09 UTC
Last seen:2023-09-14 03:42:42 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash dae02f32a21e03ce65412f6e56942daa (123 x YellowCockatoo, 60 x CobaltStrike, 44 x JanelaRAT)
ssdeep 768:sag5iqImBLv2w+J/lxeD9ygg87DzexJV5I0P35yDyzblEDwt7J3FwwT/tj9lYRs8:k4mBLv7IeRP3EF3t7J1ZT/tBlZaQOt
Threatray 6 similar samples on MalwareBazaar
TLSH T115734B0277DBC621C59806B6D0F3442503F6EBD76673EB4A7E88138D5F137E68A48B4A
TrID 87.2% (.DLL) Generic .NET DLL/Assembly (236632/4/32)
3.8% (.EXE) Win64 Executable (generic) (10523/12/4)
2.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.6% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:base64-decoded dll


Avatar
abuse_ch
Malware dropped as base64 encoded payload

Intelligence

File Origin
# of uploads :
2
# of downloads :
276
Origin country :
DE DE
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/448441/
Detection(s):
Win.Trojan.Bulz-9889478-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
lolbin packed replace
Link:
https://www.filescan.io/uploads/6501d48f9bae8a3785559a26/reports/425c319d-730e-4a53-b2e0-953a2e257dd6/overview
Verdict:
Malicious
Labled as:
Tedy.Generic
Link:
https://www.hybrid-analysis.com/sample/5c03d43bf03feb867d7738b2697d9d44fe09fc2d97e681559f09cfa998ec0d77
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/41b6775f-8bcd-411e-9bd3-756b9e1c143b
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1308016
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Antivirus / Scanner detection for submitted sample
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sigma detected: Execute DLL with spoofed extension
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1308016 Sample: 16946187077d5a55717401963e9... Startdate: 14/09/2023 Architecture: WINDOWS Score: 72 15 Antivirus / Scanner detection for submitted sample 2->15 17 Multi AV Scanner detection for submitted file 2->17 19 Sigma detected: Execute DLL with spoofed extension 2->19 21 2 other signatures 2->21 7 loaddll32.exe 1 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        11 conhost.exe 7->11         started        process5 13 rundll32.exe 9->13         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5c03d43bf03feb867d7738b2697d9d44fe09fc2d97e681559f09cfa998ec0d77/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-09-13 04:40:25 UTC
File Type:
PE (.Net Dll)
Extracted files:
4
AV detection:
14 of 38 (36.84%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lqb5io7qh7vym7lxhczgs7m5it7at7bns7ticvm7bhh2tghmbv3q._file
Verdict:
malicious
Similar samples:
784cda9f8d5a1f70a189644e78f76d69c5b41434ac8ee66f77dff5141f0c4fb2
89ee49574b483077f00317a988fe5443ee4b3b3485b2b775e411f4d0235dc8ba
8a839a1497379639e18a64b3f69f8f1a5d70341a666c91d5a13d24fecd05799f
cacad3326fba09f60283210655c8e9cafddaae194e156cc680db4f98d4920e5c
e5fa48dcc0604fb10d844d476df30106684af28205a7c150142e0b3bf4ef8687
fa7b173ac1477fca66559947e5989ce2747465e1715f4d6a1e0bbcc72259ca58
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/230913-st7n1adb2y/
Unpacked files
SH256 hash:
5c03d43bf03feb867d7738b2697d9d44fe09fc2d97e681559f09cfa998ec0d77
MD5 hash:
2a048a7d6c0dab891aa81ee249bbb9a6
SHA1 hash:
15d6a9b88b85eca7671c3b337347badedb12931e
Link:
https://www.unpac.me/results/696801b6-f55a-45e2-979d-755b2bce106b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.56
Link:
https://yomi.yoroi.company/submissions/5c03d43bf03feb867d7738b2697d9d44fe09fc2d97e681559f09cfa998ec0d77

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla
Create hunting rule
Author:Harish Kumar P
Description:Yara Rule to Detect AgentTesla
Rule name:extracted_at_0x44b
Create hunting rule
Author:cb
Description:sample - file extracted_at_0x44b.exe
Reference:Internal Research
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

7d5a55717401963e9a187640d096855b4786a0d8f1aac1819dc5463a39066979

DLL dll 5c03d43bf03feb867d7738b2697d9d44fe09fc2d97e681559f09cfa998ec0d77

(this sample)

  
Dropped by
SHA256 7d5a55717401963e9a187640d096855b4786a0d8f1aac1819dc5463a39066979
  
Dropped by
MD5 1668bba16e17070605e63c0a3807fd1c
  
URLhaus
https://urlhaus.abuse.ch/url/2711540/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/448441/

Comments