MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5c206b4dc2d3a25205176da9a1129c9f814c030a7bac245e3aaf7dd5d3ca4fbe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Lazarus


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments 1

SHA256 hash: 5c206b4dc2d3a25205176da9a1129c9f814c030a7bac245e3aaf7dd5d3ca4fbe
SHA3-384 hash: bf8a7311d5833fd3c266e56dbe32f419821beba2f39c8ed3c9193c50df49e11905f0b3735ff916694bb5b93c20eac83f
SHA1 hash: b2dfcbd8c3966ebed9275db7b14e359412db9963
MD5 hash: 1417f890248f193bb241f6b458ae4a97
humanhash: robin-iowa-jersey-stream
File name:DriverGFX.tmp
Download: download sample
Signature Lazarus
File size:132'608 bytes
First seen:2021-05-10 19:35:01 UTC
Last seen:2021-05-10 20:44:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 46e1f68bd4bdbe70b7424fd6e16885e6 (1 x Lazarus)
ssdeep 3072:lSAQPGJU7xU3+FKMI3iUbhO3CVs4jNnOvh7JWn:CPGJU7xU3+F/UROSVNYW
TLSH 30D36C17B3A400BBE0B6C639C5635A16E7B678121661DB9F03A4435B2F237D19E3EF21
Reporter 0x3c7
Tags:Lazarus pedll X64

Intelligence


File Origin
# of uploads :
2
# of downloads :
216
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
rheinmetall job requirements.doc
Verdict:
Malicious activity
Analysis date:
2021-05-06 07:30:26 UTC
Tags:
macros macros-on-open generated-doc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching the default Windows debugger (dwwin.exe)
Sending a UDP request
Enabling autorun by creating a file
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
60 / 100
Signature
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Behaviour
Behavior Graph:
behaviorgraph top1 signatures2 2 Behavior Graph ID: 410128 Sample: DriverGFX.tmp Startdate: 10/05/2021 Architecture: WINDOWS Score: 60 48 Multi AV Scanner detection for submitted file 2->48 50 Machine Learning detection for sample 2->50 10 loaddll64.exe 1 2->10         started        12 rundll32.exe 6 2->12         started        process3 dnsIp4 15 rundll32.exe 6 10->15         started        19 rundll32.exe 6 10->19         started        21 cmd.exe 1 10->21         started        38 wicall.ir 12->38 23 WerFault.exe 9 12->23         started        process5 dnsIp6 42 wicall.ir 138.201.169.73, 443, 49708, 49710 HETZNER-ASDE Germany 15->42 46 System process connects to network (likely due to code injection or exploit) 15->46 25 WerFault.exe 20 9 15->25         started        27 WerFault.exe 9 19->27         started        29 rundll32.exe 6 21->29         started        44 192.168.2.1 unknown unknown 23->44 signatures7 process8 dnsIp9 40 wicall.ir 29->40 32 WerFault.exe 9 29->32         started        process10 process11 34 MpCmdRun.exe 1 32->34         started        process12 36 conhost.exe 34->36         started       
Threat name:
Win64.Trojan.Bingoml
Status:
Malicious
First seen:
2021-05-05 02:46:38 UTC
AV detection:
25 of 47 (53.19%)
Threat level:
  5/5
Verdict:
malicious
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Behaviour
Modifies system certificate store
Blocklisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:apt_Lazarus_Job_DLL_May2021_1
Author:Nils Kuhnert
Description:Triggers on strings used in Lazarus DLL during on of their "job" campaigns.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Lazarus

Executable exe 5c206b4dc2d3a25205176da9a1129c9f814c030a7bac245e3aaf7dd5d3ca4fbe

(this sample)

Comments



Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-10 19:59:47 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0030.002] Command and Control::Receive Data
1) [C0002.012] Communication Micro-objective::Create Request::HTTP Communication
2) [C0002.017] Communication Micro-objective::Get Response::HTTP Communication
3) [C0002.004] Communication Micro-objective::Open URL::HTTP Communication
4) [C0052] File System Micro-objective::Writes File
5) [C0040] Process Micro-objective::Allocate Thread Local Storage
6) [C0038] Process Micro-objective::Create Thread
7) [C0041] Process Micro-objective::Set Thread Local Storage Value
8) [C0018] Process Micro-objective::Terminate Process