MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5c9106490619ef294e77900e55f81a756e68b5b117458b2c6df8eac742b6ebf8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5c9106490619ef294e77900e55f81a756e68b5b117458b2c6df8eac742b6ebf8
SHA3-384 hash: e6ad9338b6cc360b40705f6f6dca5296bb7f85aec3bb9086e5a4f6f1071116bd548acf454dbf4bf8c054513358792aa9
SHA1 hash: 46568704d146cf27a4b364a8838e24fb3fddc8ac
MD5 hash: 18337a5ab0cd9c6244657872a6769619
humanhash: hawaii-ink-winter-hotel
File name:5c9106490619ef294e77900e55f81a756e68b5b117458b2c6df8eac742b6ebf8.bin
Download: download sample
File size:5'021'616 bytes
First seen:2021-09-28 06:58:50 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 610c70cb984439107cd4b7d6e2cd761c
ssdeep 49152:WhY5yStuk/TGbOARoDxQVyHjNfdtohXnXvZZEYXtFkRqxNTdMpoHzQcBIXO3/ZpJ:0RkaPaDiVSNEXrEYXtFkRqxHMk8XO3Rn
Threatray 5'720 similar samples on MalwareBazaar
TLSH T130369E226384503FD45B0F3B8A7FA664993EBF613A22CC9BA3F4195C5F356403929397
Reporter JAMESWT_WT
Tags:dll HOLDING LA LTD

Intelligence

File Origin
# of uploads :
1
# of downloads :
108
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/192416/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Transferring files using the Background Intelligent Transfer Service (BITS)
DNS request
Connection attempt
Sending a custom TCP request
Creating a file in the %temp% directory
Enabling the 'hidden' option for files in the %temp% directory
Moving a file to the %temp% directory
Unauthorized injection to a system process
Forced shutdown of a system process
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/37748a61-91a4-4bdc-a220-80a87711a6de
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/859571
Signature
Allocates memory in foreign processes
Hijacks the control flow in another process
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 492002 Sample: gqHw0umkJs.bin Startdate: 28/09/2021 Architecture: WINDOWS Score: 72 39 rottinculospattha.pw 2->39 41 ipv4.imgur.map.fastly.net 2->41 43 i.imgur.com 2->43 47 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->47 49 Multi AV Scanner detection for submitted file 2->49 9 loaddll32.exe 1 2->9         started        signatures3 process4 signatures5 59 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 9->59 61 Hijacks the control flow in another process 9->61 12 cmd.exe 1 9->12         started        14 rundll32.exe 9->14         started        17 rundll32.exe 9->17         started        19 5 other processes 9->19 process6 signatures7 21 rundll32.exe 12->21         started        63 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 14->63 65 Hijacks the control flow in another process 14->65 67 Writes to foreign memory regions 14->67 24 notepad.exe 14->24         started        69 Allocates memory in foreign processes 17->69 26 notepad.exe 1 17->26         started        28 notepad.exe 1 19->28         started        31 notepad.exe 1 19->31         started        33 notepad.exe 19->33         started        35 notepad.exe 19->35         started        process8 dnsIp9 51 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 21->51 53 Hijacks the control flow in another process 21->53 55 Writes to foreign memory regions 21->55 57 Allocates memory in foreign processes 21->57 37 notepad.exe 21->37         started        45 192.168.2.1 unknown unknown 28->45 signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5c9106490619ef294e77900e55f81a756e68b5b117458b2c6df8eac742b6ebf8/
Threat name:
Win32.Trojan.NsisInject
Create hunting rule
Status:
Malicious
First seen:
2021-09-23 03:49:33 UTC
AV detection:
13 of 45 (28.89%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
525d3b180847b425e376157caabbf860b421078903228d919d1e5e0fcce5741c
5b9eef2199515e5bf4cd00a176b35747f8bc9984183213fec864aca2c1918a70
6f8fc539952555b057adf7810aca782a29f8f624e1d46a0f4732db3763130725
9ccce653cb66833e9396151f5bc65f6c2744d955a9eaedad81eccd3da252803e
9e9ad2a3d696f2327d702b58c5f0329caddce1571d842ecc9ca02f3f23677ae3
c5f1d96b75d6ed0846fac4d2ddfada97927dbcebc6fbd015cc08ac78387b28fd
d8eb5792d969c21c364da69eca1322ab5f63e0a39b0e542bad4ee95be873c296
df3dabd031184b67bab7043baaae17061c21939d725e751c0a6f6b7867d0cf34
+ 5'710 additional samples on MalwareBazaar
Result
Malware family:
parallax
Create hunting rule
Score:
  10/10
Tags:
family:parallax rat suricata
Link:
https://tria.ge/reports/210928-hr3l6aahgp/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
ParallaxRat
ParallaxRat payload
suricata: ET MALWARE Parallax CnC Response Activity M14
Unpacked files
SH256 hash:
a3f2297fd4f8a6bccdf5f85b96a867ef2fcd2c8c18de9624f4a92277ce6db2bd
MD5 hash:
62bfb0928b654d69be43b756d9b4eb2e
SHA1 hash:
698e15b0971ab540acfde60af4277bd805488609
Link:
https://www.unpac.me/results/1b89c76d-3e2b-4f1e-a492-fd71f606bb5a/
SH256 hash:
c708a3edaf1a43c4250a07513104f330d09acfbd692a45c6471bf96d7e0cb5a6
MD5 hash:
93747367d844bb5a028eb6fba26c27e4
SHA1 hash:
66b7f6f6e8b5c82ce694f40a32c53e2554df47ab
Link:
https://www.unpac.me/results/1b89c76d-3e2b-4f1e-a492-fd71f606bb5a/
SH256 hash:
5c9106490619ef294e77900e55f81a756e68b5b117458b2c6df8eac742b6ebf8
MD5 hash:
18337a5ab0cd9c6244657872a6769619
SHA1 hash:
46568704d146cf27a4b364a8838e24fb3fddc8ac
Link:
https://www.unpac.me/results/1b89c76d-3e2b-4f1e-a492-fd71f606bb5a/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/5c9106490619/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/5c9106490619ef294e77900e55f81a756e68b5b117458b2c6df8eac742b6ebf8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Adsterra_Adware_DOM
Create hunting rule
Author:IlluminatiFish
Description:Detects Adsterra adware script being loaded without the user's consent
Rule name:Sectigo_Code_Signed
Create hunting rule
Description:Detects code signed by the Sectigo RSA Code Signing CA
Reference:https://bazaar.abuse.ch/export/csv/cscb/
Rule name:Sectigo_Code_Signed
Create hunting rule
Description:Detects code signed by the Sectigo RSA Code Signing CA
Reference:https://bazaar.abuse.ch/export/csv/cscb/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/192416/

Comments