MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5d34b1f77abd61c463bd6ed97eb0b12bed29ac712445fa9d1dd6abe1029fed94. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 8

Intelligence 8 IOCs YARA 2 File information Comments

SHA256 hash:	5d34b1f77abd61c463bd6ed97eb0b12bed29ac712445fa9d1dd6abe1029fed94
SHA3-384 hash:	e00f66e016400e7d96c3c4efbe37205529fed4305520f19ed67a047587692fb0815d0a28ac1b41feb0bd1b17f599f078
SHA1 hash:	2f0edb2b634b4fdc28006ed2f9f625be22394da8
MD5 hash:	6d59f9a1b09eabe0d6e2acfbb0ddec9c
humanhash:	fourteen-eleven-carbon-ink
File name:	Loader.exe
Download:	download sample
File size:	9'766'516 bytes
First seen:	2022-10-12 01:19:20 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	a56f115ee5ef2625bd949acaeec66b76 (53 x Stealc, 48 x PureHVNC, 35 x CoinMiner)
ssdeep	196608:CSZ/v61t+KYsi9DfV6Tf7QHbu9T27/ToqWVKuIolO64kxMraAp55G:H6u/55V6Tfubu9TkTTuIolpIRp55G
Threatray	1'669 similar samples on MalwareBazaar
TLSH	T1D4A63330EB715193F44BE1BEA5869D95B393E1B2CE271BAC648D33270E77481F1241B9
TrID	45.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 18.3% (.EXE) OS/2 Executable (generic) (2029/13) 18.0% (.EXE) Generic Win/DOS Executable (2002/3) 18.0% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):
dhash icon	4229d6dbd96d9248
Reporter	Anonymous
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

229

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/319107/

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Searching for analyzing tools

Using the Windows Management Instrumentation requests

Creating a window

Verdict:

Malicious

Threat level:

10/10

Confidence:

80%

Tags:

packed

Link:

https://www.filescan.io/uploads/6346164533e66132ed02bd58/reports/5233f04e-8173-4aa4-b61d-158ea03daf71/overview

Result

Verdict:

MALICIOUS

Malware family:

Plasma RAT

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/0f9786af-11c8-4059-b139-30fbcff66217

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/1088430

Signature

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Hides threads from debuggers

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

PE file contains section with special chars

Query firmware table information (likely to detect VMs)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5d34b1f77abd61c463bd6ed97eb0b12bed29ac712445fa9d1dd6abe1029fed94/

Threat name:

Win64.Trojan.Generic

Status:

Suspicious

First seen:

2022-03-23 03:08:35 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

8 of 26 (30.77%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=lu2ld532xvq4iy55n3mx5mfrfpwstldrerc7vhi522v6cau75wka._file

Verdict:

unknown

437f639d05da27e1909877e3f8c39f70ee5d525a8be7c631e69f4141db287ab6

47fc82f745787ef02d2e51a15e7ce14ab2a1a278b82a49840a48cc337782aac1

51037666d1982db93e3123e88594d409805d3f1d970e9f926dcadb99f77f50f6

54dc032c3503998eaa404dde9c677851856838e737edb3d198fb7c173562859e

965de9a48decafacbffec3e87e3585769025a114117f06d5cbaa1b02c5e11d18

99306ce091ffc74939ea41621dd8e947086f6728083a2ff24aa02e3ae91905bd

d63c19155af0a329cd61cd832d7c4d2d5bbcb61067ea764283b664605979864f

+ 1'659 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

9/10

Tags:

evasion themida trojan

Link:

https://tria.ge/reports/221012-bp4m4scag2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of NtSetInformationThreadHideFromDebugger

Checks whether UAC is enabled

Checks BIOS information in registry

Themida packer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/8b2fa94e-9fdf-4583-9d02-16684562d387

Unpacked files

SH256 hash:

5d34b1f77abd61c463bd6ed97eb0b12bed29ac712445fa9d1dd6abe1029fed94

MD5 hash:

6d59f9a1b09eabe0d6e2acfbb0ddec9c

SHA1 hash:

2f0edb2b634b4fdc28006ed2f9f625be22394da8

Link:

https://www.unpac.me/results/8d7aed6c-c791-4651-8360-4fc5cafbb853/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.20

Link:

https://yomi.yoroi.company/submissions/5d34b1f77abd61c463bd6ed97eb0b12bed29ac712445fa9d1dd6abe1029fed94

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_Themida Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with Themida

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/319107/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample