MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5d6ae98ae540507f758287d80f4379e529b912e00a629968a5a86807fd39d7b7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 5



SHA256 hash: 5d6ae98ae540507f758287d80f4379e529b912e00a629968a5a86807fd39d7b7
SHA3-384 hash: a42fdde741f0abbe5379aceb88f417ac1339a1421274a764bdfded107c4c36b0e49fdfe4f3efd56c6d2d83a20da78ce8
SHA1 hash: 431918d95fac75dba419c358039007b554257ac5
MD5 hash: 3d5b46a9ccf53c49f03a7235cdc4b7c4
humanhash: thirteen-leopard-xray-single
File name: 5d6ae98ae540507f758287d80f4379e529b912e00a629968a5a86807fd39d7b7.exe
File size: 117'294 bytes
First seen: 2020-07-29 08:59:50 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 87bed5a7cba00c7e1f4015f1bdae2183 (3'034 x Jadtre, 23 x IcedID, 17 x Blackmoon)
ssdeep: 3072:uR1+aJe1mgawzxsBub861jIHxowE2W5ziBaD9s+/fKVdZguvDD7zKYdjQ:uRUTV5nP2WcBaW+/fwdmunKN
Threatray: 16 similar samples on MalwareBazaar
TLSH: 65B3F190D687A5D8D4E812B66D73CE8131F6CF02845BA7040DD4BBBFBBF69970422C99
Reporter: JoulK
Tags: exe

Intelligence

File Origin
# of uploads: 1
# of downloads: 71
Origin country: n/a

Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the Windows directory
Creating a file in the Windows subdirectories
Creating a process from a recently created file
Launching a process
Creating a window
Setting a global event handler
Connection attempt
Creating a file in the %temp% directory
Deleting a recently created file
Launching the default Windows debugger (dwwin.exe)
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun
Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 80 / 100
Signature
Allocates memory in foreign processes
Creates an undocumented autostart registry key
DLL side loading technique detected
Drops executables to the windows directory (C:\Windows) and starts them
Injects code into the Windows Explorer (explorer.exe)
Injects files into Windows application
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Behaviour
Behavior Graph (ID: 253472, Sample: CJdYRiB9uJ.exe, Start date: 29/07/2020, Architecture: WINDOWS, Score: 80), rendered as a process tree:

Sample start
  DNS/IP: g.msn.com
  Signature: Machine Learning detection for sample
  Started: CJdYRiB9uJ.exe
    Dropped: C:\Windows\t2serv.exe (PE32); C:\Users\user\Desktop\2DA7.tmp (data)
    Signature: Tries to detect virtualization through RDTSC time measurements
    Started: t2serv.exe
      DNS/IP: 98.136.96.74, 25, 49744 (YAHOO-NE1US, United States); 104.47.18.161, 25, 49746 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States); 10 other IPs or domains
      Dropped: C:\Windows\t2serv.dll (PE32); C:\Windows\SysWOW64\vdieserw.dll (PE32); C:\Windows\SysWOW64\p2psdrpr.exe (PE32); 2 other files (none is malicious)
      Signatures: Creates an undocumented autostart registry key; Machine Learning detection for dropped file; Injects code into the Windows Explorer (explorer.exe); 3 other signatures
      Injected: explorer.exe
        Signature: Drops executables to the windows directory (C:\Windows) and starts them
        Started: t2serv.exe
          DNS/IP: mta6.am0.yahoodns.net 67.195.204.73, 25, 49739 (YAHOO-3US, United States); hotmail-com.olc.protection.outlook.com 104.47.56.161, 25, 49741 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States); 8 other IPs or domains
          Started: WerFault.exe
            Started: WerFault.exe
      Started: WerFault.exe
    Started: notepad.exe
      Signatures: DLL side loading technique detected; Injects files into Windows application
Threat name: Win32.Worm.Stration
Status: Malicious
First seen: 2011-06-10 15:07:00 UTC
AV detection: 27 of 29 (93.10%)
Threat level: 5/5
Result
Malware family: n/a
Score: 10/10
Tags: persistence
Behaviour
Suspicious use of WriteProcessMemory
Opens file in notepad (likely ransom note)
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Program crash
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Reads user/profile data of web browsers
Loads dropped DLL
Modifies AppInit DLL entries
Executes dropped EXE
Suspicious use of NtCreateProcessExOtherParentProcess
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: suspicious_packer_section
Author: @j0sm1
Description: The packer/protector section names/keywords
Reference: http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments