MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5e6c5a9fda2d20125f6f24e37e8a217a39ff0a5cfddc07ddfdb18049d9ea4597. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Hive

Vendor detections: 7

Intelligence 7 IOCs YARA 5 File information Comments

SHA256 hash:	5e6c5a9fda2d20125f6f24e37e8a217a39ff0a5cfddc07ddfdb18049d9ea4597
SHA3-384 hash:	c16025a16710faad739ef9eb888fda30f91c1e8554ea91d5b6e84e04f357a63063252bcb893b7f0cb0879fe3f38f483c
SHA1 hash:	c479683fde7a6737a6f7d72a043167f3a42296e3
MD5 hash:	0ad93a96179c6fbcec12a5849ffbc5bb
humanhash:	delta-hamper-johnny-indigo
File name:	5e6c5a9fda2d20125f6f24e37e8a217a39ff0a5cfddc07ddfdb18049d9ea4597
Download:	download sample
Signature	Hive Create hunting rule
File size:	9'607'168 bytes
First seen:	2022-05-12 11:14:56 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	c7269d59926fa4252270f407e4dab043 (45 x Hive, 23 x ServHelper, 22 x CobaltStrike)
ssdeep	98304:fk8ic3+bMyjx+MEDSpEbfPS8tIOIc6K9JtjCvf0hK6NHCGyex:fuFbEX16AI3KNcex
Threatray	81 similar samples on MalwareBazaar
TLSH	T15FA6BE47F85150E9F0AED230CA669262BA317894473023D32F50EBB62F76BC46F79356
gimphash	007d5476ae66b2986e8eaeb8c9e74bfc43fb19b004c98da576dbe0d1477bd0ae
TrID	48.7% (.EXE) Win64 Executable (generic) (10523/12/4) 23.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.3% (.EXE) OS/2 Executable (generic) (2029/13) 9.2% (.EXE) Generic Win/DOS Executable (2002/3) 9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter	JAMESWT_WT
Tags:	exe fernandestechnical Hive NerbianRAT

Intelligence

File Origin

# of uploads :

# of downloads :

830

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/270077/

Result

Verdict:

Clean

Maliciousness:

Behaviour

Launching the default Windows debugger (dwwin.exe)

Sending a custom TCP request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/627cec3cae83652f0e9b0012/reports/6d125f01-9051-45f2-bd88-b5913822cca1/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Elephant

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/4aa0e0f9-415e-4326-a27f-2a40e0f18f83

Result

Threat name:

Unknown

Detection:

malicious

Classification:

n/a

Score:

56 / 100

Link:

https://www.joesandbox.com/analysis/992676

Signature

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5e6c5a9fda2d20125f6f24e37e8a217a39ff0a5cfddc07ddfdb18049d9ea4597/

Threat name:

Win64.Trojan.Generic

Status:

Suspicious

First seen:

2022-04-30 01:07:00 UTC

File Type:

PE+ (Exe)

Extracted files:

1956

AV detection:

12 of 24 (50.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=lzwfvh62fuqbex3petrx5crbpi476cs47xoapxp5wgaetwpkiwlq._file

Verdict:

suspicious

Hive

460b096aaf535b0b8f0224da0f04c7f7997c62bf715839a8012c1e1154a38984

Hive

5d1db413bbb7540633fef0e40a0a8fbb2e1c309623d80503b07eec0f5b5d5a57

Hive

76960749ed11d97582923e31d59115910ae74d8753c8e92f918f604ca8a0d26d

Hive

8abaa521a014cdbda2afe77042f21947b147197d274bf801de2df55b1e01c904

Hive

b4ffbe78b7bd2372e77b05ebc0c7ae4ae463f5e85185778dc03b32abaaab572f

Hive

cd9077bf07eb4183aa5d7093cd32c9fddc43e2ecba91a682d666b041c39a4cd2

Hive

+ 71 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/220512-ncjtdscdb7/

Behaviour

Program crash

Unpacked files

SH256 hash:

5e6c5a9fda2d20125f6f24e37e8a217a39ff0a5cfddc07ddfdb18049d9ea4597

MD5 hash:

0ad93a96179c6fbcec12a5849ffbc5bb

SHA1 hash:

c479683fde7a6737a6f7d72a043167f3a42296e3

Link:

https://www.unpac.me/results/a7697e6a-5d72-4e01-962d-36b26d7bd9a4/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.30

Link:

https://yomi.yoroi.company/submissions/5e6c5a9fda2d20125f6f24e37e8a217a39ff0a5cfddc07ddfdb18049d9ea4597

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	GoBinTest Create hunting rule

Rule name:	golang Create hunting rule

Rule name:	Golangmalware Create hunting rule
Author:	Dhanunjaya
Description:	Malware in Golang

Rule name:	HiveRansomware Create hunting rule
Author:	Dhanunjaya
Description:	Yara Rule To Detect Hive V4 Ransomware

Rule name:	identity_golang Create hunting rule
Author:	Eric Yocam
Description:	find Golang malware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/270077/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample