MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 609a0f03c1d4c15e6bb79b59749aed44d7e778bf88f71080fdf5f31ccaabcd05. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 4


Intelligence 4 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 609a0f03c1d4c15e6bb79b59749aed44d7e778bf88f71080fdf5f31ccaabcd05
SHA3-384 hash: 3e8f7e91d68cd38085330acbebcc52ba51a6d741e5eb529c3f7dd003a5a881eb331b171c6f72d329ab2f472fd1eea7af
SHA1 hash: 59255ec615795d31b793d2dc8f50f7577d5415cf
MD5 hash: bbbf0de4a530df9b790dd69c7c76b2b2
humanhash: london-happy-blue-foxtrot
File name:echo-7ea15b.exe
Download: download sample
File size:7'273'888 bytes
First seen:2021-03-04 13:13:48 UTC
Last seen:2021-03-05 16:57:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 610495213f5565124ec2721bc9d05394
ssdeep 196608:cLB3sQLzWEf9yiNqJ2YwT1c2OHHxI7RH7BokD//5:QB3lP9fkcT1cx2V7zX5
TLSH 8976014A73A4C0F9D1B78138C55686EBE6717C0587209ACB22D07BAA3F337D15E7A721
Reporter Anonymous

Intelligence

File Origin
# of uploads :
3
# of downloads :
113
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://cdn.discordapp.com/attachments/807888339852197929/814908878797275156/volt.exe
Verdict:
No threats detected
Analysis date:
2021-02-26 17:22:13 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/bbb445cc-3106-482a-b11e-65b186412867

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/122268/
Detection(s):
SecuriteInfo.com.Trojan.Heur.012100A3.8689.27364.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
DNS request
Searching for analyzing tools
Searching for the window
Sending a custom TCP request
Sending an HTTP GET request
Sending a UDP request
Creating a file in the %temp% subdirectories
Creating a window
Deleting a recently created file
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
45 / 100
Link:
https://www.joesandbox.com/analysis/628632
Signature
Hides threads from debuggers
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/609a0f03c1d4c15e6bb79b59749aed44d7e778bf88f71080fdf5f31ccaabcd05/
Verdict:
unknown
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion themida trojan
Link:
https://tria.ge/reports/210304-fgt825vzqj/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Checks BIOS information in registry
themida
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Unpacked files
SH256 hash:
609a0f03c1d4c15e6bb79b59749aed44d7e778bf88f71080fdf5f31ccaabcd05
MD5 hash:
bbbf0de4a530df9b790dd69c7c76b2b2
SHA1 hash:
59255ec615795d31b793d2dc8f50f7577d5415cf
Link:
https://www.unpac.me/results/93b00659-5bf5-4a90-9b1a-bb87d3617f84/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/609a0f03c1d4c15e6bb79b59749aed44d7e778bf88f71080fdf5f31ccaabcd05

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/122268/

Comments