MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 612140e7557e3936961100270c51e5943e256f375934c28d2ea3496475d473dc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 612140e7557e3936961100270c51e5943e256f375934c28d2ea3496475d473dc
SHA3-384 hash: e46976ed798a0f9516560c0e13b962a4341f071274329a55390c5f3fd99d1c7c0c755c47841496cf5ee34734ecc6b481
SHA1 hash: 873162f9a7c14faed0153face3f8a13ef28a48f9
MD5 hash: 3789115c0dfaa5ad30995c3648064e16
humanhash: seventeen-mirror-idaho-pennsylvania
File name:612140e7557e3936961100270c51e5943e256f375934c28d2ea3496475d473dc
Download: download sample
File size:1'694'481 bytes
First seen:2021-03-01 22:24:59 UTC
Last seen:2021-03-01 23:38:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 845afb2b5d7999c716962677637e454b
ssdeep 24576:dBSXLlvmJ1YImVS4DBYD1NNRPIlcJVyZLtgONCyvNlRhfXJRhtiNIYPFwndjs5go:Uqmo4DB0NbPIlHFaQTjXJRUIsF5XX
TLSH 477501ECABA8DE40C0BE1371A4C9202857F9BA86DDA2C7DC0DD574D539233B7649168F
Reporter c3rb3ru5d3d53c2


Avatar
c3rb3ru5d3d53c
@c3rb3ru5d3d53c Live Hunt

Intelligence

File Origin
# of uploads :
2
# of downloads :
106
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
612140e7557e3936961100270c51e5943e256f375934c28d2ea3496475d473dc
Verdict:
No threats detected
Analysis date:
2021-03-01 22:27:47 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/670b100c-1b1d-4956-8dc6-7f86e84c10e2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
EnigmaStub
Create hunting rule
Link:
https://www.capesandbox.com/analysis/120430/
Detection(s):
SecuriteInfo.com.Variant.Barys.101505.15014.27683.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching the default Windows debugger (dwwin.exe)
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/622968
Signature
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Hides threads from debuggers
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file has nameless sections
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/612140e7557e3936961100270c51e5943e256f375934c28d2ea3496475d473dc/
Threat name:
Win32.Packed.EnigmaProtector
Create hunting rule
Status:
Malicious
First seen:
2021-03-01 08:51:50 UTC
AV detection:
28 of 47 (59.57%)
Threat level:
  1/5
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/210301-x14mg72xxj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Unpacked files
SH256 hash:
612140e7557e3936961100270c51e5943e256f375934c28d2ea3496475d473dc
MD5 hash:
3789115c0dfaa5ad30995c3648064e16
SHA1 hash:
873162f9a7c14faed0153face3f8a13ef28a48f9
Link:
https://www.unpac.me/results/6a5edcdc-2a53-456d-ba7d-f6e65fec7339/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/612140e7557e3936961100270c51e5943e256f375934c28d2ea3496475d473dc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Link
https://www.virustotal.com/gui/file/612140e7557e3936961100270c51e5943e256f375934c28d2ea3496475d473dc/details
  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/120430/

Comments