MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 65e8672493d253d4f4fa6c88a6008752b1144e3995d12b515bd5eeda22c930c8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 5



SHA256 hash: 65e8672493d253d4f4fa6c88a6008752b1144e3995d12b515bd5eeda22c930c8
SHA3-384 hash: df9bac5a1942309f987c73bbb1b2eda01afb5df6832b235b4c968c1208b5d7e04cec00a203625ba144c601d15fbc3f53
SHA1 hash: 13b81fdffe6c5c7098798ffb0d753543e52953c1
MD5 hash: 0ddfb511418427767e22ec3259c7fddd
humanhash: arizona-network-vermont-oven
File name: Dll2.dll
File size: 31'744 bytes
First seen: 2025-02-26 00:36:42 UTC
Last seen: Never
File type: DLL
MIME type: application/x-dosexec
imphash: c1c8014e50bff25ac277c0a3b7a505da
ssdeep: 384:6iWt8/Y3RK5n8QhZx3Ve45kLg6eIvmdx7uBTkfVTE2+YR0ReSGUym:6iWm/iYn86ZaZP+DGoNUiQePt
TLSH: T112E23B17335198B9C37F23362D97535B83BCBD500AF1B6179F8A64981F3989AF232056
TrID: 32.2% (.EXE) Win64 Executable (generic) (10522/11/4)
      20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
      13.7% (.EXE) Win32 Executable (generic) (4504/4/1)
      6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika: pebin
Reporter: skocherhan
Tags: dll


Reporter note (skocherhan): http://154.198.49.151/Dll2.dll

Intelligence


File Origin
# of uploads: 1
# of downloads: 649
Origin country: GB
Vendor Threat Intelligence
Result
Verdict: Clean
Maliciousness:
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-debug anti-vm hacktool microsoft_visual_cc obfuscated
Result
Verdict: UNKNOWN
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: n/a
Detection: malicious
Classification: evad
Score: 76 / 100
Signature
Adds a directory exclusion to Windows Defender
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found API chain indicative of debugger detection
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Modifies Windows Defender protection settings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Rundll32 Execution Without CommandLine Parameters
Tries to detect sandboxes and other dynamic analysis tools (window names)
Behaviour
Behavior Graph (ID 1624217, sample Dll2.dll, start date 26/02/2025, architecture WINDOWS, score 76), rendered as a process tree with the signatures attached to each node:
[sample start]  (Joe Sandbox ML detected suspicious sample; Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet; Sigma detected: Rundll32 Execution Without CommandLine Parameters)
  loaddll32.exe
    rundll32.exe  (Tries to detect sandboxes and other dynamic analysis tools (window names); Found API chain indicative of debugger detection; Modifies Windows Defender protection settings; Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent))
      powershell.exe  (Loading BitLocker PowerShell Module)
        conhost.exe
      powershell.exe
        conhost.exe
      WerFault.exe
    cmd.exe
      rundll32.exe  (Modifies Windows Defender protection settings; Adds a directory exclusion to Windows Defender)
        powershell.exe  (Loading BitLocker PowerShell Module)
          conhost.exe
        powershell.exe
          conhost.exe
        WerFault.exe
    rundll32.exe  (Adds a directory exclusion to Windows Defender)
      powershell.exe
        conhost.exe
      powershell.exe
        conhost.exe
      WerFault.exe
    conhost.exe
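As an added example (not MalwareBazaar's, Joe Sandbox's or SigmaHQ's code), the following Python approximates the two Sigma detections listed in the signature block above and runs them over constructed process-creation events. The event field names follow Sysmon conventions, the command lines and the excluded path are made up, and only the core condition of each rule is implemented; the published rules may carry additional filters for benign parents.

```python
"""Approximation of 'Powershell Base64 Encoded MpPreference Cmdlet' and
'Rundll32 Execution Without CommandLine Parameters' over constructed events.
Added example; not code from MalwareBazaar or any sandbox vendor."""
import base64
import binascii
import re

# Constructed script and event set (assumption: Sysmon-style field names).
SCRIPT = r"Add-MpPreference -ExclusionPath 'C:\Users\Public'"
ENC = base64.b64encode(SCRIPT.encode("utf-16-le")).decode("ascii")

EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32.exe",
     "ParentImage": r"C:\Windows\System32\loaddll32.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -EncodedCommand " + ENC,
     "ParentImage": r"C:\Windows\System32\rundll32.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -Command Get-MpPreference",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

MPPREF_RE = re.compile(r"\b(Set|Add)-MpPreference\b", re.IGNORECASE)
# Parameters that weaken Defender: exclusions and the Disable* switches.
TAMPER_RE = re.compile(r"-(Exclusion(Path|Process|Extension)|Disable\w+)\b",
                       re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand (any prefix such as -e or
    -enc, plus the -ec alias) as text, or None if absent or not base64-wrapped
    UTF-16LE."""
    toks = cmdline.split()
    for flag, arg in zip(toks, toks[1:]):
        if flag[:1] not in "-/":
            continue
        name = flag[1:].lower()
        if name != "ec" and not (name and "encodedcommand".startswith(name)):
            continue
        try:
            return base64.b64decode(arg, validate=True).decode("utf-16-le")
        except (binascii.Error, UnicodeDecodeError):
            return None
    return None


def detect_encoded_mppreference(event):
    """powershell.exe whose encoded command decodes to Set-/Add-MpPreference."""
    if not event["Image"].lower().endswith(("\\powershell.exe", "\\pwsh.exe")):
        return None
    script = decode_encoded_command(event["CommandLine"])
    if script is None or not MPPREF_RE.search(script):
        return None
    return {"rule": "Powershell Base64 Encoded MpPreference Cmdlet",
            "decoded": script,
            "defender_tamper": TAMPER_RE.search(script) is not None}


def detect_rundll32_no_args(event):
    """rundll32.exe launched with nothing after the image name."""
    if not event["Image"].lower().endswith("\\rundll32.exe"):
        return None
    # Drop the image token, quoted or not, and look at what remains.
    rest = re.sub(r'^(?:"[^"]*"|\S+)', "", event["CommandLine"].strip()).strip()
    if rest:
        return None
    return {"rule": "Rundll32 Execution Without CommandLine Parameters",
            "parent": event["ParentImage"]}


def scan(events):
    """Run every detection over every event; return the hits in event order."""
    hits = []
    for event in events:
        for check in (detect_encoded_mppreference, detect_rundll32_no_args):
            hit = check(event)
            if hit:
                hits.append(hit)
    return hits


if __name__ == "__main__":
    for hit in scan(EVENTS):
        print(hit)
```

Decoding the -EncodedCommand payload before matching is the whole point of the first rule: the cmdlet name never appears in the raw command line. On a host that ran the sample, `Get-MpPreference | Select-Object -ExpandProperty ExclusionPath` shows whether an exclusion was actually added.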
Result
Malware family: n/a
Score: 8/10
Tags: discovery execution
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Command and Scripting Interpreter: PowerShell
Unpacked files
SHA256 hash: 65e8672493d253d4f4fa6c88a6008752b1144e3995d12b515bd5eeda22c930c8
MD5 hash: 0ddfb511418427767e22ec3259c7fddd
SHA1 hash: 13b81fdffe6c5c7098798ffb0d753543e52953c1
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: Check_Debugger

Rule name: Check_FindWindowA_iat

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerCheck__RemoteAPI
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: Disable_Defender
Author: iam-py-test
Description: Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Distributed via web download
Web download: DLL 65e8672493d253d4f4fa6c88a6008752b1144e3995d12b515bd5eeda22c930c8 (this sample)

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high

Reviews
ID | Capabilities | Evidence
WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CreateProcessA, KERNEL32.dll::CloseHandle
WIN_BASE_API | Uses Win Base API | KERNEL32.dll::TerminateProcess
WIN_USER_API | Performs GUI Actions | USER32.dll::FindWindowA
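The Reviews table maps imported APIs to capabilities, and the imphash in the file-information block is derived from the same import table. As an added example (not BLint's, pefile's or MalwareBazaar's code), the following Python computes a pefile-compatible imphash and a BLint-style capability review over a constructed import list. The list uses the API names visible on this page plus CheckRemoteDebuggerPresent from the sandbox signatures, but the sample's real import table and its order are not shown, so the computed imphash is not expected to equal the entry's imphash c1c8014e50bff25ac277c0a3b7a505da; the capability buckets are a hypothetical subset of BLint's own mapping.

```python
"""Import hash (imphash) and import-based capability review on a constructed
import list. Added example; not BLint's, pefile's or MalwareBazaar's code."""
import hashlib

# Constructed (DLL, function-or-ordinal) list in import-directory order. The
# names are taken from this page, but the sample's full import table is not
# shown, so this is an assumption and its imphash will not match the entry.
IMPORTS = [
    ("KERNEL32.dll", "CreateProcessA"),
    ("KERNEL32.dll", "CloseHandle"),
    ("KERNEL32.dll", "TerminateProcess"),
    ("KERNEL32.dll", "CheckRemoteDebuggerPresent"),
    ("USER32.dll", "FindWindowA"),
]

# Hypothetical capability buckets keyed by API name (BLint's mapping is larger).
CAPABILITIES = {
    "WIN32_PROCESS_API": ("Can Create Process and Threads",
                          {"CreateProcessA", "CreateProcessW", "CreateThread",
                           "CreateRemoteThread", "CloseHandle"}),
    "WIN_BASE_API": ("Uses Win Base API", {"TerminateProcess", "ExitProcess"}),
    "WIN_USER_API": ("Performs GUI Actions",
                     {"FindWindowA", "FindWindowW", "EnumWindows"}),
    "ANTI_DEBUG": ("Checks for a debugger",
                   {"IsDebuggerPresent", "CheckRemoteDebuggerPresent",
                    "NtQueryInformationProcess"}),
}


def imphash(imports):
    """pefile-compatible import hash: lower-case the DLL name with its
    .dll/.ocx/.sys extension removed, append '.' and the lower-case function
    name (ordinal imports become 'ordN'; pefile also resolves ordinals of a
    few well-known DLLs to names, which is skipped here), join all pairs with
    ',' in table order and MD5 the result."""
    parts = []
    for dll, func in imports:
        lib = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if lib.endswith(ext):
                lib = lib[:-len(ext)]
                break
        name = "ord%d" % func if isinstance(func, int) else func.lower()
        parts.append("%s.%s" % (lib, name))
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


def review(imports):
    """Map imports to capability IDs: {id: (title, [DLL::Function, ...])}."""
    found = {}
    for dll, func in imports:
        if isinstance(func, int):
            continue  # ordinal-only imports carry no name to match on
        for cap_id, (title, apis) in CAPABILITIES.items():
            if func in apis:
                found.setdefault(cap_id, (title, []))[1].append("%s::%s" % (dll, func))
    return found


if __name__ == "__main__":
    print("imphash:", imphash(IMPORTS))
    for cap_id, (title, evidence) in review(IMPORTS).items():
        print(cap_id, "|", title, "|", ", ".join(evidence))
```

Because imphash covers the DLL/function pairs in table order, the same imports in a different order hash differently, which is why a partial or re-sorted list cannot reproduce an entry's imphash; conversely, two builds that share an import table and its order (typical for the same toolchain and source) share the hash even when every other hash on the page differs.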

Comments