MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6b90e2a3f0ad8819b5afe67bf13451c9782af26a9f2bdac3a0e042569054e5fd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Lazarus

Vendor detections: 9


SHA256 hash: 6b90e2a3f0ad8819b5afe67bf13451c9782af26a9f2bdac3a0e042569054e5fd
SHA3-384 hash: 487df61bd10028a1bdd372a4207ec7e20b4a1984874859285317ef9d72fca8c92ec37fbb11fea58ccae8c17349171b45
SHA1 hash: aeb0b1a850b3d0ccd6ae17dc065ee2d3e4e7927e
MD5 hash: d7a722cb4fa08a84831bd688033c2004
humanhash: lamp-ten-island-mexico
File name: 6b90e2a3f0ad8819b5afe67bf13451c9782af26a9f2bdac3a0e042569054e5fd.bin
Signature: Lazarus
File size: 186'368 bytes
First seen: 2022-04-26 08:08:00 UTC
Last seen: Never
File type: DLL dll
MIME type: application/x-dosexec
imphash: 556d5ca305809ad2ba5bfe1c2e86d9a6 (1 x Lazarus)
ssdeep: 3072:cyz8IoObzO6YVIVw76HBYN7/YrHnUROAg0FuhghF2FOkz:Qw5YG44BMjYrHnUgAOhZFx
Threatray: 1 similar samples on MalwareBazaar
TLSH: T16F048D1172A1C03BD0B61134B9AB47BA193CB43013B984E3B7D45EBD2E607D1ABB9767
TrID: 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
      10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
      7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter: Arkbird_SOLG
Tags: apt dll Lazarus old

Intelligence

File Origin
# of uploads: 1
# of downloads: 325
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Clean
Maliciousness:
Behaviour
Searching for the window
DNS request
Sending a custom TCP request

Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 68 / 100
Signature
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Call by Ordinal
Submitted sample is a known malware sample
System process connects to network (likely due to code injection or exploit)
Behaviour
Behavior Graph:

Threat name: Win32.Trojan.Manuscrypt
Status: Malicious
First seen: 2019-07-02 11:03:04 UTC
File Type: PE (Dll)
Extracted files: 1
AV detection: 33 of 42 (78.57%)
Threat level: 5/5

Result
Malware family: n/a
Score: 1/10
Tags: n/a
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

Unpacked files
SHA256 hash: 6b90e2a3f0ad8819b5afe67bf13451c9782af26a9f2bdac3a0e042569054e5fd
MD5 hash: d7a722cb4fa08a84831bd688033c2004
SHA1 hash: aeb0b1a850b3d0ccd6ae17dc065ee2d3e4e7927e
Detections: win_taintedscribe_auto
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: win_taintedscribe_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.taintedscribe.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments