MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6cfd239899f3900e6eaa1c1b2a11ddb8b082ee224fb1014bdc9baadb61611135. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DiskWriter


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6cfd239899f3900e6eaa1c1b2a11ddb8b082ee224fb1014bdc9baadb61611135
SHA3-384 hash: 5a098825442b777bc8ac342a6bcf31911187c1b286dbec8294c547bbee8ec6508004d69c67f638ae714f95b30e39f51b
SHA1 hash: f34d5de55c690bed79f6f859147b264ecdf4f1bf
MD5 hash: baeef8f9695769097cdf9fe4258c0884
humanhash: thirteen-nitrogen-florida-batman
File name:BAEEF8F9695769097CDF9FE4258C0884.exe
Download: download sample
Signature DiskWriter
Create hunting rule
File size:926'720 bytes
First seen:2022-06-19 14:34:55 UTC
Last seen:2022-06-19 15:47:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ac75686146574797057644f616b74446 (1 x DiskWriter)
ssdeep 12288:M5yxiRwPb2wyCRK2K4p9luUFHvc3U/MiKmec3qCgd:ziEb8CRXKe9luEHvccf6C4
Threatray 4 similar samples on MalwareBazaar
TLSH T1DE152A1FF7A344EEC67AC17046579372BA30F86512306A3E2F56CB351F21E609A6DB24
TrID 43.3% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
27.6% (.EXE) Win64 Executable (generic) (10523/12/4)
13.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.3% (.EXE) OS/2 Executable (generic) (2029/13)
5.2% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter obfusor
Tags:DiskWriter exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
301
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/281302/
Detection(s):
SecuriteInfo.com.Trojan.Siggen18.10106.14701.25159.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Rewriting of the hard drive's master boot record
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/21971/overview
Behaviour
MalwareBazaar
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug
Link:
https://www.filescan.io/uploads/62af3423c07f2e38a15dff8a/reports/7ced076c-d83d-453d-b2d9-8f385f634f25/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/39dfb9f8-dc0a-48ab-bc58-5a2acc257bda
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1015917
Signature
Contains functionality to infect the boot sector
Infects the VBR (Volume Boot Record) of the hard disk
Multi AV Scanner detection for submitted file
Writes directly to the primary disk partition (DR0)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6cfd239899f3900e6eaa1c1b2a11ddb8b082ee224fb1014bdc9baadb61611135/
Threat name:
Win64.Trojan.DiskWriter
Create hunting rule
Status:
Malicious
First seen:
2022-06-13 00:54:00 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nt6shgez6oia43vkdqnsueo5xcyif3rcj6yqcs64tovnwylbce2q._file
Verdict:
malicious
Similar samples:
23ee36c32f198966a793d71f9e2f0b4e0b8c1429202f38f2fab3a25c692c5c64
DiskWriter
ce07b1122ef0305ce0dd1588394295073545df0b5a91c63f6ab6eaf5b7f74091
DiskWriter
ce309a2f5d17fa9dc0957947d401699492ca6f9d63206486d947aea54c65c589
DiskWriter
de85e7754cdb6c18d93f074d58406b4b4e91466cb53e82f962535452ebc2b9d9
DiskWriter
Result
Malware family:
n/a
Score:
  6/10
Tags:
bootkit persistence
Link:
https://tria.ge/reports/220619-rxz8naehbl/
Behaviour
Writes to the Master Boot Record (MBR)
Unpacked files
SH256 hash:
6cfd239899f3900e6eaa1c1b2a11ddb8b082ee224fb1014bdc9baadb61611135
MD5 hash:
baeef8f9695769097cdf9fe4258c0884
SHA1 hash:
f34d5de55c690bed79f6f859147b264ecdf4f1bf
Link:
https://www.unpac.me/results/172f83ac-0fdd-4f58-84fd-78a6377f4e3b/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6cfd239899f3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.96
Link:
https://yomi.yoroi.company/submissions/6cfd239899f3900e6eaa1c1b2a11ddb8b082ee224fb1014bdc9baadb61611135

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:exploit_any_poppopret
Create hunting rule
Author:Jeff White [karttoon@gmail.com] @noottrak
Description:Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/281302/

Comments