MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6d7b896ce389f5cb0c385bfdfd033fb9a8af53de02bb18cc75c80370a6085148. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MyDoom
Vendor detections: 17



SHA256 hash: 6d7b896ce389f5cb0c385bfdfd033fb9a8af53de02bb18cc75c80370a6085148
SHA3-384 hash: bf43c22191c5bd394186461079cde52592c3791f187133c806a3a6ddafdf93791a2a02159605a9a29a54fac31262b688
SHA1 hash: d01bbca5df6b16e8d1611d02bdb7231c6f018331
MD5 hash: 521f96dc9c83f2c1ff27b9735968ee27
humanhash: oregon-vegan-uniform-lima
File name: FILE.COM
Signature: MyDoom
File size: 22'020 bytes
First seen: 2025-02-14 10:25:06 UTC
Last seen: 2025-02-14 16:21:28 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 5d02f6de12eb07fb22fe87e05e50d6a0 (131 x MyDoom)
ssdeep: 384:FZcpzCIqdG3A3WUkx38GZDJuJbf1+o44u8gHzU4Yk+:SCIqdH/k1ZVcT194jp44YD
Threatray: 47 similar samples on MalwareBazaar
TLSH: T18DA2C09737BBA8C5C15442764963ED70386A3C342DF9832B3F50FBAF7A39A581D44126
TrID:
  34.7% (.EXE) UPX compressed Win32 Executable (27066/9/6)
  34.1% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
  8.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  6.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
  5.7% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
dhash icon: b270e0d292c0c482 (80 x MyDoom)
Reporter: TeamDreier
Tags: exe Mydoom

Intelligence


File Origin
# of uploads: 2
# of downloads: 514
Origin country: DK
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: FILE.COM
Verdict: Malicious activity
Analysis date: 2025-02-14 10:28:07 UTC
Tags: mydoom upx

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.1%
Tags: virus spam smtp worm

Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a file in the Windows directory
Delayed reading of the file
Creating a file in the %temp% directory
Connection attempt
Launching a process
Creating a window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: masquerade obfuscated overlay packed packed packed packer_detected upx
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name:
Detection: malicious
Classification: spre.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Found evasive API chain (may stop execution after checking mutex)
Found suspicious ZIP file
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: System File Execution Location Anomaly
Sigma detected: Windows Binaries Write Suspicious Extensions
Yara detected MyDoom
Threat name: Win32.Worm.MyDoom
Status: Malicious
First seen: 2025-02-14 10:25:33 UTC
File Type: PE (Exe)
Extracted files: 9
AV detection: 24 of 24 (100.00%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:mydoom discovery persistence upx worm
Behaviour
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Drops file in Program Files directory
Drops file in Windows directory
UPX packed file
Adds Run key to start application
Downloads MZ/PE file
Detects MyDoom family
MyDoom
Mydoom family
Verdict: Malicious
Tags: Win.Worm.Mydoom-5
YARA: n/a

Unpacked files
SHA256 hash: 6d7b896ce389f5cb0c385bfdfd033fb9a8af53de02bb18cc75c80370a6085148
MD5 hash: 521f96dc9c83f2c1ff27b9735968ee27
SHA1 hash: d01bbca5df6b16e8d1611d02bdb7231c6f018331

SHA256 hash: 0791586e7dcc9bf342fd9104bba6cf5abeb32bce9a6f9e9eff08a725fdb2437e
MD5 hash: 6432149c7ea21e833a6201a6dc06c7ed
SHA1 hash: 90bb75ac3f1511cdb10f5faca358beefa56db0ed
Detections: MyDoom
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

Rule name: UPX290LZMAMarkusOberhumerLaszloMolnarJohnReiser
Author: malware-lu

Rule name: upx_3
Author: Kevin Falcoz
Description: UPX 3.X

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
MyDoom
Executable exe 6d7b896ce389f5cb0c385bfdfd033fb9a8af53de02bb18cc75c80370a6085148 (this sample)
Delivery method: Distributed via e-mail attachment

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_NX | Missing Non-Executable Memory Protection | critical
CHECK_PIE | Missing Position-Independent Executable (PIE) Protection | high

Reviews
ID | Capabilities | Evidence
WIN_BASE_API | Uses Win Base API | KERNEL32.DLL::LoadLibraryA
