MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7883df070b501cf6d4f167ac030820d2fa5d90bd6f48b7feacbe17e612e0475b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 5



SHA256 hash: 7883df070b501cf6d4f167ac030820d2fa5d90bd6f48b7feacbe17e612e0475b
SHA3-384 hash: 54c262b3367177387a0f87674345a53425eb1a214f4b53479928a5e64a02eac0df387bf6707e51646041b7529d09e179
SHA1 hash: a0e8de46e0b0aaed6bc83ea6954491e70c130b31
MD5 hash: 1a9dc5b25be9f7b87c2466076e4bc91e
humanhash: montana-blossom-two-august
File name: 67.dll
File size: 251'392 bytes
First seen: 2021-11-30 19:08:21 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 4e0d9a7737a22848b48dac3b7af204bc
ssdeep: 3072:u3n294W8z9p3PEGZTUMg/YP10GwX0uNmxqgHg6vOGCzg4xbCLQ7w0AjY8O7YC3AZ:uiyz/EGZTwYOxChSxbCLQk0b7L3xU
Threatray: 37 similar samples on MalwareBazaar
TLSH: T17A34D00723D90D7BD43286B985A3499AD3B6B8201721EEEF0364539D1F637C19D3AF61
Reporter: Kostastsale
Tags: exe

Intelligence

File Origin
# of uploads: 1
# of downloads: 126
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 67.dll
Verdict: No threats detected
Analysis date: 2021-11-30 19:28:03 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Clean
Maliciousness:
Behaviour
Searching for the window
DNS request
Verdict: Suspicious
Threat level: 5/10
Confidence: 67%
Tags: greyware
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: troj.evad
Score: 60 / 100
Signature
Creates an autostart registry key pointing to binary in C:\Windows
Sigma detected: UNC2452 Process Creation Patterns
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Behaviour
Behavior Graph (ID 531451; sample 67.dll; start date 30/11/2021; architecture WINDOWS; score 60; Sigma detected on the sample: UNC2452 Process Creation Patterns), reconstructed from the graph's node and edge list as a process tree, with matched signatures in square brackets:
67.dll (sample)
  loaddll64.exe
    rundll32.exe
      cmd.exe [Uses ping.exe to sleep]
        rundll32.exe
          cmd.exe
            reg.exe [Creates an autostart registry key pointing to binary in C:\Windows]
            conhost.exe
          cmd.exe
            conhost.exe
            timeout.exe
            rundll32.exe
        PING.EXE -> 192.0.2.26 (unknown, Reserved)
        conhost.exe
    cmd.exe [Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks]
      rundll32.exe
    rundll32.exe
    rundll32.exe
  rundll32.exe
  rundll32.exe
Threat name: Win64.Trojan.BazarLoader
Status: Malicious
First seen: 2021-11-30 19:09:12 UTC
File Type: PE+ (Dll)
Extracted files: 1
AV detection: 19 of 28 (67.86%)
Threat level: 5/5
Result
Malware family: n/a
Score: 1/10
Tags: n/a
Behaviour
Runs ping.exe
Suspicious use of WriteProcessMemory
Unpacked files
SHA256 hash: 7883df070b501cf6d4f167ac030820d2fa5d90bd6f48b7feacbe17e612e0475b
MD5 hash: 1a9dc5b25be9f7b87c2466076e4bc91e
SHA1 hash: a0e8de46e0b0aaed6bc83ea6954491e70c130b31
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments