MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7e8969374479fedde873a2de183ed311d69eb2567847b173b0f79135b3dd5fb2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7e8969374479fedde873a2de183ed311d69eb2567847b173b0f79135b3dd5fb2
SHA3-384 hash: 094721675cc1f26287c3a878c1b8997af26d1ed744dee2dcca661773d15626c87b363a7ef68eb74287baf1f4445f6093
SHA1 hash: 80ea7337de3b1732246032cbf6cc73f233c512e0
MD5 hash: 14d2ba04412f17a7767e10418bbb4395
humanhash: quiet-alaska-fruit-hydrogen
File name:DaumCrashHandler.dll
Download: download sample
File size:11'865'600 bytes
First seen:2022-05-31 13:35:57 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash dd73182ea24a6abeef6801d9539098b3
ssdeep 196608:TXpD/Yd/o/gb14Z2UDKwPEHR8Wfyi82V1liEW6O472cnkuw3PUrE29+:T5DgiIbqkxEL81lU9UkhPOE2
Threatray 256 similar samples on MalwareBazaar
TLSH T1E3C6335362F20049E4F6CC3C8B377EF932F703274652D879599EABC579214B4E64AA23
TrID 54.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
18.3% (.EXE) Win64 Executable (generic) (10523/12/4)
8.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.8% (.EXE) Win32 Executable (generic) (4505/5/1)
3.5% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter obfusor
Tags:dll dropper rootkit

Intelligence

File Origin
# of uploads :
1
# of downloads :
681
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/275742/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.21754.13569.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/629619c39bfd7f19bcdc8a08/reports/f7da346c-dcf6-4d91-8cdd-7e2cd783630b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/8f52aaa6-f4d2-4dc8-9b6e-d29b3341a14f
Result
Threat name:
Unknown
Detection:
malicious
Classification:
bank.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1004302
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Connects to many ports of the same IP (likely port scanning)
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Performs DNS queries to domains with low reputation
Sample is not signed and drops a device driver
Sets a auto configuration URL for Internet Explorer (IE settings are enforced automatically)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses known network protocols on non-standard ports
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 636798 Sample: DaumCrashHandler.dll Startdate: 31/05/2022 Architecture: WINDOWS Score: 100 66 Multi AV Scanner detection for domain / URL 2->66 68 Antivirus detection for URL or domain 2->68 70 Antivirus detection for dropped file 2->70 72 6 other signatures 2->72 7 loaddll32.exe 1 2->7         started        11 svchost.exe 2->11         started        13 svchost.exe 9 1 2->13         started        15 10 other processes 2->15 process3 dnsIp4 52 vvrfhgtn2eljaor.gvv9qiir5epdzowgc.xyz 7->52 54 gtrsszbxi9jq.ktqg6j4sc.xyz 7->54 58 2 other IPs or domains 7->58 84 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 7->84 86 Performs DNS queries to domains with low reputation 7->86 88 Sets a auto configuration URL for Internet Explorer (IE settings are enforced automatically) 7->88 17 rundll32.exe 16 1 7->17         started        22 cmd.exe 1 7->22         started        24 rundll32.exe 7->24         started        28 3 other processes 7->28 90 Changes security center settings (notifications, updates, antivirus, firewall) 11->90 26 MpCmdRun.exe 1 11->26         started        56 127.0.0.1 unknown unknown 13->56 signatures5 process6 dnsIp7 38 aspool.qwioud11121.com 103.219.177.209, 13799, 16889 CHINATELECOM-FUJIAN-XIAMEN-IDC1XiamenCN China 17->38 48 2 other IPs or domains 17->48 36 C:\Windows\System32\drivers\18f71fc3.sys, PE32+ 17->36 dropped 74 System process connects to network (likely due to code injection or exploit) 17->74 76 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 17->76 78 Performs DNS queries to domains with low reputation 17->78 80 Sample is not signed and drops a device driver 17->80 30 rundll32.exe 22->30         started        40 222.187.238.245, 18962, 49749, 49750 CHINANET-BACKBONENo31Jin-rongStreetCN China 24->40 42 no4labykrztapv.m1s9n.xyz 24->42 50 2 other IPs or domains 24->50 82 Sets a auto configuration URL for Internet Explorer (IE settings are enforced automatically) 24->82 34 conhost.exe 26->34         started        44 103.107.191.123, 48952 CHINANET-JS-AS-APASNumberforCHINANETjiangsuprovinceba China 28->44 46 ts6vdit-ax5kd0h.04jufgp39tlqcewto.xyz 28->46 file8 signatures9 process10 dnsIp11 60 103.107.191.184, 13799, 16889 CHINANET-JS-AS-APASNumberforCHINANETjiangsuprovinceba China 30->60 62 58.218.66.191, 13799, 18962, 49755 CHINANET-JIANGSU-CHANGZHOU-IDCChinaNetJiangsuChangzhouID China 30->62 64 3 other IPs or domains 30->64 92 System process connects to network (likely due to code injection or exploit) 30->92 94 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 30->94 96 Sets a auto configuration URL for Internet Explorer (IE settings are enforced automatically) 30->96 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7e8969374479fedde873a2de183ed311d69eb2567847b173b0f79135b3dd5fb2/
Threat name:
Win32.Trojan.ProxyChanger
Create hunting rule
Status:
Malicious
First seen:
2022-05-31 13:36:25 UTC
File Type:
PE (Dll)
Extracted files:
1
AV detection:
16 of 26 (61.54%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=p2ewsn2eph7n32dtulpbqpwtchlj5mswpbd3c45q66itlm65l6za._file
Verdict:
unknown
Similar samples:
044c4e0f1bc9b09ac252d12645a9c38a549944688609dacd3960cb0652314983
05a3028bc4f10ff3387b486c171178f7d5a4864de59f6693d2dcbdae035820d1
095721924420baff3670898412fc911ff32540544e8fad5495d334cded931270
2ace0be70434934b6e140f679a0c1551dd589abedfb1f6abeb5ceffaf0a1b9d9
2c9e0f6e90b663293874332acd2cab44b8a28011337c99e828e86e3b9d1585c2
36318442bbfa58a7dfa39620245f9e0fa3c672c0c9e63c267150c03fed4bb550
46878cf16c919445a9e5ada3ff03ca3465c03323a3e8b31c2de38eae1c9259e4
5940fd97a28d3ee232155231fe70af70be462aa144d0b625470fe46a01a3bd1b
e134f20c16c2d118f95738897fc6c8f3be4ec46563ad7e1c243c3d7595a0ea68
fc0eee220cef0c364edb4cb6ff45e12b2d3c035b2be1072c627e40c4a298ea72
+ 246 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/220531-qv8atafadp/
Behaviour
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Unpacked files
SH256 hash:
7e8969374479fedde873a2de183ed311d69eb2567847b173b0f79135b3dd5fb2
MD5 hash:
14d2ba04412f17a7767e10418bbb4395
SHA1 hash:
80ea7337de3b1732246032cbf6cc73f233c512e0
Link:
https://www.unpac.me/results/99e3881b-54cc-44bf-ba4d-043ea3ed3900/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Rootkit
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/7e8969374479fedde873a2de183ed311d69eb2567847b173b0f79135b3dd5fb2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/275742/

Comments