MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8179d0b5e1307621aa793c502a89ac3b7aba833f3b4fc815f99d0dbc85aa7c06. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: 8179d0b5e1307621aa793c502a89ac3b7aba833f3b4fc815f99d0dbc85aa7c06
SHA3-384 hash: 44ada27d8242b0d41f2b66d9392c9e61c366975170c7fc69877baafa5834db11e2848237432d8806317ecb19ae2c4808
SHA1 hash: 519870c71a1ae3c12300284139d1e311e16ea416
MD5 hash: 49b71eb3c4e9b9f5f4d58722e6bcdfa4
humanhash: bulldog-minnesota-stream-magnesium
File name: SecuriteInfo.com.Trojan.Inject2.57861.24408.7581
Signature: n/a
File size: 64'512 bytes
First seen: 2020-08-01 19:34:42 UTC
Last seen: 2020-08-02 07:34:51 UTC
File type: Executable exe
MIME type: application/x-dosexec
ssdeep: 1536:xJGjdJIlBFF1NH2r4VdWbJ49Hf31uIz22EEEEEEEE5:xJcUF1NHI4oJ49/FuIz22EEEEEEEE
TLSH: ED535B51F043C5FDE7F019B62EAFB989A05ED6361B6E3DE3B2D01C5169304E17A36882
Reporter: @SecuriteInfoCom

Intelligence


File Origin
# of uploads: 2
# of downloads: 33
Origin country: US
Mail intelligence: No data

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour
Sending a UDP request
Launching a process
Creating a window
Using the Windows Management Instrumentation requests
Moving of the original file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 72 / 100
Signature
Contains functionality to infect the boot sector
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect virtualization through RDTSC time measurements
Behaviour
Threat name: Win32.Trojan.Ruandmel
Status: Malicious
First seen: 2018-01-14 21:36:54 UTC
AV detection: 42 of 48 (87.50%)
Threat level: 5/5

Result
Malware family: n/a
Score: 6/10
Tags: persistence
Behaviour
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Adds Run key to start application

Yara Signatures


Rule name: win_gaudox_a0
Author: Slavo Greminger

Rule name: win_gaudox_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Executable exe 8179d0b5e1307621aa793c502a89ac3b7aba833f3b4fc815f99d0dbc85aa7c06 (this sample)

Delivery method: Distributed via web download
