MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 829eceee720b0a3e505efbd3262c387b92abdf46183d51a50489e2b157dac3b1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: Lazarus
Vendor detections: 9



SHA256 hash: 829eceee720b0a3e505efbd3262c387b92abdf46183d51a50489e2b157dac3b1
SHA3-384 hash: 45478ecd6dd4777dfd9ef56004642a99744d4a1dd1526184450e71cb5883a510cc3750339f77232eb0ac603aab61ceb9
SHA1 hash: 294690c1aee8dc7723858dafcb2a0ed273296641
MD5 hash: 490c885dc7ba0f32c07ddfe02a04bbb9
humanhash: kilo-kansas-kilo-carolina
File name: wuaueng.dll
Signature: Lazarus
File size: 232'936 bytes
First seen: 2022-01-28 09:47:16 UTC
Last seen: 2022-03-20 18:41:37 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: c85366c575f613a77056fbe024287687 (1 x Lazarus)
ssdeep: 6144:frSYfjhA5JgZ9fAcb7PNblIbRGCAOJquFDue2ZmrYnp:TSYa5eZ9fAc/PBquOdchZjnp
Threatray: 1'798 similar samples on MalwareBazaar
TLSH: T19C346C17B2E500BBE5778639C8A35A06D772B8121670DFAF03A4425A1F637915E3EF32
Reporter: Jirehlov
Tags: apt dll exe Lazarus signed

Code Signing Certificate

Organisation: SAMOYAJ LIMITED
Issuer: Sectigo Public Code Signing CA R36
Algorithm: sha384WithRSAEncryption
Valid from: 2021-11-24T00:00:00Z
Valid to: 2022-11-24T23:59:59Z
Serial number: 029bf7e1cb09fe277564bd27c267de5a
MalwareBazaar Blocklist: This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm: SHA256
Thumbprint: 2b18684a4b1348bf78f6d58d3397ee5ca80610d1c39b243c844e08f1c1e0b4bf
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads: 3
# of downloads: 302
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: wuaueng.dll
Verdict: No threats detected
Analysis date: 2022-01-28 10:32:19 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour:
Launching a process
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Searching for synchronization primitives
Possible injection to a system process
Unauthorized injection to a system process

Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour:
CPUID_Instruction
MeasuringTime
EnumerateProcesses
EvasionQueryPerformanceCounter
CheckCmdLine

Result
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: explorer.exe greyware overlay packed update.exe

Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 84 / 100
Signature:
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Call by Ordinal
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Behaviour:
Behavior Graph:

Result
Threat name: Win64.Trojan.Generic
Status: Suspicious
First seen: 2022-01-22 07:24:37 UTC
File Type: PE+ (Dll)
Extracted files: 3
AV detection: 20 of 43 (46.51%)
Threat level: 5/5

Result
Malware family: n/a
Score: 1/10
Tags: n/a
Behaviour:
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory

Unpacked files
SHA256 hash: 829eceee720b0a3e505efbd3262c387b92abdf46183d51a50489e2b157dac3b1
MD5 hash: 490c885dc7ba0f32c07ddfe02a04bbb9
SHA1 hash: 294690c1aee8dc7723858dafcb2a0ed273296641

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments