MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 862e13feab6936cf835fc226e167a499a09600068eefcf039239eee2db4f098b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 7

Intelligence 7 IOCs YARA 2 File information Comments

SHA256 hash:	862e13feab6936cf835fc226e167a499a09600068eefcf039239eee2db4f098b
SHA3-384 hash:	c23449a56896635c56401b0d3d4c61d4ca01dd2bf2a921ad6d854257268ef68b232a1e65eadfa555f19794ab6f81cd3e
SHA1 hash:	e8ceb3531ee93f98fc7a7b6b01f050e2958a1bb2
MD5 hash:	8c998bbc10e36ab04ca6e18e19b661a4
humanhash:	low-march-nitrogen-pluto
File name:	8c998bbc10e36ab04ca6e18e19b661a4.exe
Download:	download sample
File size:	404'016 bytes
First seen:	2021-11-21 10:17:05 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	ac3c3560127b72abd0e1eee4b5a913ec
ssdeep	12288:A3/9o2b604YjjntmYrXed7IB6Rvqv5/tH+i0H:AeC60JjbtNPB6Qjm
Threatray	109 similar samples on MalwareBazaar
TLSH	T1D284230259D411F3F9FA5A32BD7E6867670897770ED20AE83247A6D47F60EB1809334E
Reporter	abuse_ch
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

8c998bbc10e36ab04ca6e18e19b661a4.exe

Verdict:

No threats detected

Analysis date:

2021-11-21 10:20:16 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/4e4c654b-d993-4dea-b3cd-cd9546f45d3d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Gathering data

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Searching for analyzing tools

Searching for the window

Сreating synchronization primitives

Using the Windows Management Instrumentation requests

Searching for synchronization primitives

DNS request

Launching the default Windows debugger (dwwin.exe)

Verdict:

Suspicious

Threat level:

5/10

Confidence:

60%

Tags:

overlay packed

Link:

https://www.filescan.io/uploads/619a1cdd398e2553d2ffac3d/reports/1d81a611-e2e6-495b-ac15-c04cd7cd88c0/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/0f5d0760-600c-4b94-b333-8d7f510201e0

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/893250

Signature

Antivirus / Scanner detection for submitted sample

Contain functionality to detect virtual machines

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to infect the boot sector

Detected unpacking (changes PE section rights)

Hides threads from debuggers

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to evade analysis by execution special instruction which cause usermode exception

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/862e13feab6936cf835fc226e167a499a09600068eefcf039239eee2db4f098b/

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2021-11-21 10:18:08 UTC

AV detection:

19 of 28 (67.86%)

Threat level:

5/5

Verdict:

malicious

6ee7395df98613294d9cf0effd03c5312682dbe2551360b697d8dfe0f8dc9c9a

7af038d2f4f41c0d130aaa1e4557d821e2b7f4c6bda2be44300e229cd5c721df

91647ac947d5d5d3a0dc69e98070bfc2f9841d7839b579d69c524b02869a497f

a99dfa4b60347edac3d2083c96df817bc3dfdc3c206be400723abb594cdb510b

ad5592929818b5ee09b99dddb8a652d84621e0b70efe51c2f2b6ca54aeaa3713

c3fc24261e7c6dd2f0545f8c394089ebd13d32ace2b7f2d62f1d93fe41166df2

dc0715adb07b65af47d660aa7582f9ecdfc770606f1a852fe1aa7a643bba7543

e934da8d0b455bcdf23e6e9c2fa5580982bf2f9b39a5d0246b2f462bbf1ae141

fc25512ebc702b7b64fe49986b457e95884386944560d4fbdcf8a573e612629e

+ 99 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

n/a

Link:

https://tria.ge/reports/211121-mbyqgsggc3/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of NtCreateProcessExOtherParentProcess

Unpacked files

SH256 hash:

6106a2a47b681d40becf48eceaf5c8cbf392ed42204627bb27ee15d7707bda32

MD5 hash:

3835fde7118811808a3c53bb92c3616e

SHA1 hash:

43219f97f8351a753f46a8105a1e77a9df8fa3b8

Link:

https://www.unpac.me/results/be82779d-bb0b-4ffe-8bd2-857c3b9e226f/

SH256 hash:

99e3f627f4702d18bd0ff181a368e74c226d5afbe53a6cdf23cd44000815446d

MD5 hash:

7855716a5ac3b60d5c47caf23df182f0

SHA1 hash:

ce0386bb4becd2d3124700fe21f0a5ce55d01f6d

Link:

https://www.unpac.me/results/be82779d-bb0b-4ffe-8bd2-857c3b9e226f/

SH256 hash:

862e13feab6936cf835fc226e167a499a09600068eefcf039239eee2db4f098b

MD5 hash:

8c998bbc10e36ab04ca6e18e19b661a4

SHA1 hash:

e8ceb3531ee93f98fc7a7b6b01f050e2958a1bb2

Link:

https://www.unpac.me/results/be82779d-bb0b-4ffe-8bd2-857c3b9e226f/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/862e13feab6936cf835fc226e167a499a09600068eefcf039239eee2db4f098b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL Create hunting rule
Author:	ditekSHen
Description:	Detects binaries and memory artifcats referencing sandbox DLLs typically observed in sandbox evasion

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe 862e13feab6936cf835fc226e167a499a09600068eefcf039239eee2db4f098b

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1799814/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/207861/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample