MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 87881f84676ff10ab3f51519748d1799468def9f10dab79588b1d655d0eddb71. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Threat unknown
Vendor detections: 3
| SHA256 hash: | 87881f84676ff10ab3f51519748d1799468def9f10dab79588b1d655d0eddb71 |
|---|---|
| SHA3-384 hash: | 9d4f0607a95b581241c89bbba4642bb3c134c8e291e32a117a2e237c593cbfec47ce6dcfc008d2bd976c60c5d5926b97 |
| SHA1 hash: | 8db0281f699d5614c866df477e256c06192ec03f |
| MD5 hash: | 8c7948bfcfd1c888aad45ff254de1470 |
| humanhash: | island-eleven-georgia-crazy |
| File name: | 87881f84676ff10ab3f51519748d1799468def9f10dab79588b1d655d0eddb71 |
| Download: | download sample |
| File size: | 542'088 bytes |
| First seen: | 2020-03-23 18:47:45 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | 3c98c11017e670673be70ad841ea9c37 (5 x HawkEye, 5 x NanoCore, 4 x Plugx) |
| ssdeep | 12288:BK2mhAMJ/cPlJlJ2rTrGLvRrLv4wVGG7KYKF78IPj0:w2O/GlJlWTEvRnJVVe8Wj0 |
| Threatray | 49 similar samples on MalwareBazaar |
| TLSH | 14B4121277E540BEE6A250306EFF16A4E6B4FA3965F9A50EE351060E3BB04E2C517733 |
| Reporter |  Marco_Ramilli |
| Tags: | exe |
Intelligence
File Origin
# of uploads :
1
# of downloads :
80
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Gathering data
Threat name:
Win32.Trojan.Delf
Status:
Malicious
First seen:
2014-07-26 09:48:00 UTC
File Type:
PE (Exe)
Extracted files:
35
AV detection:
27 of 31 (87.10%)
Threat level:
5/5
Verdict:
malicious
Similar samples:
+ 39 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Web download
exe 87881f84676ff10ab3f51519748d1799468def9f10dab79588b1d655d0eddb71
(this sample)
Delivery method
Distributed via web download
BLint
The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.
Findings
| ID | Title | Severity |
|---|---|---|
| CHECK_AUTHENTICODE | Missing Authenticode | high |
| CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high |
| CHECK_PIE | Missing Position-Independent Executable (PIE) Protection | high |
Reviews
| ID | Capabilities | Evidence |
|---|---|---|
| AUTH_API | Manipulates User Authorization | ADVAPI32.dll::SetFileSecurityA |
| COM_BASE_API | Can Download & Execute components | ole32.dll::CoCreateInstance ole32.dll::CreateStreamOnHGlobal |
| SECURITY_BASE_API | Uses Security Base API | ADVAPI32.dll::AdjustTokenPrivileges ADVAPI32.dll::SetFileSecurityW |
| SHELL_API | Manipulates System Shell | SHELL32.dll::ShellExecuteExW SHELL32.dll::SHFileOperationW SHELL32.dll::SHGetFileInfoW |
| WIN32_PROCESS_API | Can Create Process and Threads | ADVAPI32.dll::OpenProcessToken KERNEL32.dll::CloseHandle |
| WIN_BASE_API | Uses Win Base API | KERNEL32.dll::LoadLibraryW KERNEL32.dll::GetCommandLineW |
| WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CreateDirectoryA KERNEL32.dll::CreateDirectoryW KERNEL32.dll::CreateFileMappingW KERNEL32.dll::CreateFileW KERNEL32.dll::CreateFileA KERNEL32.dll::DeleteFileW KERNEL32.dll::DeleteFileA |
| WIN_BASE_USER_API | Retrieves Account Information | ADVAPI32.dll::LookupPrivilegeValueW |
| WIN_REG_API | Can Manipulate Windows Registry | ADVAPI32.dll::RegCreateKeyExW ADVAPI32.dll::RegOpenKeyExW ADVAPI32.dll::RegQueryValueExW ADVAPI32.dll::RegSetValueExW |
| WIN_USER_API | Performs GUI Actions | USER32.dll::FindWindowExW USER32.dll::PeekMessageW USER32.dll::CreateWindowExW |
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.