MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8794893f687e487bfafaf085154a5b932612d9de0825a3b392931d414b2c1985. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 7



SHA256 hash: 8794893f687e487bfafaf085154a5b932612d9de0825a3b392931d414b2c1985
SHA3-384 hash: f955a6002f72e538ca5b7df03bc060ab285ed749e0b5e2cc7a0e7a0d565059ea37fb959be2e321f592a3f05a0a5d7587
SHA1 hash: f75ad2980002d655410e7270825d51dcc53de0cc
MD5 hash: 0562f10f0c926a05eb28d3579fc86663
humanhash: magnesium-twelve-autumn-oranges
File name: 8794893f687e487bfafaf085154a5b932612d9de0825a3b392931d414b2c1985
Signature: n/a
File size: 4'919'296 bytes
First seen: 2021-01-30 13:16:18 UTC
Last seen: 2021-01-30 14:59:35 UTC
File type: DLL dll
MIME type: application/x-dosexec
imphash: c046337d6f2b7d6f6998381b0c3e7501
ssdeep: 98304:42fbNEOO9ojnF+x6Fk+1mKi7SVSVSRDEdxA0L6EwSlyZ/9kXUVje32:46htO9oz2umKESVSVSR/i6Ewx98d2
Threatray: 12 similar samples on MalwareBazaar
TLSH: 8536D001F770C035F5D700FA86BA427DAAB47631131495C7A3C06A9AAFA6BE17E36713
Reporter: @JAMESWT_MHT
Tags: Mingloa

Intelligence


File Origin
# of uploads: 2
# of downloads: 138
Origin country: IT
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Sending a UDP request
Result
Threat name: Unknown
Detection: malicious
Classification: n/a
Score: 64 / 100
Signature
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Behaviour
Behavior Graph: [graph image not reproduced] Behavior Graph ID: 346323; Sample: V7F2H10gJw; Start date: 30/01/2021; Architecture: WINDOWS; Score: 64. Signatures attached to the root node: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Machine Learning detection for sample; PE file has a writeable .text section. Process tree: loaddll32.exe starts three rundll32.exe processes and WerFault.exe; each rundll32.exe in turn starts a further rundll32.exe, forming chains of nested rundll32.exe processes.
Threat name: Win32.Trojan.Mingloa
Status: Malicious
First seen: 2020-11-25 05:45:53 UTC
File Type: PE (Dll)
Extracted files: 201
AV detection: 13 of 29 (44.83%)
Threat level: 5/5
Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
Suspicious use of WriteProcessMemory
Unpacked files
SHA256 hash: 8794893f687e487bfafaf085154a5b932612d9de0825a3b392931d414b2c1985
MD5 hash: 0562f10f0c926a05eb28d3579fc86663
SHA1 hash: f75ad2980002d655410e7270825d51dcc53de0cc

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as Malpedia. Those are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:WHITE rules are displayed.

Rule name: APT34_PICKPOCKET
Rule name: Email_stealer_bin_mem
Author: James_inthe_box
Description: Email in files like avemaria
Rule name: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author: ditekSHen
Description: Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name: Ping_Del_method_bin_mem
Author: James_inthe_box
Description: cmd ping IP nul del
Rule name: with_sqlite
Author: Julian J. Gonzalez <info@seguridadparatodos.es>
Description: Rule to detect the presence of SQLite data in raw image
Reference: http://www.st2labs.com

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments