MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 87e69df644cf7fa95ced9c33e3fcd4a88356baea18ac20c2aac042d223d7c4b8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 2

Intelligence 2 IOCs YARA File information Comments

SHA256 hash:	87e69df644cf7fa95ced9c33e3fcd4a88356baea18ac20c2aac042d223d7c4b8
SHA3-384 hash:	cc05b639cfc43db93c50d86409cc3308f3f2daa1637be30105d43773ba99ac9ec6f2b979217a6bdeea1260a260ecc968
SHA1 hash:	86dc8a7546be3ec54d660d694d1a218293a5e5c5
MD5 hash:	779f2991a9631c36426ccb48453fa5d2
humanhash:	grey-louisiana-stairway-king
File name:	SecuriteInfo.com.Win32.DH_gnFbJRN9.27574.8321
Download:	download sample
File size:	151'552 bytes
First seen:	2020-03-28 11:00:45 UTC
Last seen:	2020-05-06 17:17:13 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	1da18fc5a1e3ff31bb49f3f4c7f89f3e
ssdeep	3072:o2yyXiNJIJfQibGPsk00bWu9lJyUMVhq28xY:4jIJfQuGPssWilJyUMrB
Threatray	9 similar samples on MalwareBazaar
TLSH	A3E3091B73E70CF9C657E13482EAE773A532F0141324BE1E1A95CF331EA9C245B6A958
Reporter	SecuriteInfoCom

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Win32.DH_gnFbJRN9.27574.8321.UNOFFICIAL

Gathering data

Threat name:

Win64.Trojan.Tfr

Status:

Malicious

First seen:

2020-03-27 01:39:11 UTC

File Type:

PE+ (Exe)

AV detection:

22 of 31 (70.97%)

Threat level:

2/5

Verdict:

suspicious

4c4881464fd7d95cfe2d60dfd7beff8dd9c3426c15c945500db1e8714374556c

5355c506c4e860b1c35c4eade8e462ccea8b4da1ff5dfc2bd70437176a9217b5

5f6adcdc4b4d6b876c33b57ed612ca3707c49eb8b56d0b325ec79c6f0616c107

8a80a763b2921dfeeeec8a9c75b06af7b37f4281541f959e6229b835b46f1185

8def2806af1018108aea2523b671471051aa156f4d837d16369b7f1154c0a5a7

a57337366ce7dc7b059633a944b048c25457841f2916573062973003793a0b0c

e424e9bbd3853459d205936d047a3bd08529ffb857dcc47a279e5c2c9fa820f1

ebd0a53672107762483efcef26bcca3f35bc148136c2424083aae6273165868c

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe 87e69df644cf7fa95ced9c33e3fcd4a88356baea18ac20c2aac042d223d7c4b8

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/331295/

URLhaus

https://urlhaus.abuse.ch/url/331297/

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/358907/

URLhaus

https://urlhaus.abuse.ch/url/358911/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
AUTH_API	Manipulates User Authorization	ADVAPI32.dll::AllocateAndInitializeSid ADVAPI32.dll::FreeSid
SECURITY_BASE_API	Uses Security Base API	ADVAPI32.dll::CheckTokenMembership
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CloseHandle WININET.dll::InternetCloseHandle
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::GetStartupInfoA
WIN_BASE_USER_API	Retrieves Account Information	KERNEL32.dll::GetComputerNameA ADVAPI32.dll::GetUserNameA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample