MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 882d95bdbca75ab9d13486e477ab76b3978e14d6fca30c11ec368f7e5fa1d0cb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 9

Intelligence 9 IOCs YARA 5 File information Comments

SHA256 hash:	882d95bdbca75ab9d13486e477ab76b3978e14d6fca30c11ec368f7e5fa1d0cb
SHA3-384 hash:	46dbb5a1b1608f4a11e9565203c2513071a86b5238fb39c8138bb01bcc9823dae023f50d80efb1bd6edd3551f82999b3
SHA1 hash:	e243975bde2276b48b74025cf5c27b3b0c8ea198
MD5 hash:	8aec9363db389e4b18e5e25e17bc7da7
humanhash:	lake-north-network-solar
File name:	update.exe
Download:	download sample
File size:	9'874'752 bytes
First seen:	2023-04-04 15:56:52 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	ba5546933531fafa869b1f86a4e2a959 (10 x DCRat, 3 x RedLineStealer, 2 x RemcosRAT)
ssdeep	196608:ufzKCnCsXDjDyfeNJm3AqkdJolpPgToa10/472EbPxFOnJPlm2b:SzKcCEDd/m3paJ83a10w7hDxsJlmG
Threatray	27 similar samples on MalwareBazaar
TLSH	T1AAA633468AD02DEDFD77A13A8D959942C9B23C6B5324C24B09AC13476D339B24D7FB23
TrID	48.7% (.EXE) Win64 Executable (generic) (10523/12/4) 23.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.3% (.EXE) OS/2 Executable (generic) (2029/13) 9.2% (.EXE) Generic Win/DOS Executable (2002/3) 9.2% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):
dhash icon	e8f0c8cd4d88c0e0 (2 x CoinMiner, 1 x CobaltStrike)
Reporter	sans_isc
Tags:	backdoor efile.com exe Python signed

Code Signing Certificate

Organisation:	Sichuan Niurui Science and Technology Co., Ltd.
Issuer:	Sectigo Public Code Signing CA R36
Algorithm:	sha384WithRSAEncryption
Valid from:	2022-04-08T00:00:00Z
Valid to:	2024-04-07T23:59:59Z
Serial number:	c11e1aa05bd747eab43fb31eb6a531dc
Thumbprint Algorithm:	SHA256
Thumbprint:	941f449e8a329b6d161d78b51dcec6b15c5dcc455517b499635cbf08c0beceb5
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

sans_isc

JavaScript code on efile.com directed users to a fake error page that offered this binary for download.

Analysis https://isc.sans.edu/diary/Analyzing%20the%20efile.com%20Malware%20%22efail%22/29712

Intelligence

File Origin

# of uploads :

# of downloads :

340

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

https://winwin.co.th/intro/update.exe

Verdict:

No threats detected

Analysis date:

2023-04-02 19:47:08 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/e9ff2ee3-c4a5-446f-a9b0-5eedfb41e87a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/380094/

Detection(s):

Sanesecurity.Rogue.0hr.20230404-1313.BadEfile.UNOFFICIAL

SecuriteInfo.com.FileRepMalware.29467.15994.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Creating a file in the %temp% subdirectories

Creating a file

DNS request

Creating a file in the Program Files subdirectories

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/76529/overview

Behaviour

MalwareBazaar

MeasuringTime

EvasionQueryPerformanceCounter

CheckCmdLine

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware overlay packed

Link:

https://www.filescan.io/uploads/642c48d005c72da113b37226/reports/8dd5cf02-b203-4120-9e76-8877d31ae76c/overview

Verdict:

Malicious

Link:

https://www.hybrid-analysis.com/sample/882d95bdbca75ab9d13486e477ab76b3978e14d6fca30c11ec368f7e5fa1d0cb

Result

Verdict:

MALICIOUS

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/dabcf8aa-5519-42dc-b4cc-2fadd7b288f2

Result

Threat name:

Unknown

Detection:

clean

Classification:

n/a

Score:

6 / 100

Link:

https://www.joesandbox.com/analysis/1204657

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/882d95bdbca75ab9d13486e477ab76b3978e14d6fca30c11ec368f7e5fa1d0cb/

Threat name:

Win64.Trojan.BrokenDynamo

Status:

Malicious

First seen:

2023-03-17 18:51:14 UTC

File Type:

PE+ (Exe)

Extracted files:

1312

AV detection:

16 of 24 (66.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=rawzlpn4u5nltujuq3shpk3wwoly4fgw7srqyepmg2hx4x5b2dfq._file

Verdict:

unknown

22cb2fba2dde578f61c82ed450c88c9060629fa7736bb7e27a584c97473c0883

3c1b7eed78ed128b6463c8b6eb35e46b78f2a9946d0b2a093e51630919b5054a

75e9498c9de4ca202f86709a5b58448b64f09ab94440007fe6a9a0ea7c1e633e

77555fc73bde72d601c995f884b564d9f12e3577221ffece363c0f8786745dff

8e4ce102a531d540a1f643396d6ddfc0da9acc963ca995bcba9d07909ebb58e0

937e73c80582b2c880a5af198e6520e76e22c3e1ef2fe4a8278d0b49ec61ef86

a20cc7c8887cad9fce369f6b2113b21958926bdef91f6b544f01bbbbd2b12dc7

c072f81e922796d43b29a7f7b59b7c6f3a4ff70a05ea1f5b6523ee1b809fabf3

ec5ab723a255e763e9c87a23d44794b70108b988c7053432177d5dadafd7e645

+ 17 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

pyinstaller

Link:

https://tria.ge/reports/230404-tdxpjaac5y/

Behaviour

Suspicious use of WriteProcessMemory

Loads dropped DLL

Unpacked files

SH256 hash:

882d95bdbca75ab9d13486e477ab76b3978e14d6fca30c11ec368f7e5fa1d0cb

MD5 hash:

8aec9363db389e4b18e5e25e17bc7da7

SHA1 hash:

e243975bde2276b48b74025cf5c27b3b0c8ea198

Link:

https://www.unpac.me/results/43b19a72-7379-469d-ad9a-30c52b7cf7a4/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/882d95bdbca75ab9d13486e477ab76b3978e14d6fca30c11ec368f7e5fa1d0cb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	PyInstaller Create hunting rule
Author:	@bartblaze
Description:	Identifies executable converted using PyInstaller.

Rule name:	Suspicious_Macro_Presence Create hunting rule
Author:	Mehmet Ali Kerimoglu (CYB3RMX)
Description:	This rule detects common malicious/suspicious implementations.

Rule name:	upxHook Create hunting rule
Author:	@r3dbU7z
Description:	Detect artifacts from 'upxHook' - modification of UPX packer
Reference:	https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe 882d95bdbca75ab9d13486e477ab76b3978e14d6fca30c11ec368f7e5fa1d0cb

(this sample)

Link

https://app.any.run/tasks/d25c5a78-d22f-4a8c-b714-73541a66a412/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/380094/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample