MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 904adfc207b1c3b3862b16bd1d865967c270cf6de65979b849897f731e540cbb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 7

Intelligence 7 IOCs YARA 3 File information Comments

SHA256 hash:	904adfc207b1c3b3862b16bd1d865967c270cf6de65979b849897f731e540cbb
SHA3-384 hash:	7c92ade43b178d61f588f1018ae13407319486fd80b30508b93ad372b1ab6b8c91e266d817be5f5cff832314cebbca6a
SHA1 hash:	6013979abb6f1ff249f0e28791319a33d8bbcc4e
MD5 hash:	61e4a084cc1608a11b7dd5149da4800c
humanhash:	alabama-oklahoma-jupiter-delaware
File name:	904adfc207b1c3b3862b16bd1d865967c270cf6de65979b849897f731e540cbb
Download:	download sample
File size:	1'295'088 bytes
First seen:	2021-03-23 08:07:58 UTC
Last seen:	2021-03-23 08:52:04 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	80126f45ea382259110e4b34c47362ad (3 x RemcosRAT)
ssdeep	24576:tXS4EZdRHfgaYLo7U+GXp+/fA4bzXj0n7aKpdHkSPtHz4jCG8TpAD+b:2BI/Zn4bMY+T4wJb
Threatray	85 similar samples on MalwareBazaar
TLSH	05555B22BE9D8877C06616348C5FA7656839BE103A20456F67F45D4CDF3A780BC293BB
Reporter	JAMESWT_WT
Tags:	185.158.115.38 TORG-ALYANS LLC

Intelligence

File Origin

# of uploads :

# of downloads :

110

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

904adfc207b1c3b3862b16bd1d865967c270cf6de65979b849897f731e540cbb

Verdict:

No threats detected

Analysis date:

2021-03-23 08:19:18 UTC

Tags:

installer

Link:

https://app.any.run/tasks/b94b0b14-7862-4a88-81d6-f6ef2134d9b7

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/126458/

Detection(s):

PUA.Win.Packer.BorlandCpp-9

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

64 / 100

Link:

https://www.joesandbox.com/analysis/649528

Signature

Allocates memory in foreign processes

Hijacks the control flow in another process

Multi AV Scanner detection for submitted file

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Writes to foreign memory regions

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/904adfc207b1c3b3862b16bd1d865967c270cf6de65979b849897f731e540cbb/

Threat name:

Win32.Downloader.Penguish

Status:

Malicious

First seen:

2021-03-11 02:42:19 UTC

File Type:

PE (Exe)

Extracted files:

146

AV detection:

20 of 28 (71.43%)

Threat level:

3/5

Verdict:

malicious

04ac77106a85dad9f430906c1363969a025b97675671479a0386ce6f6d0f7ece

04c950e9fb1cf6ff2de10fd17f04191f8e938189766482ef856efa2581df8dbb

0e79effa0348929c10e8aa39b07b38ba50872d4fe132fd7c131e4ac9892ed046

446fdd51f5eb4359191e189e54a209bd96295c5495cabc1b0b07c8f11d1eb748

a3fedff31a0349bc1b17791e2382179f465c870b3abd6b49040b3091be722f51

b401246b1d42e19f1d86ae14b21b2aa82868eb4197c482c8aa78be7f7e28e494

cb7a74842bedcc2a37001978778e146e251cd2aac681d349d8f448f08f1a9868

e431d81e245dd47b376162b55b07a341789498cbc19dba9271b98cd048002e01

eb7b058c625b1306c70d8a76546af054bd769347ca067f5db5e1b0b1c7306298

+ 75 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/210323-ml7bz1pq56/

Unpacked files

SH256 hash:

c7fbdc61eb62c05e40295617e2db75877672931f751a770d2629e6eab6075f2c

MD5 hash:

abf6c724b20844d5b0073988a58faf1e

SHA1 hash:

7a8269d5b2ae623f8148ce9863f48f7e12ce036b

Link:

https://www.unpac.me/results/efd1a4a6-5792-4d12-83c6-e55c373b74f9/

SH256 hash:

904adfc207b1c3b3862b16bd1d865967c270cf6de65979b849897f731e540cbb

MD5 hash:

61e4a084cc1608a11b7dd5149da4800c

SHA1 hash:

6013979abb6f1ff249f0e28791319a33d8bbcc4e

Link:

https://www.unpac.me/results/efd1a4a6-5792-4d12-83c6-e55c373b74f9/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

DriveBy Activity

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/904adfc207b1c3b3862b16bd1d865967c270cf6de65979b849897f731e540cbb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	crime_win32_parallax_payload_1 Create hunting rule
Author:	@VK_Intel
Description:	Detects Parallax Injected Payload v1.01
Reference:	https://twitter.com/VK_Intel/status/1227976106227224578

Rule name:	crime_win32_rat_parralax_shell_bin Create hunting rule
Author:	@VK_Intel
Description:	Detects Parallax injected code
Reference:	https://twitter.com/VK_Intel/status/1257714191902937088

Rule name:	MAL_crime_win32_rat_parallax_shell_bin Create hunting rule
Author:	@VK_Intel
Description:	Detects Parallax injected code
Reference:	https://twitter.com/VK_Intel/status/1257714191902937088

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/126458/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample