MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 904af3bff57448a7275f50b317a6ed056b68a4c8ba0046115c696a8703591a64. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 6

Intelligence 6 IOCs YARA 1 File information Comments

SHA256 hash:	904af3bff57448a7275f50b317a6ed056b68a4c8ba0046115c696a8703591a64
SHA3-384 hash:	92c02950593d4912c33673dbd9fe9bf298526af9006e39be783bacb1cc89cf7d6c6343ab9540a130649edfd20b083813
SHA1 hash:	8e76ebd6b8fad2aea9958f3ebb7b05b731db04ec
MD5 hash:	a50644bbb7b53b1394e5df3129d9bbef
humanhash:	wisconsin-seven-mango-yankee
File name:	904af3bff57448a7275f50b317a6ed056b68a4c8ba0046115c696a8703591a64
Download:	download sample
File size:	1'014'641 bytes
First seen:	2022-01-05 05:58:24 UTC
Last seen:	Never
File type:	msi
MIME type:	application/x-msi
ssdeep	24576:OsuDXXNBv04BMeRocDP1NPQDhkPTG4McJ:OVXdyi5ooAFeBJ
Threatray	699 similar samples on MalwareBazaar
TLSH	T17025234577538F73C4679BB40AA3DB3902799C447B028A932BD0B3553EBB3A44EC3659
Reporter	JAMESWT_WT
Tags:	msi Purple Fox

Intelligence

File Origin

# of uploads :

# of downloads :

165

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/217360/

Detection(s):

PUA.Win.Packer.PECompact-2

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed packed

Link:

https://www.filescan.io/uploads/61d533ab92bdc4b4077fb044/reports/9a059c47-7cdf-4e8e-a443-63e7b99c3706/overview

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/904af3bff57448a7275f50b317a6ed056b68a4c8ba0046115c696a8703591a64

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Unknown

Detection:

malicious

Classification:

n/a

Score:

68 / 100

Link:

https://www.joesandbox.com/analysis/915661

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Multi AV Scanner detection for submitted file

PE file has a writeable .text section

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/904af3bff57448a7275f50b317a6ed056b68a4c8ba0046115c696a8703591a64/

Threat name:

Win32.Trojan.Woreflint

Status:

Malicious

First seen:

2021-08-16 20:02:00 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

24 of 43 (55.81%)

Threat level:

5/5

Verdict:

malicious

0d83906aa1c84a83028cd12f8ef9582a260f94e56c4254cb35735b98d7266b8e

383996c33dfd88054e6600a885efa9fe7215f81c35eed57dc09fd9321b1ea634

3b6437f01fccf08fb0b2aec67a09c03ec8a741c774bcea3ad6320bd6984afe2f

447157a9abc75d0c95e6ee0ffa7d8865280c637e7a469992619f06f21f01275c

67e2366e87044cbdeefa32770db63e9592c7e637d4c62c678f894eeba419bd26

878730d98ca2b265653a8c94f41fbb35a564fd36453a04c830d7c59a626f633e

bd7d27059a0e1304a490b0e421515978e79fe3ddaf64a68299a5a1b3961312b5

c5a89658b850b8988392440e6c802d451cb4392b6d765db1f2f4b9a7269dbd6f

db827664d924cee347ceed8264f97be9183a2edfe4ab8cd602b443df7f28c5ed

+ 689 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/220105-gpqzxaaab4/

Behaviour

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Drops file in Windows directory

Enumerates connected drives

Loads dropped DLL

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/904af3bff57448a7275f50b317a6ed056b68a4c8ba0046115c696a8703591a64

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	PurpleFox_Dropper Create hunting rule
Author:	@bartblaze
Description:	Identifies PurpleFox aka DirtyMoe botnet, dropper CAB or MSI package.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/217360/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample