MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9645193a9c27dda91e226282f95aa9f41b71818cfbae43b8e056a77db19655fb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 4


Intelligence 4 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9645193a9c27dda91e226282f95aa9f41b71818cfbae43b8e056a77db19655fb
SHA3-384 hash: 453f77012d9144c8af95188687856d9de03d7aa9e428619db3b3098fba48286de64dca07e7de55299a5857b7f1b611d4
SHA1 hash: f5e3587a93a0dd4ddff0d2ca75577f5719763a51
MD5 hash: 0b4ebd7fc0fc37a5f64d5c1ad3247ef8
humanhash: enemy-carpet-sixteen-uncle
File name:AnyDesk (2).exe
Download: download sample
File size:5'944'848 bytes
First seen:2021-04-03 20:36:19 UTC
Last seen:2021-04-03 21:48:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a9d14bb684d1f510d1683e48b1f609d3
ssdeep 98304:jw2asSqTc42CcE53Fj5v0JLpzF0cMpc3OUQUchbOAwuMZBBhjEYN4uZCv:EAfl5VtvOpzm6pvchaAFEFfS
Threatray 1'523 similar samples on MalwareBazaar
TLSH 9156335C5F12984DCE8BB1BBC0CA39F43F4299006E42CADA5D736D4D8E9FB34662961C
Reporter Anonymous

Intelligence

File Origin
# of uploads :
2
# of downloads :
231
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
AnyDesk (2).exe
Verdict:
No threats detected
Analysis date:
2021-04-03 20:37:52 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b37a3461-c64b-4df9-b194-367958b6bb2a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/132032/
Detection(s):
SecuriteInfo.com.Artemis0B4EBD7FC0FC.7084.14999.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/063fd672-2019-4a18-8c67-e8949b2444f1
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/665293
Signature
Hides threads from debuggers
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9645193a9c27dda91e226282f95aa9f41b71818cfbae43b8e056a77db19655fb/
Verdict:
malicious
Similar samples:
13409a886c8f0bd8a991f67ce2d8864dec2574fc456f3179d0332026606546aa
146dd15ab549f6a0691c3a728602ce283825b361aa825521252c94e4a8bd94b4
752abe1050403b95676de500b60db8b36e26f02e4b24eb84ae9f4daf6d03b957
9237e5cae5f698d5ad9f6c61af8bd866e599abb05f5bc49474d98e269a29a588
a53dac7e98824879e0571fbac851d515d9727c41ee7b13148cf99433e6a6b9ae
a78df3ea7c9bcf96c6c9db033be7a66d9c418c1acfa3c8efc3c4ba313c5b4fad
ad3c67acd7773a47ac0d46c544f1bcaa03ddbeb577b195e66fc4a15cd4413dab
c0e6f7a4aa809d2b93ba137245380ada0a44ac5576935e13e165d02b1b937583
d367eca88434cb310aad91f251c9baa7d11fcd2ffd2c0f0cbb35595445a27698
fdf5f9635c047cde3c096139490f3462d03434986b1450ca5f01be74e1f5b559
+ 1'513 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion themida trojan
Link:
https://tria.ge/reports/210403-vyjpv1srqj/
Behaviour
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Checks BIOS information in registry
Themida packer
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Unpacked files
SH256 hash:
9645193a9c27dda91e226282f95aa9f41b71818cfbae43b8e056a77db19655fb
MD5 hash:
0b4ebd7fc0fc37a5f64d5c1ad3247ef8
SHA1 hash:
f5e3587a93a0dd4ddff0d2ca75577f5719763a51
Link:
https://www.unpac.me/results/3082f609-ae50-470c-bbe6-21950ba124bf/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.56
Link:
https://yomi.yoroi.company/submissions/9645193a9c27dda91e226282f95aa9f41b71818cfbae43b8e056a77db19655fb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/132032/

Comments