MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 987506b904adf02794b1c51f8b166aa4ea284454607e133ef0d5d003aba64b00. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 987506b904adf02794b1c51f8b166aa4ea284454607e133ef0d5d003aba64b00
SHA3-384 hash: e9495dfc30a74b79a7919829a437903b3c9b55b7b731fd7becddc9c50c9b7de519faf5839b45292997ee1d9f3d4a5c5a
SHA1 hash: 744d0113296a443202061c81d81fdb718d6090ed
MD5 hash: 72bd252201771166ec7522d0534025dd
humanhash: connecticut-paris-triple-pizza
File name:987506b904adf02794b1c51f8b166aa4ea284454607e133ef0d5d003aba64b00
Download: download sample
File size:13'485'968 bytes
First seen:2021-03-29 07:09:20 UTC
Last seen:2021-03-29 07:48:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 393216:vCC7p7Avb3HKmWktAiOg6GvjwPO/tAjAVnOd9:vCC7BOJWrHEzSz
Threatray 582 similar samples on MalwareBazaar
TLSH 1BD633862E544080FDF36A37CE9F576731646FD05A8C48FA73122F3825E6A15CE24AB7
Reporter JAMESWT_WT
Tags:LTD SERVICES LIMITED signed

Code Signing Certificate

Organisation:LTD SERVICES LIMITED
Issuer:Sectigo RSA Code Signing CA
Algorithm:sha256WithRSAEncryption
Valid from:2021-03-18T00:00:00Z
Valid to:2022-03-18T23:59:59Z
Serial number: 7d36cbb64bc9add17ba71737d3ecceca
Intelligence: 9 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist:This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:SHA256
Thumbprint: 05be3171ca7272803d139ca13b16c24a3dd22917b1b8d6d0fd5401e63a79dd27
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
95
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Main-Installer.exe
Verdict:
Malicious activity
Analysis date:
2021-03-28 23:17:08 UTC
Tags:
trojan
Link:
https://app.any.run/tasks/efe605d3-1521-437b-ae3d-530a8a5fffa1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Siggen12.56960.23317.21019.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a service
Launching a service
Sending a UDP request
DNS request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun for a service
Sending a TCP request to an infection source
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/32ec2b93-20a2-478c-b51d-8a9d6d2b51d1
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/656522
Signature
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/987506b904adf02794b1c51f8b166aa4ea284454607e133ef0d5d003aba64b00/
Threat name:
Win32.Trojan.GenCBL
Create hunting rule
Status:
Malicious
First seen:
2021-03-26 10:27:27 UTC
File Type:
PE (Exe)
Extracted files:
12
AV detection:
18 of 29 (62.07%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
04c950e9fb1cf6ff2de10fd17f04191f8e938189766482ef856efa2581df8dbb
064cad19bee4580a82bc4ee3558e8510100ebba8da83720749f553cc411d5cb3
06fa1b160e322bd7710c9110b1e4e873795b5c2680b8bbe70bbaf23484533459
0953e54968ca9407a172c0a35a00d8b30ec603770809bbd2901a070e1b83b7f8
38272fb3fbcabee6980aeb4be9ae17147a7979dc415cb3cfbedc48cc298bbefa
4ce173da12efcf686dd4a7fec6678fc6c0e2cae352a3dd327bdfa478c18589e4
67b662f28ef6c6a148443ebece272e63e7eeb9d366032b4366fe459b7c5c41f8
6c131f342e8226706ba1b39cc955852b022130c14ea12bd3b3cf340bbea25bf6
7c84f12d1931043664fde0954a5af1b0e30edd8f7fcc6b33cfe298fc431baa84
7e88f1c425154e6fff6d031aaaa4d8bb4c8ff131e429f44310fd936bfc08b357
+ 572 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
persistence
Link:
https://tria.ge/reports/210329-74kmecqq82/
Behaviour
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Drops file in Program Files directory
Adds Run key to start application
Unpacked files
SH256 hash:
daabc1612f5837e1b1efa4fc4a4fd850a0ae4e534d3aeb1bfcf2ef6977a39151
MD5 hash:
3ac636725d7528425eaffe5a4da15a37
SHA1 hash:
e7281533bec2d0c8d483335990e63b5b9d682aa1
Link:
https://www.unpac.me/results/419607f1-33bb-499f-b94b-a68e78b6a31b/
SH256 hash:
987506b904adf02794b1c51f8b166aa4ea284454607e133ef0d5d003aba64b00
MD5 hash:
72bd252201771166ec7522d0534025dd
SHA1 hash:
744d0113296a443202061c81d81fdb718d6090ed
Link:
https://www.unpac.me/results/419607f1-33bb-499f-b94b-a68e78b6a31b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Jaik
Score:
0.40
Link:
https://yomi.yoroi.company/submissions/987506b904adf02794b1c51f8b166aa4ea284454607e133ef0d5d003aba64b00

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments