MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 98a511650351d4f72470d9c83a4ea479f9ba58a7ae181d8dff5ac29a1bda4977. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BandarChor

Vendor detections: 13

Intelligence 13 IOCs YARA 1 File information Comments

SHA256 hash:	98a511650351d4f72470d9c83a4ea479f9ba58a7ae181d8dff5ac29a1bda4977
SHA3-384 hash:	80bbb3c9f2d41260e229b48d78763679a727bf93740d7d022c0977107d61e25b62aad112bcd8192577589028b18ca431
SHA1 hash:	aa1be293c7ff1462344fe8631f04f932726b64e8
MD5 hash:	32f66c1fe538ec87c7f6fb43663a07fc
humanhash:	east-vermont-nevada-alanine
File name:	32F66C1FE538EC87C7F6FB43663A07FC
Download:	download sample
Signature	BandarChor Create hunting rule
File size:	403'221 bytes
First seen:	2022-11-30 15:08:06 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	34f45cc5ffd6d0836c503e99b229ebb2 (2 x BandarChor)
ssdeep	6144:rdYlZngbYYH/6NvREnLDBjOaSIIrU8eTFSKDYqjvlKd2cD8feJhOskQlu:xbV8pVBe5UeNM2cQfMhdHc
Threatray	5 similar samples on MalwareBazaar
TLSH	T12D84F1549818E5CDF46EAC7DFB82765D5A33F5352EA202E329D62DFCCDB219A0033819
TrID	27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 20.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 18.6% (.EXE) Win32 Executable (generic) (4505/5/1) 8.5% (.ICL) Windows Icons Library (generic) (2059/9) 8.3% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon	d03cfcdaccf418c1 (2 x BandarChor)
Reporter	Merlin_Azel
Tags:	BandarChor exe

Intelligence

File Origin

# of uploads :

# of downloads :

125

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

32F66C1FE538EC87C7F6FB43663A07FC

Verdict:

Malicious activity

Analysis date:

2022-12-01 01:10:38 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/f991774d-cb9a-447c-9768-6aa86f4756f3

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/340174/

Detection(s):

Win.Trojan.Agent-1356850

Result

Verdict:

Malware

Maliciousness:

Behaviour

Unauthorized injection to a recently created process

Сreating synchronization primitives

Creating a window

DNS request

Enabling autorun by creating a file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

67%

Tags:

overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/6387720e69830678d7160bb7/reports/7bdb6b87-3643-48f5-8949-c9760f01aa85/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Bandarchor

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/fa1f1782-af21-4b30-b942-e1489bef0309

Result

Threat name:

Unknown

Detection:

malicious

Classification:

rans.adwa.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1124095

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Contains functionality to inject code into remote processes

Detected suspicious e-Mail address in disassembly

Detected unpacking (changes PE section rights)

Drops PE files to the startup folder

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/98a511650351d4f72470d9c83a4ea479f9ba58a7ae181d8dff5ac29a1bda4977/

Threat name:

Win32.Ransomware.Isda

Status:

Malicious

First seen:

2015-11-15 00:58:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

25 of 25 (100.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=tcsrczidkhkpojdq3hedutveph43uwfhvymb3dp7llbjug62jf3q._file

Verdict:

malicious

BandarChor

9f11a8c899cebf82b33fb6e0b457081a4d9cbc8da214579ca3d71dced16c0471

BandarChor

c6aa7fc9c195d950bc5290cd4827019ee03a98938b6dee9f4e6101747fa69e72

BandarChor

ddd3ee4728aa61fbbb285449383ddb12e62bb0da661d281f3d5deed805dfa497

BandarChor

df06c19f1ab56d40f6c4b70c37be024abaa997eb0d55223a14a946eb47cddc4c

BandarChor

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/221130-sje61adg4w/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Drops startup file

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/a2b3ad0a-d437-4610-b14e-570964701d53

Unpacked files

SH256 hash:

902a9bf7a2d51a569e2e945fc736c1e4b9f504dc646ed9a3cf9d9c8768eef7df

MD5 hash:

382305eb9e05b8ef0d9d3c4e95ddb54c

SHA1 hash:

4d96b7219131c51a969d5e0b45238d1cc5443c9e

Link:

https://www.unpac.me/results/d2382540-80de-434c-82d7-7a0a2edf1dfc/

SH256 hash:

61ae62eabc7b025903502a7361a42ed72a91e4a2d4234cfe6e2a78d15032a2aa

MD5 hash:

ffb05b4d4e01d9dd6e94d81e15b51e49

SHA1 hash:

81b61f2aec544f20d48ac52c0f1097c2dfb6ba5b

Link:

https://www.unpac.me/results/d2382540-80de-434c-82d7-7a0a2edf1dfc/

SH256 hash:

98a511650351d4f72470d9c83a4ea479f9ba58a7ae181d8dff5ac29a1bda4977

MD5 hash:

32f66c1fe538ec87c7f6fb43663a07fc

SHA1 hash:

aa1be293c7ff1462344fe8631f04f932726b64e8

Detections:

win_coldseal_auto

Link:

https://www.unpac.me/results/d2382540-80de-434c-82d7-7a0a2edf1dfc/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.82

Link:

https://yomi.yoroi.company/submissions/98a511650351d4f72470d9c83a4ea479f9ba58a7ae181d8dff5ac29a1bda4977

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	win_coldseal_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.coldseal.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/340174/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample