MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9a72f971944fcb7a143017bc5c6c2db913bbb59f923110198ebd5a78809ea5fc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	9a72f971944fcb7a143017bc5c6c2db913bbb59f923110198ebd5a78809ea5fc
SHA3-384 hash:	75bce0e6ba18fb887b81f1518abcbde746dffbd8d6ca86bdbc4802a802ef232ad9836c46c167c09b0824d14b4945689c
SHA1 hash:	e005c58331eb7db04782fdf9089111979ce1406f
MD5 hash:	55a7aa5f0e52ba4d78c145811c830107
humanhash:	artist-comet-cola-green
File name:	iec56w4ibovnb4wc.onion_Library__ShadowHammer__Setup.bin.malw
Download:	download sample
File size:	3'333'936 bytes
First seen:	2020-03-18 22:48:31 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	a22d038fcd8e82d4cc8f31fa49212724
ssdeep	98304:QzVRcdYETHvs4d9VeL2TKvrYhBjXrToaFmWMyDnV1K+e1Fw6qtnLD7UEnBgbAZJb:HdjsmUexXrToaFmS+bFYD7UIfwyiJiKO
Threatray	154 similar samples on MalwareBazaar
TLSH	72F59E3A39A18077D6733530595DB3BAF2BDAD304D354A4B56902E3C3E344A29A2877F
Reporter	ov3rflow1
Tags:	malw

Code Signing Certificate

Organisation:	DigiCert SHA2 Assured ID Code Signing CA
Issuer:	DigiCert Assured ID Root CA
Algorithm:	sha256WithRSAEncryption
Valid from:	Oct 22 12:00:00 2013 GMT
Valid to:	Oct 22 12:00:00 2028 GMT
Serial number:	0409181B5FD5BB66755343B56F955008
Intelligence:	9 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	51044706BD237B91B89B781337E6D62656C69F0FCFFBE8E43741367948127862
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Rootkit.ShadowHammer-6935338-0

Gathering data

Threat name:

Win32.Trojan.ShadowHammer

Status:

Malicious

First seen:

2018-10-19 16:27:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

26 of 31 (83.87%)

Threat level:

5/5

Verdict:

malicious

3a2ffd78111d04ce8986e867c0ed71f258e814b302868faa887fa6138cfb8827

3f254c62ad02f051ac2112f3aa92cb537f95d7de0d3c80ba5c42dc3a8a79090e

4118da509f4aace1799d5880924a4101d8ed8ee746e0a03a7f47f3cec76eaf58

5bd66c88148005029d20c92e1d793f8d41f47a273a9334f9a85ec31148d0b040

a6e6d01862c62f53c73f50d34e5209d51100244389a6fbc0f5863d59154582af

aa0b542cfde007f858cd18f0b3a104ccaa6c401c26e908829aed144e13471f20

c7a24df45e43686f1331c01a5c77ca492924482e29099e778fdee153e88d8363

cff7986462a1035c053de4021e2a59ff8de076b7843137354f871084eaa60f9e

eb55844a34109790b370caba8afbcafb1fd52d0575b7c031cf21a0ff74f7bbc1

+ 144 additional samples on MalwareBazaar

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Unknown

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9a72f971944fcb7a143017bc5c6c2db913bbb59f923110198ebd5a78809ea5fc

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_TRUST_INFO	Requires Elevated Execution (level:requireAdministrator)	high

Reviews

ID	Capabilities	Evidence
AUTH_API	Manipulates User Authorization	ADVAPI32.dll::AllocateAndInitializeSid ADVAPI32.dll::FreeSid ADVAPI32.dll::GetLengthSid ADVAPI32.dll::InitializeAcl ADVAPI32.dll::InitializeSecurityDescriptor
COM_BASE_API	Can Download & Execute components	ole32.dll::CoCreateInstance ole32.dll::CoInitializeSecurity ole32.dll::CreateStreamOnHGlobal
GDI_PLUS_API	Interfaces with Graphics	gdiplus.dll::GdiplusStartup gdiplus.dll::GdiplusShutdown gdiplus.dll::GdipDeleteGraphics gdiplus.dll::GdipAlloc gdiplus.dll::GdipCreateFromHDC
MULTIMEDIA_API	Can Play Multimedia	WINMM.dll::PlaySoundW
SECURITY_BASE_API	Uses Security Base API	ADVAPI32.dll::AddAccessAllowedAce ADVAPI32.dll::AdjustTokenPrivileges ADVAPI32.dll::GetTokenInformation ADVAPI32.dll::SetFileSecurityW ADVAPI32.dll::SetSecurityDescriptorDacl ADVAPI32.dll::SetSecurityDescriptorOwner
SHELL_API	Manipulates System Shell	SHELL32.dll::ShellExecuteW SHELL32.dll::ShellExecuteExW SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::OpenProcess ADVAPI32.dll::OpenProcessToken KERNEL32.dll::CloseHandle KERNEL32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryW KERNEL32.dll::GetVolumeInformationW KERNEL32.dll::GetSystemInfo KERNEL32.dll::GetStartupInfoW KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::WriteConsoleW KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleMode KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CopyFileW KERNEL32.dll::CreateFileW KERNEL32.dll::DeleteFileW SHLWAPI.dll::PathRemoveFileSpecW KERNEL32.dll::GetWindowsDirectoryW KERNEL32.dll::GetFileAttributesW
WIN_BASE_USER_API	Retrieves Account Information	ADVAPI32.dll::LookupAccountNameW ADVAPI32.dll::LookupAccountSidW ADVAPI32.dll::LookupPrivilegeValueW
WIN_REG_API	Can Manipulate Windows Registry	ADVAPI32.dll::RegCreateKeyExW ADVAPI32.dll::RegDeleteKeyW ADVAPI32.dll::RegOpenKeyExW ADVAPI32.dll::RegQueryValueExW ADVAPI32.dll::RegQueryValueW ADVAPI32.dll::RegSetValueExW
WIN_USER_API	Performs GUI Actions	USER32.dll::AppendMenuW USER32.dll::CreateMenu ole32.dll::OleCreateMenuDescriptor USER32.dll::EmptyClipboard USER32.dll::OpenClipboard USER32.dll::PeekMessageW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample