MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9ca0776e3c226e4ebb4c8c08ea750e6dbc22e447dea68e1e8795b5d5691472c0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 3


Intelligence 3 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9ca0776e3c226e4ebb4c8c08ea750e6dbc22e447dea68e1e8795b5d5691472c0
SHA3-384 hash: 9b58c7c253798af5b714d0ce38712c4305cf1c8d1ef4f4c8551a209f46577e30b22861b03e3800c4da12f4fd1e36005f
SHA1 hash: 854c7ef9e0c541dce0df6a9aea7568207046511e
MD5 hash: fb2dc7eccfa938149161caf3c7c16b58
humanhash: bulldog-mobile-stream-rugby
File name:9ca0776e3c226e4ebb4c8c08ea750e6dbc22e447dea68e1e8795b5d5691472c0
Download: download sample
File size:525'312 bytes
First seen:2020-03-27 01:18:54 UTC
Last seen:2020-03-27 02:48:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 85561b2e917de65a78f9c5ee23713b1b
ssdeep 12288:naaL/TQWJagCvpaUuRlVo8LPdWZ/59+TOUIHO1hm6a5dWVP1gND:aaTQskaRRlVf0/jm1hJidWxQ
Threatray 1 similar samples on MalwareBazaar
TLSH 7FB433F339EA48F9F9FB407FE92A5095655C643A7B4B3A38708DC71E12788BD40B0469
Reporter Marco_Ramilli
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
101
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.Upx-49
Create hunting rule

PUA.Win.Packer.UpxProtector-1
Create hunting rule

PUA.Win.Packer.Upolyx-12
Create hunting rule

PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Delshad
Create hunting rule
Status:
Malicious
First seen:
2020-03-12 13:57:23 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
27 of 31 (87.10%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
581122114ad28f404b2cc4f8df5d77b6ed447f8f26f862960bb0181776bfacd9
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
NET_SHARE_APICan access Network ShareNETAPI32.dll::NetShareEnum
WIN_BASE_APIUses Win Base APIKERNEL32.DLL::LoadLibraryA

Comments