MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9d7f7c72370ec20ffa8d25341c1e94626785feb7e964005feb8a474894cfd32a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown
Vendor detections: 6

SHA256 hash: 9d7f7c72370ec20ffa8d25341c1e94626785feb7e964005feb8a474894cfd32a
SHA3-384 hash: 11b14b429894c1fb9399a5a2ab1c1b39082188a4b367ed199c3a4823e3a819d520ff56765eae440293cd75b22a46f1cd
SHA1 hash: 001100a7b24c44d699d5d21711149470e52e0488
MD5 hash: 4c9b22390a80767e5703559caff03bdd
humanhash: blue-montana-lima-social
File name: 9d7f7c72370ec20ffa8d25341c1e94626785feb7e964005feb8a474894cfd32a
File size: 16'312 bytes
First seen: 2021-08-05 09:29:44 UTC
Last seen: 2021-08-05 11:19:47 UTC
File type: DLL
MIME type: application/x-dosexec
imphash: 1dcdb5550f0e3d7e686b361f67a1f2d8 (also seen on 1 x RedLineStealer, 1 x CobaltStrike, 1 x BitRAT)
ssdeep: 192:Nx3j+vEMbdJkwKdEQs6JH5OhLLxTGdeGzFRl6WKpPIKfhig1/C5cEWXSaAg2Mf3z:jab6JHwRT8TvapwKNsenvazs
Threatray: 147 similar samples on MalwareBazaar
TLSH: T1A9728D3B1B381461DE4D4CB9E0C84AA21D707B70AF89406392FAC44E8E957F5677C32B
Reporter: JAMESWT_WT
Tags: 193.56.146.99, dll, signed, Sistema LLC
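Before doing anything with the download, confirm that the file you extracted is the one this entry describes. The Python script below is an added example, not MalwareBazaar's own tooling: it streams a file once through all four digests listed above (SHA256, SHA3-384, SHA1, MD5) and reports which record values the file does not reproduce. The digest values are copied from this entry; the file path and the empty-input fallback are placeholders, since the sample bytes are not on this page.

```python
"""Verify a downloaded sample against the digests of a MalwareBazaar entry.

Added example; not part of MalwareBazaar. RECORD holds the hashes shown on
this page. The sample itself is not on the page, so the caller supplies a
path (or bytes); the empty-input fallback in __main__ is a placeholder.
"""
import hashlib
import io
from typing import BinaryIO, Dict, List

# Digests copied from this entry (lowercase hex). Keys are hashlib names.
RECORD: Dict[str, str] = {
    "sha256": "9d7f7c72370ec20ffa8d25341c1e94626785feb7e964005feb8a474894cfd32a",
    "sha3_384": "11b14b429894c1fb9399a5a2ab1c1b39082188a4b367ed199c3a4823e3a819d520ff56765eae440293cd75b22a46f1cd",
    "sha1": "001100a7b24c44d699d5d21711149470e52e0488",
    "md5": "4c9b22390a80767e5703559caff03bdd",
}


def digest_stream(stream: BinaryIO, algorithms=tuple(RECORD)) -> Dict[str, str]:
    """Read the stream once and feed every chunk to every algorithm."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: stream.read(1 << 20), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_bytes(data: bytes) -> Dict[str, str]:
    return digest_stream(io.BytesIO(data))


def digest_file(path: str) -> Dict[str, str]:
    with open(path, "rb") as f:
        return digest_stream(f)


def mismatches(computed: Dict[str, str], record: Dict[str, str]) -> List[str]:
    """Names of the record's digests that the computed values do not reproduce.

    Every algorithm is checked, not just SHA256: a lone MD5 or SHA1 mismatch
    next to a matching SHA256 points at a transcription error in the record
    (or a deliberately colliding file), which is worth knowing about.
    """
    return [name for name in record
            if computed.get(name, "").lower() != record[name].lower()]


def verify_file(path: str, record: Dict[str, str] = RECORD) -> bool:
    """True only if the file reproduces every digest in the record."""
    return not mismatches(digest_file(path), record)


if __name__ == "__main__":
    import sys
    # Placeholder: hash the path given on the command line, else empty input.
    computed = digest_file(sys.argv[1]) if len(sys.argv) > 1 else digest_bytes(b"")
    bad = mismatches(computed, RECORD)
    print("all digests match the entry" if not bad else "MISMATCH on: " + ", ".join(bad))
```

MalwareBazaar hands samples out inside a password-protected ZIP, so run this against the extracted DLL, not the archive; a mismatch on every algorithm usually means exactly that mistake.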

Code Signing Certificate

Organisation: Sistema LLC
Issuer: Sectigo Public Code Signing CA R36
Algorithm: sha384WithRSAEncryption
Valid from: 2021-07-28T00:00:00Z
Valid to: 2022-07-28T23:59:59Z
Serial number: cfad6be1d823b4eacb803b720f525a7d
Thumbprint algorithm: SHA256
Thumbprint: 90203fdd6baba51724d0b70e23557a266683ba9fa0fa86d4517df6d30c54fd41
Source: ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 2
# of downloads: 104
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour:
DNS request
Sending a UDP request

Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 64 / 100
Signature:
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Rundll32 performs DNS lookup (likely malicious behavior)
System process connects to network (likely due to code injection or exploit)
Behaviour
Behavior Graph ID 460208 (sample cBz6e42P5Q, start date 05/08/2021, architecture WINDOWS, score 64; sample-level signatures: Multi AV Scanner detection for submitted file, Machine Learning detection for sample). Process tree and network contacts as drawn in the graph:
loaddll32.exe
    rundll32.exe -> DNS: mw.warnerproductions.com [System process connects to network (likely due to code injection or exploit); Rundll32 performs DNS lookup (likely malicious behavior)]
    cmd.exe
        rundll32.exe -> DNS: mw.warnerproductions.com
    rundll32.exe -> DNS: mw.warnerproductions.com; IP: 192.168.2.1 (unknown)

Threat name: Win32.Trojan.Mukeralmoh
Status: Malicious
First seen: 2021-08-04 19:45:31 UTC
File Type: PE (Dll)
AV detection: 17 of 46 (36.96%)
Threat level: 5/5

Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour:
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Unpacked files:
SHA256 hash: 9d7f7c72370ec20ffa8d25341c1e94626785feb7e964005feb8a474894cfd32a
MD5 hash: 4c9b22390a80767e5703559caff03bdd
SHA1 hash: 001100a7b24c44d699d5d21711149470e52e0488
Please note that we are no longer able to provide a coverage score for Virus Total.
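The two network signatures reported above (Rundll32 performs DNS lookup; System process connects to network) translate directly into endpoint telemetry checks. The Python below is an added example, not code from MalwareBazaar or from any vendor on this page: it replays Sysmon-style events through two rules, rundll32.exe issuing a DNS query (Event ID 22), and any process resolving or connecting to an indicator taken from this entry (mw.warnerproductions.com from the behavior graph, 193.56.146.99 from the tags) via Event ID 22 or Event ID 3. Field names follow Sysmon's schema; the events themselves are constructed for the demo, not captured from the sample.

```python
"""Hunt for this entry's network behaviour in Sysmon telemetry.

Added example, not code from MalwareBazaar or from any vendor listed on
this page. Two checks run over Sysmon-style events:
  1. rundll32.exe issuing a DNS query (Event ID 22), matching the vendor
     signature "Rundll32 performs DNS lookup";
  2. any process resolving or connecting to an indicator from this entry,
     via Event ID 22 (DnsQuery) or Event ID 3 (NetworkConnect).
SAMPLE_EVENTS is constructed for the demo and was not captured from the sample.
"""
import json
from pathlib import PureWindowsPath
from typing import Dict, Iterable, List

# Indicators taken from this entry. 192.168.2.1, which also appears in the
# behavior graph, is a private (RFC 1918) address and almost certainly the
# sandbox gateway, so it is deliberately NOT treated as an indicator.
IOC_DOMAINS = {"mw.warnerproductions.com"}
IOC_IPS = {"193.56.146.99"}

# Constructed Sysmon events as JSON lines (NOT real telemetry). Backslashes
# are doubled for JSON; the raw string keeps them intact.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\loaddll32.exe", "CommandLine": "loaddll32.exe sample.dll"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\rundll32.exe", "ParentImage": "C:\\Windows\\System32\\loaddll32.exe", "CommandLine": "rundll32.exe sample.dll,#1"}
{"EventID": 22, "Image": "C:\\Windows\\System32\\rundll32.exe", "QueryName": "mw.warnerproductions.com", "QueryStatus": "0"}
{"EventID": 22, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "QueryName": "example.org", "QueryStatus": "0"}
{"EventID": 3, "Image": "C:\\Windows\\System32\\rundll32.exe", "DestinationIp": "193.56.146.99", "DestinationPort": 443, "Protocol": "tcp"}
{"EventID": 3, "Image": "C:\\Windows\\System32\\svchost.exe", "DestinationIp": "192.168.2.1", "DestinationPort": 53, "Protocol": "udp"}
"""


def image_name(event: Dict) -> str:
    """Lower-cased base name of the process image; parses Windows paths on any OS."""
    return PureWindowsPath(event.get("Image", "")).name.lower()


def rundll32_dns_lookup(event: Dict) -> bool:
    """Rule 1: rundll32.exe resolved a name. A hunting lead, not proof on its
    own, because rundll32 hosting a legitimate DLL can resolve names too."""
    return event.get("EventID") == 22 and image_name(event) == "rundll32.exe"


def touches_ioc(event: Dict) -> bool:
    """Rule 2: the event names an indicator from this entry."""
    if event.get("EventID") == 22:
        return event.get("QueryName", "").lower() in IOC_DOMAINS
    if event.get("EventID") == 3:
        return event.get("DestinationIp") in IOC_IPS
    return False


def hunt(lines: Iterable[str]) -> List[Dict]:
    """Return one hit per matching event, with every rule it tripped."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        reasons = []
        if rundll32_dns_lookup(event):
            reasons.append("rundll32_dns_lookup")
        if touches_ioc(event):
            reasons.append("known_ioc")
        if reasons:
            hits.append({
                "event_id": event["EventID"],
                "image": image_name(event),
                "target": event.get("QueryName") or event.get("DestinationIp"),
                "reasons": reasons,
            })
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS.splitlines()):
        print(hit)
```

Real exports (EVTX-to-JSON converters, log shippers) usually nest these fields under EventData/System, so adjust the accessors before pointing this at production data; the rules themselves stay the same. Note that the IOC rule is exact-match on the domain and IP from this one entry, which is how pivots from a MalwareBazaar record normally start, and that the generic "system process connects to network" signature needs a baseline of which system processes talk on your network, which this example does not attempt.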

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments