MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9f270ac39c512c05aeb9e502738dbbc438a6f95596ec041333b7ae7e334e9c2b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 5

Intelligence 5 IOCs YARA 5 File information Comments

SHA256 hash:	9f270ac39c512c05aeb9e502738dbbc438a6f95596ec041333b7ae7e334e9c2b
SHA3-384 hash:	89f5a7a97bc9037cfadb2c4cdb908f8825f96be536716e78eb819e5ffcd07dbdaf54211aa5fd98f6471f590d02df19dd
SHA1 hash:	2f82c98c97bccafd8144d9cbdf26f1ee2d66f3d7
MD5 hash:	24992f26d5a91f1d5857a13db6439b8f
humanhash:	muppet-kilo-hotel-north
File name:	24992f26d5a91f1d5857a13db6439b8f.exe
Download:	download sample
File size:	1'949'168 bytes
First seen:	2021-03-19 07:40:05 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	a781462b9ac82bb340f6d3cc965c6b76
ssdeep	49152:kFircU7rxdytOXGROPMACuCGrHJVTPuItXMGVWOn5Rcn:ksf7rxdyY2OEMCarltVf54
Threatray	665 similar samples on MalwareBazaar
TLSH	D795331EC7941C68F857F7321462F573A702BD804B899BAC161EB18E6EFE351034AB5E
Reporter	abuse_ch
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

122

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

24992f26d5a91f1d5857a13db6439b8f.exe

Verdict:

No threats detected

Analysis date:

2021-03-19 07:43:17 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/e6ad5ffc-6044-4e6e-a76c-c031250bcb78

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/125592/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.36530824.18667.23891.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for analyzing tools

Searching for the window

Creating a window

DNS request

Sending a custom TCP request

Creating a file

Creating a file in the %AppData% directory

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/914ecb02-3e27-4550-9c4e-5e73934564d6

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/645785

Signature

Creates HTML files with .exe extension (expired dropper behavior)

Detected unpacking (changes PE section rights)

Hides threads from debuggers

Multi AV Scanner detection for submitted file

PE file contains section with special chars

Query firmware table information (likely to detect VMs)

Sample or dropped binary is a compiled AutoHotkey binary

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9f270ac39c512c05aeb9e502738dbbc438a6f95596ec041333b7ae7e334e9c2b/

Threat name:

Win64.Dropper.Dapato

Status:

Malicious

First seen:

2021-03-18 19:22:04 UTC

AV detection:

11 of 28 (39.29%)

Threat level:

3/5

Verdict:

unknown

0982c38ddad347ce0ff426106db78f3e51b723d7d90308a970ef43ef84fc8d75

0ebab35c1d6c8bdfc810aa740f9038ce35e578d294c70df70686a3a3082d8332

593f9422a79559ab792b98a272ebd5db883b8a85f34de6a6f05f1c900b221dc5

61a70fdae6040d08c4f66f5d5ba95aba1987cda5e4715903696c3139a33d8e05

778c5c85b7aeb0db2367daa8d4e15869330801058c8ee5e9c77fd0c890ac5afc

be41dee9f9b806f5932a9ed56c841d884f4d7f8dafcdd20b4debfe82cc4898d4

c3a2aedb10f9b59ecfc94aafcc041c885727f5f34d1db8bb9ff41cd910ef4eab

ccea3ec883dbebf01bf405a8191e375dcdad2ab03b4601bd34b5261a3acf3fea

ef9b7f99346ac5307323163c42c1c5d1e63143287677c551db77403165346d96

+ 655 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

9/10

Tags:

evasion themida trojan

Link:

https://tria.ge/reports/210319-hp342r4gan/

Behaviour

Suspicious behavior: GetForegroundWindowSpam

Enumerates physical storage devices

Suspicious use of NtSetInformationThreadHideFromDebugger

Checks whether UAC is enabled

Legitimate hosting services abused for malware hosting/C2

Checks BIOS information in registry

themida

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Unpacked files

SH256 hash:

9f270ac39c512c05aeb9e502738dbbc438a6f95596ec041333b7ae7e334e9c2b

MD5 hash:

24992f26d5a91f1d5857a13db6439b8f

SHA1 hash:

2f82c98c97bccafd8144d9cbdf26f1ee2d66f3d7

Link:

https://www.unpac.me/results/cece774e-1661-4e2e-ada6-ab3c71cae802/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.44

Link:

https://yomi.yoroi.company/submissions/9f270ac39c512c05aeb9e502738dbbc438a6f95596ec041333b7ae7e334e9c2b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AutoIT_Compiled Create hunting rule
Author:	@bartblaze
Description:	Identifies compiled AutoIT script (as EXE).

Rule name:	INDICATOR_EXE_Packed_MPress Create hunting rule
Author:	ditekSHen
Description:	Detects executables built or packed with MPress PE compressor

Rule name:	INDICATOR_EXE_Packed_Themida Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with Themida

Rule name:	INDICATOR_SUSPICIOUS_AHK_Downloader Create hunting rule
Author:	ditekSHen
Description:	Detects AutoHotKey binaries acting as second stage droppers

Rule name:	suspicious_packer_section Create hunting rule
Author:	@j0sm1
Description:	The packer/protector section names/keywords
Reference:	http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/