MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a03f927003cc418724452aa9b8ef35101034ce5c2b0b88cc1b6f2162937573a1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 4

Intelligence 4 IOCs YARA 3 File information Comments

SHA256 hash:	a03f927003cc418724452aa9b8ef35101034ce5c2b0b88cc1b6f2162937573a1
SHA3-384 hash:	3b769183aec3387f6275d98c1d07f13a70270eacc4eff009bca5c4be0d7784a4308191ddff39477056b01e7985049bbc
SHA1 hash:	d660ab015f8d1682ded84add189cb2914b465b9d
MD5 hash:	be32988a7b6af62918aef6c947d6e86a
humanhash:	lactose-mockingbird-spring-alaska
File name:	be32988a_by_Libranalysis
Download:	download sample
File size:	2'526'920 bytes
First seen:	2021-05-05 09:06:32 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	67533f79a87f4ce08c671dedbb7cb801 (1 x Autorun)
ssdeep	49152:awi0L0qe5W/W5W/f5W/45W/+0g7mM+M6RkMkIM7I067/5W/B0g7mM+M6RkMkIM7W:Fi0M5WO5WH5Ww5WbM+M6RkMkIM7e5WAl
Threatray	10 similar samples on MalwareBazaar
TLSH	09C5CF41F3C1F4AAD4A906700A77E770066BBC655C185B1F73A8F65E6C30287A93AF1B
Reporter	Libranalysis

Libranalysis

Uploaded as part of the sample sharing project

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/150189/

Detection(s):

PUA.Win.Packer.Asprotect-3

PUA.Win.Packer.Aspack-29

PUA.Win.Packer.Aspack-30

Win.Dropper.Stone-9856966-0

Win.Dropper.Stone-9856997-0

Win.Dropper.Stone-9856998-0

Win.Trojan.Autorun-10697

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the Windows subdirectories

Creating a process from a recently created file

Creating a process with a hidden window

Creating a file in the %temp% directory

Enabling the 'hidden' option for recently created files

Replacing system executable files

Creating a file in the Program Files subdirectories

Modifying an executable file

Searching for the window

Creating a file

Replacing files

Deleting a recently created file

Replacing executable files

Infecting executable files

Enabling autorun

Enabling a "Do not show hidden files" option

Enabling autorun by creating a file

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a03f927003cc418724452aa9b8ef35101034ce5c2b0b88cc1b6f2162937573a1/

Threat name:

Win32.Worm.Stihat

Status:

Malicious

First seen:

2020-05-03 16:18:59 UTC

AV detection:

30 of 31 (96.77%)

Threat level:

5/5

Verdict:

suspicious

19e260f3f8e21a501e0bc8b6e5285da663cb0284f453891e78a5d2f28fec1ee4

288a42b03d1409ee289b7aa0896150467dc850fc56661c12d850114acaf88363

5553a7b6943f4c1435ec14ecb41b95029d6f2a94f7f415f660c14bd8b68ab7f9

6c3a2a15b41eb56729d6682230dbdde331e5f6cd7950aee950233475bebaad99

6cc037e6cfc78eecd49983911b948548c87af9c2c4525977249e78464aadba06

a5d757f0c6bdf80b0d483bdc417c7f14857c9e4c72ac39d3b04d5babf20d807a

c5fd02008e86c06d74e74208f75e34a6c32afd3992530f048c7da755fd06c214

cca7c0b4a9e6f5543134bdaf98b3cd09f906c2e902edaa69e7d74343b72e7a49

e8a55bf735e18a15e63ccefeb94b2d4e840c8e5cce62a346467f02a17c9a6aab

Result

Malware family:

n/a

Score:

10/10

Tags:

aspackv2 persistence

Link:

https://tria.ge/reports/210505-1xn2c2b2vj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in Program Files directory

Drops autorun.inf file

Drops file in System32 directory

Enumerates connected drives

Drops startup file

Loads dropped DLL

ASPack v2.12-2.42

Executes dropped EXE

Modifies WinLogon for persistence

Unpacked files

SH256 hash:

a03f927003cc418724452aa9b8ef35101034ce5c2b0b88cc1b6f2162937573a1

MD5 hash:

be32988a7b6af62918aef6c947d6e86a

SHA1 hash:

d660ab015f8d1682ded84add189cb2914b465b9d

Link:

https://www.unpac.me/results/09db44b6-7e87-449c-ab2d-bab30710c3e7/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_ASPack Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with ASPack

Rule name:	RemoteStrings Create hunting rule
Author:	Katie Kleemola
Description:	indicators for remote.dll - surtr stage 2

Rule name:	suspicious_packer_section Create hunting rule
Author:	@j0sm1
Description:	The packer/protector section names/keywords
Reference:	http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/150189/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample