MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a9524141feab182697ee45965c0d91577eb32f4c9252160b1b50be3ed9b000e2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a9524141feab182697ee45965c0d91577eb32f4c9252160b1b50be3ed9b000e2
SHA3-384 hash: 20121f0160bd1cc6dc7cea34353f21609b46c7f1ef038323fff6650f3f09ab15d4b30ac4b2dd2382866d45571e207318
SHA1 hash: 5fcc96f9ecb5230c02c2fc2bc368d06352a944b1
MD5 hash: 275e8545b0fdb6c7acef45aa6e109685
humanhash: mockingbird-eleven-kitten-equal
File name:275e8545b0fdb6c7acef45aa6e109685.dll
Download: download sample
File size:2'721'732 bytes
First seen:2021-08-21 19:43:20 UTC
Last seen:2021-08-21 21:06:08 UTC
File type:DLL dll
MIME type:application/x-dosexec
ssdeep 24576:q01GaJxve1E8pkCLLe/K43EnnnclQwIqJY0OjklWXQMFBRpm4L/59ah0USm3uwl2:q0ckvuV/59a6USdi9Ues6bV6bn
Threatray 78 similar samples on MalwareBazaar
TLSH T1B2C5395179EA4098B07178EB7ED4AF658919AF7D3F092D3E309033468EF1746BC0AB61
Reporter abuse_ch
Tags:dll

Intelligence

File Origin
# of uploads :
2
# of downloads :
95
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/181106/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.37245881.31547.28802.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
CinaRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2e393dd2-2c8e-4c8d-9484-427512680005
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/836834
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 469264 Sample: LGNDjyJV7g.dll Startdate: 21/08/2021 Architecture: WINDOWS Score: 56 34 Multi AV Scanner detection for submitted file 2->34 36 .NET source code contains method to dynamically call methods (often used by packers) 2->36 38 .NET source code references suspicious native API functions 2->38 14 loaddll32.exe 1 2->14         started        process3 process4 16 cmd.exe 1 14->16         started        process5 18 rundll32.exe 16->18         started        process6 20 rundll32.exe 18->20         started        process7 22 rundll32.exe 20->22         started        process8 24 rundll32.exe 22->24         started        process9 26 rundll32.exe 24->26         started        process10 28 rundll32.exe 26->28         started        process11 30 rundll32.exe 28->30         started        process12 32 rundll32.exe 30->32         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a9524141feab182697ee45965c0d91577eb32f4c9252160b1b50be3ed9b000e2/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-08-21 18:01:11 UTC
AV detection:
12 of 46 (26.09%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
2eb37b1a65e93d5619e44bb3734b321c97f195a6d079386194a84a5a1617c2dc
556c6ec49b714eb7bf9b3d816fd18a8962fb6be756224aa4cf8614e5bd7f0738
6c3a2575d3325e7a0f520a5fefa0384855980461683e6c7463debbd668ab3258
8bcc9ea07aa49b1c774327cb2fffaea269806805538b40aa8b7d2a89b8cfbca8
b4a9350c9b97dd32fe445e00e8d9501279e5845351609c6cd715def5ca98e404
ceb9cf440fc521f09a503e90889acb7f51b4c39ce8a8c4d37dd8304fca2db4ce
d1fa4207d7c46c5f84b1c45e7b5d09aa9c99c896b0e25664bee3b13fcaabcfad
dc6aaf7acf8b088dd2f0a3cbffd5ae7e56ed1680aeccb2ff7eecb9d56796cf68
f5fd82f7f599b1ed477a6f66388cbe0f2beec9fc28e83d35105cd3222a85d5ab
f60f2206408f200da52f4cb7f8535e12450e94fb0b96f513509b3ccc10fe9b2f
+ 68 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/210821-rfk57bv796/
Behaviour
Suspicious use of WriteProcessMemory
Unpacked files
SH256 hash:
a9524141feab182697ee45965c0d91577eb32f4c9252160b1b50be3ed9b000e2
MD5 hash:
275e8545b0fdb6c7acef45aa6e109685
SHA1 hash:
5fcc96f9ecb5230c02c2fc2bc368d06352a944b1
Link:
https://www.unpac.me/results/7a4c18a6-497f-404b-afab-17210453f3d7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.14
Link:
https://yomi.yoroi.company/submissions/a9524141feab182697ee45965c0d91577eb32f4c9252160b1b50be3ed9b000e2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DLL dll a9524141feab182697ee45965c0d91577eb32f4c9252160b1b50be3ed9b000e2

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1307073/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/181106/

Comments