MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a9da850395755704d33ff8c4c5f469dfcbcec9f373a5cf5b0b3290dff2a5c43f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 12

Intelligence 12 IOCs YARA 2 File information Comments

SHA256 hash:	a9da850395755704d33ff8c4c5f469dfcbcec9f373a5cf5b0b3290dff2a5c43f
SHA3-384 hash:	dc457b792c48a589230f5f03b518c7fa4e8a36dcb8ac38b6334b984aac4e556ecc0d8160c70fd7747958bcef707e7527
SHA1 hash:	2be04de26aaa128616e8e276c1fceea980521222
MD5 hash:	02ba166aaa48dc532b6926192d109850
humanhash:	fish-grey-louisiana-ten
File name:	payload.bin.exe
Download:	download sample
File size:	732'160 bytes
First seen:	2023-07-15 13:40:23 UTC
Last seen:	2023-07-15 13:41:47 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	23cfbb9020bf007a80e407e0db4e8430
ssdeep	12288:Y26DrBWy9HfVwZNWO6psn0Rb+iC+oEa+TsW1UzANagI5cH3e0:osIirXjn0RdssAANan5Qb
Threatray	301 similar samples on MalwareBazaar
TLSH	T17FF4E19861804B1AFA398B700527E7FA1D1DDD362644F0AEEF5978FB90B09C36412E5F
TrID	37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 12.7% (.EXE) Win64 Executable (generic) (10523/12/4) 7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):
dhash icon	818da080a0a0a0a2 (137 x Heodo, 46 x Urelas, 12 x Rhadamanthys)
Reporter	billthebadboy
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

237

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

payload.exe

Verdict:

Malicious activity

Analysis date:

2018-10-04 10:59:40 UTC

Tags:

trojan

Link:

https://app.any.run/tasks/d504ff26-fbd8-4d66-9060-799703353bb1

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/420479/

Detection(s):

PUA.Win.Packer.BorlandDelphiKo-1

Win.Trojan.Belesak-1

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a file in the %temp% directory

Creating a process from a recently created file

Moving a file to the %temp% directory

Moving of the original file

Rewriting of the hard drive's master boot record

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-vm masquerade packed

Link:

https://www.filescan.io/uploads/64b2a1eff52c3e1a01495a84/reports/50f503ef-da18-4768-9630-de58cc239061/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/a9da850395755704d33ff8c4c5f469dfcbcec9f373a5cf5b0b3290dff2a5c43f

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/67309265-062b-4558-958a-71c12ab98752

Result

Threat name:

n/a

Detection:

malicious

Classification:

evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/1273588

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Contains functionality to infect the boot sector

Hides threads from debuggers

Infects the boot sector of the hard disk

Machine Learning detection for dropped file

Machine Learning detection for sample

Moves itself to temp directory

Multi AV Scanner detection for submitted file

Tries to evade debugger and weak emulator (self modifying code)

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a9da850395755704d33ff8c4c5f469dfcbcec9f373a5cf5b0b3290dff2a5c43f/

Threat name:

Win32.Trojan.Meredrop

Status:

Malicious

First seen:

2012-08-28 15:30:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

27 of 38 (71.05%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vhnika4vovlqjuz77dcml5dj37f45sptoos46wylgkin74vfyq7q._file

Verdict:

malicious

64d1d03c3378be695f30daea3877b732f662fc453dcd03af0f7990467c698a8f

68c1f88ca465c2a423a823c58fa157936edbbe9583ccfb6f4276a51f98921691

6c519c5931abd91d5bd467740f3f87bcdb180c599e12ce1d16679943e2117889

c8ac98c4e43e4290cdaefce51ebf9165143c31d3fbce0f9f80cf5a3258058c4a

ea10f282be1864ccfe204fcba69fea1b172213a5dc114ef46c629a1ea98c8c24

fd19241e3dbb2519f4f10b8e415e5dee056a7f2894bd7b0e7000a544147caf0a

+ 291 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

bootkit persistence

Link:

https://tria.ge/reports/230715-qy359sbg6z/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

Program crash

Drops file in Windows directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Writes to the Master Boot Record (MBR)

Checks BIOS information in registry

Executes dropped EXE

Loads dropped DLL

Unpacked files

SH256 hash:

a9da850395755704d33ff8c4c5f469dfcbcec9f373a5cf5b0b3290dff2a5c43f

MD5 hash:

02ba166aaa48dc532b6926192d109850

SHA1 hash:

2be04de26aaa128616e8e276c1fceea980521222

Link:

https://www.unpac.me/results/c0732eea-b14f-4a7d-9a9f-7d5d6438c9ab/

Malware family:

FinFisher

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/a9da85039575/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a9da850395755704d33ff8c4c5f469dfcbcec9f373a5cf5b0b3290dff2a5c43f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/420479/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample