MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aaf4fe2b9156b1b9372507b031bbab5c49f893fe652ea9d8729da31a1303153e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 3

SHA256 hash: aaf4fe2b9156b1b9372507b031bbab5c49f893fe652ea9d8729da31a1303153e
SHA3-384 hash: 2cc86fdead3b35707af9133386d61f7329768a6279566bba4eabf87d1979ed3631e01ce66ce92fd03eb2ad7c5ca23681
SHA1 hash: d33de30c6083ac2d63be514b3d41a40bde1580f6
MD5 hash: 6a94e722a736eeabd2ba6f74124e593a
humanhash: fillet-table-undress-july
File name: 8900bde76eb764f75b27ca2157a52b03
File size: 1'554'064 bytes
First seen: 2020-11-17 12:43:30 UTC
Last seen: Never
File type: Executable (exe)
MIME type: application/x-dosexec
imphash: 884310b1928934402ea6fec1dbd3cf5e (shared with 3'725 GCleaner, 3'510 Socks5Systemz and 262 RaccoonStealer samples)
ssdeep: 24576:gMphTYyZLS80MBTdKUC4uAqQrV5Zxy99MBRnFGWwmAQH7UJVezCpyAsgZNugux2h:gq9YyVfuA00kYAOITeQRbrvq2TdbICF
Threatray: 11 similar samples on MalwareBazaar
TLSH: D875332278542DB7F422DE79A73AE65446B33C320C76F34071ED460EBB8A5619E0F366
Reporter: seifreed
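
The indicators above are only useful if you can compute the same digests locally. The script below is an added example, not MalwareBazaar's own tooling: it computes the four hashlib digests listed for this entry and reports which ones match, and it also shows how an imphash is derived from an import table (lower-cased module name with a trailing .dll/.ocx/.sys removed, "module.function" per import, comma-joined in table order, MD5), which is why a single imphash such as 884310b1... can cover thousands of samples from unrelated families that share the same installer stub. The import list at the bottom is constructed for illustration and is not this sample's import table; resolving ordinal imports to names (which pefile does for a few well-known modules) is deliberately omitted.

```python
"""Added example (not MalwareBazaar code): check a file's digests against the
indicators listed above, and show how an imphash is derived from an import
table.

Assumptions: DEMO_IMPORTS is constructed for illustration and is not the
import table of the sample on this page; ordinal imports are not resolved
to names (pefile does that for a few modules), only named imports are handled.
"""
import hashlib

# Indicators copied from the entry above, lower-case hex.
ENTRY_IOCS = {
    "md5": "6a94e722a736eeabd2ba6f74124e593a",
    "sha1": "d33de30c6083ac2d63be514b3d41a40bde1580f6",
    "sha256": "aaf4fe2b9156b1b9372507b031bbab5c49f893fe652ea9d8729da31a1303153e",
    "sha3_384": "2cc86fdead3b35707af9133386d61f7329768a6279566bba4eabf87d1979ed3631e01ce66ce92fd03eb2ad7c5ca23681",
    "imphash": "884310b1928934402ea6fec1dbd3cf5e",
}


def file_hashes(data: bytes) -> dict:
    """The four hashlib digests the entry lists, keyed like ENTRY_IOCS."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
    }


def match_entry(hashes: dict, iocs: dict = ENTRY_IOCS) -> set:
    """Names of the digest types whose value equals this entry's indicator."""
    return {name for name, value in hashes.items()
            if iocs.get(name) == value.lower()}


def imphash_string(imports) -> str:
    """Canonical import string: 'module.function' per import, module
    lower-cased with a trailing .dll/.ocx/.sys removed, in table order."""
    parts = []
    for module, func in imports:
        lib = module.lower()
        base, _, ext = lib.rpartition(".")
        if base and ext in ("dll", "ocx", "sys"):
            lib = base
        parts.append(f"{lib}.{func.lower()}")
    return ",".join(parts)


def imphash(imports) -> str:
    """MD5 of the canonical import string (the pefile convention)."""
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


# Constructed import table for the demo, NOT the sample's real imports.
DEMO_IMPORTS = [
    ("KERNEL32.dll", "GetProcAddress"),
    ("KERNEL32.dll", "LoadLibraryA"),
    ("USER32.dll", "MessageBoxA"),
]

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            hits = match_entry(file_hashes(fh.read()))
        print("matching indicators:", sorted(hits) or "none")
    print("imphash of demo import table:", imphash(DEMO_IMPORTS))
```

Run it with the path of a downloaded sample as the first argument; a clean copy of this file will match on all four digests, while a repacked or padded copy will match on none of them but may still share the imphash, which is the point of using imphash as a pivot rather than as an identifier.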

Intelligence

File Origin
# of uploads: 1
# of downloads: 60
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour:
Creating a file
Replacing files
DNS request
Searching for the window
Changing a file
Creating a process with a hidden window
Sending a UDP request
Creating a window
Creating a file in the %temp% directory
Deleting a recently created file
Threat name: Win32.PUA.InstallCore
Status: Malicious
First seen: 2020-11-17 12:50:10 UTC
AV detection: 17 of 29 (58.62%)
Threat level: 1/5

Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Loads dropped DLL
Executes dropped EXE
Unpacked files
SHA256 hash: aaf4fe2b9156b1b9372507b031bbab5c49f893fe652ea9d8729da31a1303153e
MD5 hash: 6a94e722a736eeabd2ba6f74124e593a
SHA1 hash: d33de30c6083ac2d63be514b3d41a40bde1580f6

SHA256 hash: e5880c010d77f69d5df036329abcc4db38cb112a1e67b5202f2aebd290705253
MD5 hash: ab66057868c4d60591ac29211a70618a
SHA1 hash: 483905045645a93974932f262c09230b5fc8a68e
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: suspicious_packer_section
Author: @j0sm1
Description: The packer/protector section names/keywords
Reference: http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
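
The rule above fires on PE section names associated with packers and protectors. The script below is an added example, not the rule itself (its keyword list is not shown on this page) and not MalwareBazaar code: it parses the DOS header, PE signature and COFF header by hand to reach the section table, then reports the names that appear in an assumed illustrative list of packer section names. build_pe() constructs a header-only PE image so the example runs without a real sample; pass a file path to inspect a downloaded one instead.

```python
"""Added example (not the suspicious_packer_section rule and not
MalwareBazaar code): walk a PE's section table and flag names that belong to
known packers/protectors, which is the class of check that rule performs.

Assumptions: PACKER_NAMES is an illustrative list, not the rule's keyword
list (the rule body is not shown on this page); build_pe() produces a
constructed header-only image so the example runs without a real sample.
"""
import struct

# Assumed illustrative packer/protector section names, not the rule's list.
PACKER_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".themida",
                ".vmp0", ".vmp1", ".petite", ".MPRESS1", ".MPRESS2", ".nsp0",
                ".enigma1", ".enigma2", ".packed"}


def section_names(pe: bytes) -> list:
    """Return section names in table order, parsing only the headers needed."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                        # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_of_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_of_opt            # first IMAGE_SECTION_HEADER
    names = []
    for i in range(num_sections):
        raw = pe[table + i * 40: table + i * 40 + 8]   # Name field, 8 bytes
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def suspicious_sections(pe: bytes) -> list:
    """Section names that match PACKER_NAMES, in table order."""
    return [n for n in section_names(pe) if n in PACKER_NAMES]


def build_pe(names) -> bytes:
    """Constructed header-only PE (no optional header, no section data)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))   # e_lfanew -> right after DOS header
    # Machine=i386, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader=0, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0, 0x0102)
    sections = b"".join(
        struct.pack("<8s6I2HI", n.encode("ascii")[:8].ljust(8, b"\0"),
                    0, 0, 0, 0, 0, 0, 0, 0, 0)
        for n in names)
    return bytes(dos) + b"PE\0\0" + coff + sections


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_pe(["UPX0", "UPX1", ".rsrc"])   # constructed demo image
    print("sections:", section_names(data))
    print("packer-like:", suspicious_sections(data))
```

A hit here is a hint, not a verdict: commercial installers and legitimate software are routinely packed, which is consistent with the Win32.PUA.InstallCore classification and the low threat level reported above.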

File information

The table below shows additional information about this sample, such as its delivery method and external references.

Delivery method: Other
