MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ab3bae35acc023bc94bea153fc9ccf4a25071ebd4e67f54c0767e3c829509e46. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 6

SHA256 hash: ab3bae35acc023bc94bea153fc9ccf4a25071ebd4e67f54c0767e3c829509e46
SHA3-384 hash: d8b591fed3312aa4e15b495afa9dd38c0eefc1365de6f585a18c26626d4475374d54568dd8dfaa1a48165f09c45fbe2e
SHA1 hash: e9857ef5ed7019d18c8ba82259b390942f8196df
MD5 hash: 186e5693b1c6135743ea64ed94c90f1b
humanhash: wisconsin-eleven-bakerloo-vegan
File name: ab3bae35acc023bc94bea153fc9ccf4a25071ebd4e67f54c0767e3c829509e46
File size: 1'719'972 bytes
First seen: 2021-03-01 23:57:23 UTC
Last seen: 2021-03-02 02:16:01 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 845afb2b5d7999c716962677637e454b
ssdeep: 49152:HTB2HiWjEbWHxkGGVqNKxaKKMS81jTqeAEd:1CHjGMPKKR81X1AEd
TLSH: 458501AC3F98DE02D07E067624CD282D27F97986ED62C76D4DDAA4D83C133A658D118F
Reporter: c3rb3ru5d3d53c


@c3rb3ru5d3d53c Live Hunt

Intelligence

File Origin
# of uploads: 2
# of downloads: 110
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: ab3bae35acc023bc94bea153fc9ccf4a25071ebd4e67f54c0767e3c829509e46
Verdict: No threats detected
Analysis date: 2021-03-01 23:58:17 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour:
Launching the default Windows debugger (dwwin.exe)
DNS request
Sending a UDP request

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 68 / 100
Signature:
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Hides threads from debuggers
Machine Learning detection for sample
PE file has nameless sections

Result
Threat name: Win32.Packed.EnigmaProtector
Status: Malicious
First seen: 2021-03-01 23:58:06 UTC
AV detection: 26 of 48 (54.17%)
Threat level: 1/5

Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour:
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Unpacked files:
SHA256 hash: ab3bae35acc023bc94bea153fc9ccf4a25071ebd4e67f54c0767e3c829509e46
MD5 hash: 186e5693b1c6135743ea64ed94c90f1b
SHA1 hash: e9857ef5ed7019d18c8ba82259b390942f8196df

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: SUSP_XORed_URL_in_EXE
Author: Florian Roth
Description: Detects an XORed URL in an executable
Reference: https://twitter.com/stvemillertime/status/1237035794973560834

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments