MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ac64e343753c2912dedf804bcb0202cf2aee410b77e52dfb6fae9c0ea610ccbc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 9

Intelligence 9 IOCs YARA 3 File information Comments

SHA256 hash:	ac64e343753c2912dedf804bcb0202cf2aee410b77e52dfb6fae9c0ea610ccbc
SHA3-384 hash:	a819bbb2be2b0e91d42b976e4257fa6f983b1172002568b20c61b82236a2ec6dd011cf4a87a6191162d06366799acfc2
SHA1 hash:	31cc463bdac0371af28da8b95e7f63e48c7faad2
MD5 hash:	3a0e88b8460abe668ad29c2ca29bfedc
humanhash:	bravo-solar-skylark-muppet
File name:	ac64e343753c2912dedf804bcb0202cf2aee410b77e52dfb6fae9c0ea610ccbc
Download:	download sample
File size:	3'244'032 bytes
First seen:	2022-08-03 10:28:51 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	a00164459a73eecbdd307551bd77b018
ssdeep	49152:5szKMxlmBK+/5b7I6dDLzwK1kE7n9zE3DCTlzckiwOT+FBM5JN:5Xulmv5bU6FvrM3k5NraJN
Threatray	14'052 similar samples on MalwareBazaar
TLSH	T108E52392CD44093BF17326F05422AAFCD5A25EE52A28D27B03F17663FDB11EA1D35293
TrID	38.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 20.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 13.0% (.EXE) Win64 Executable (generic) (10523/12/4) 8.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):
dhash icon	6327161b1b1b4908
Reporter	JAMESWT_WT
Tags:	exe Hangzhou Saifan Technology Co. Ltd.

Intelligence

File Origin

# of uploads :

# of downloads :

302

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

ac64e343753c2912dedf804bcb0202cf2aee410b77e52dfb6fae9c0ea610ccbc

Verdict:

Suspicious activity

Analysis date:

2022-08-03 10:32:48 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/8b05e777-a0f0-47ef-8d57-b3c7eadb701a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/296156/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Sending a custom TCP request

Searching for synchronization primitives

Creating a window

Creating a file in the Program Files subdirectories

Creating a file in the Windows directory

Creating a service

Launching a service

Loading a system driver

Creating a file in the Windows subdirectories

Enabling autorun for a service

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/62ea4e386336465f2a09c911/reports/83e85abb-8da3-467d-b160-775d5cdd41ea/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/aaa7c8a4-c092-4374-b19c-09de49b1215d

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1045528

Signature

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Found driver which could be used to inject code into processes

Hides threads from debuggers

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

PE file has a writeable .text section

Sample is not signed and drops a device driver

Tries to detect virtualization through RDTSC time measurements

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ac64e343753c2912dedf804bcb0202cf2aee410b77e52dfb6fae9c0ea610ccbc/

Threat name:

Win32.Backdoor.Farfli

Status:

Malicious

First seen:

2022-05-24 19:36:51 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

17 of 26 (65.38%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vrsogq3vhqurfxw7qbf4waqcz4vo4qilo7ss363pv2oa5jqqzs6a._file

Verdict:

malicious

5450806ae37bf26fc3d0db2190b03f0d74c032c3f9a2c91b7870e354992c6e35

8795836a86dc61f9fe1d4b3f798ebf3a4c1900ddac2f207f4d1f46e87b85850f

8ec16e4c4fd0a80322418ea661e4dd3b427f7369078d85f64069588624752bdc

97bd84d68cdb1c875b45f735ab621aed8a0c717e56a7c8337532dabcad5c20a6

9aaa46606f36b7f4b26420e95a75090d1a933356e994ca69d3af6bb4c3774430

9c7feb98fb5804f1f80dd03db1f84a06b68ea6043d2d34ab53edce82b83827b2

ab631126a17db88906bb50154d9f7c064a3fb8d4d2ff29863705786bca72e30f

ae0a99c5cc44699f19c5967df89e034876b214da707275a33bcf7298697ac184

df50e9ae62a46bda93ff03d76b707d574a3803754a782e21e4b9ef547f7ca32e

+ 14'042 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/220803-mh85ssbbhn/

Behaviour

Suspicious behavior: LoadsDriver

Suspicious use of SetWindowsHookEx

Drops file in Windows directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Unpacked files

SH256 hash:

ef3b8d9461dc4fb5ce0e4aa4440ec8ae616912f256305c0f61723f03631626f0

MD5 hash:

ffcc0c20805be38df41bf1d5d147d169

SHA1 hash:

b6d1794ea4ac51de575f0a80c282b2c2e22599a7

Link:

https://www.unpac.me/results/65470ec3-5af8-4007-a111-5ef2d3e41ba4/

SH256 hash:

ac64e343753c2912dedf804bcb0202cf2aee410b77e52dfb6fae9c0ea610ccbc

MD5 hash:

3a0e88b8460abe668ad29c2ca29bfedc

SHA1 hash:

31cc463bdac0371af28da8b95e7f63e48c7faad2

Link:

https://www.unpac.me/results/65470ec3-5af8-4007-a111-5ef2d3e41ba4/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/ac64e343753c2912dedf804bcb0202cf2aee410b77e52dfb6fae9c0ea610ccbc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	without_attachments Create hunting rule
Author:	Antonio Sanchez <asanchez@hispasec.com>
Description:	Rule to detect the no presence of any attachment
Reference:	http://laboratorio.blogs.hispasec.com/

Rule name:	with_urls Create hunting rule
Author:	Antonio Sanchez <asanchez@hispasec.com>
Description:	Rule to detect the presence of an or several urls
Reference:	http://laboratorio.blogs.hispasec.com/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/296156/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample