MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ad45d231d336af58e53ed062c82024c28777b9cf0fc3592f9e8fb83c4142a0ff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ad45d231d336af58e53ed062c82024c28777b9cf0fc3592f9e8fb83c4142a0ff
SHA3-384 hash: aa9589f5da00b518bdbe2a19339b9838474a201c94456ed8357f2c09e5fcfdf43c48b8bf5630d67ff93abd0de70b76a2
SHA1 hash: 0982f13095fc6ad487d3b88614cf9e3ac45ae78b
MD5 hash: 0f15c5684ae735486314958aef911e59
humanhash: bluebird-island-eighteen-sixteen
File name:0f15c5684ae735486314958aef911e59.exe
Download: download sample
File size:351'232 bytes
First seen:2020-11-19 06:07:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 120ed72c3a1d2edf2fc18f79d053ceaa
ssdeep 6144:TikliLGSRWElvJE7adRVW4bHxnUprqfUZcGtno6azhPNNUE/Fq9M4rQxtc:THliLGSRkmdrRxUgcOGCPNZEw
Threatray 5 similar samples on MalwareBazaar
TLSH C374F11176C0C033E15969314AA6C6B4AE79B8B55D29868B3BD52F7E4F313D2CB32B43
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
88
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/542236
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found C&C like URL pattern
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 320217 Sample: C5E8aYL5V2.exe Startdate: 19/11/2020 Architecture: WINDOWS Score: 88 48 4cnx9s25gsvw.top 2->48 54 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->54 56 Multi AV Scanner detection for domain / URL 2->56 58 Multi AV Scanner detection for submitted file 2->58 60 2 other signatures 2->60 8 C5E8aYL5V2.exe 17 2->8         started        signatures3 process4 dnsIp5 50 4cnx9s25gsvw.top 45.139.186.121, 49735, 49736, 49737 HostingvpsvilleruRU Russian Federation 8->50 52 192.168.2.1 unknown unknown 8->52 30 C:\Users\user\AppData\...\syZsNnTNps[1].vx, PE32 8->30 dropped 32 C:\ProgramData\...\appconfig.dll, PE32 8->32 dropped 62 Detected unpacking (changes PE section rights) 8->62 64 Detected unpacking (overwrites its own PE header) 8->64 13 WerFault.exe 9 8->13         started        16 WerFault.exe 9 8->16         started        18 WerFault.exe 9 8->18         started        20 7 other processes 8->20 file6 signatures7 process8 file9 34 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 13->34 dropped 36 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 16->36 dropped 38 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 18->38 dropped 40 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 20->40 dropped 42 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 20->42 dropped 44 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 20->44 dropped 46 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 20->46 dropped 22 conhost.exe 20->22         started        24 conhost.exe 20->24         started        26 reg.exe 20->26         started        28 4 other processes 20->28 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ad45d231d336af58e53ed062c82024c28777b9cf0fc3592f9e8fb83c4142a0ff/
Threat name:
Win32.Trojan.Glupteba
Create hunting rule
Status:
Malicious
First seen:
2020-11-19 02:05:48 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
1d806080181a1cae20bd36f6508bd5f26bd3f4de7f34d82bdb77789682570414
48069d5f27497d0ace8d6d583b36442c724913ef230b648f1f60f6a59cfd7589
70eb0335e1f9033bec0973ba114d5446442412a9069e05d0b0d7a403dc0b4fcf
bf250bbbd7b308f4679b2d825c53825f47e7f7d2e6f7a1320d5e6cc8a006ba5d
d893d3b0e8c2fa238a84eeec1adb6dec0853828d314873be41ee74280541b6d0
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/201119-l1ntnhjqms/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Delays execution with timeout.exe
Suspicious behavior: RenamesItself
Program crash
Loads dropped DLL
Unpacked files
SH256 hash:
ad45d231d336af58e53ed062c82024c28777b9cf0fc3592f9e8fb83c4142a0ff
MD5 hash:
0f15c5684ae735486314958aef911e59
SHA1 hash:
0982f13095fc6ad487d3b88614cf9e3ac45ae78b
Link:
https://www.unpac.me/results/b68ab737-a9b1-4001-a040-9713e9f6fe08/
SH256 hash:
f96912b9444d7d352d21a03cb568f3e27d3df2fc1e4298ea15e2c9bea86309e8
MD5 hash:
a2c8142e9ca0cab89cbba79d2edd95a6
SHA1 hash:
0be192a3c60dd00bc6b92e1b01dfe24f1d8740c2
Link:
https://www.unpac.me/results/b68ab737-a9b1-4001-a040-9713e9f6fe08/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe ad45d231d336af58e53ed062c82024c28777b9cf0fc3592f9e8fb83c4142a0ff

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/828188/
  
Delivery method
Distributed via web download

Comments