MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 af604815e1dc25a89516a4cda7af722d1285ef0e0a0b96e691fffa4a57282ed6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 2

SHA256 hash: af604815e1dc25a89516a4cda7af722d1285ef0e0a0b96e691fffa4a57282ed6
SHA3-384 hash: cdff155be91354b115b8d256c4504a69d6e5f113ca434bcec1eacab2571833171c0b903d37c6410e54ca32bf067903e2
SHA1 hash: 7c4760dc109183d9af0e06ab33925eef2708deb3
MD5 hash: 3625809925beeb7ab7c3910db47c99de
humanhash: carpet-rugby-april-happy
File name: af604815e1dc25a89516a4cda7af722d1285ef0e0a0b96e691fffa4a57282ed6
File size: 5'569'720 bytes
First seen: 2020-09-01 09:16:48 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: dbb7be92b8ecf6739049254c58536cca
ssdeep: 98304:Xrmpd9TpjnpiWYxhEN63ATl2UAr0pxR5Mvv/ujPJmnjoKpeNyK2hU:7Cpjpi1xMVlRAIpxR5M3/IPWQNyPm
Threatray: 1 similar samples on MalwareBazaar
TLSH: 244612FD61843718C40FCD346127DD89A2B6152E0BFCD5BAB5EB7AC07B97821AA02F15
Reporter: JAMESWT_WT
Tags: Ample Digital Limited

Code Signing Certificate

Organisation: thawte Primary Root CA
Issuer: thawte Primary Root CA
Algorithm: sha1WithRSAEncryption
Valid from: Nov 17 00:00:00 2006 GMT
Valid to: Jul 16 23:59:59 2036 GMT
Serial number: 344ED55720D5EDEC49F42FCE37DB2B6D
Intelligence: 7 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm: SHA256
Thumbprint: 8D722F81A9C113C0791DF136A2966DB26C950A971DB46B4199F4EA54B78BFB9F
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads: 1
# of downloads: 86
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Clean
Maliciousness:

Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 68 / 100
Signature
Hides threads from debuggers
Obfuscated command line found
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Tries to detect debuggers (CloseHandle check)
Tries to detect debuggers by setting the trap flag for special instructions
Tries to detect virtualization through RDTSC time measurements
Very long command line found
Behaviour
Behavior Graph (graph image not reproduced; recoverable details follow):
Behavior Graph ID: 280546; Sample: 4S5YULLTgH; Startdate: 01/09/2020; Architecture: WINDOWS; Score: 68
Process tree: sample start -> loaddll64.exe -> rundll32.exe (x3) and 5 other processes -> WerFault.exe (x6)
Signatures on sample start and loaddll64.exe: Obfuscated command line found; Very long command line found
Signatures on rundll32.exe: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Tries to detect debuggers by setting the trap flag for special instructions; Tries to detect debuggers (CloseHandle check); Tries to detect virtualization through RDTSC time measurements; Hides threads from debuggers
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Program crash
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Please note that we are no longer able to provide a coverage score for Virus Total.
