MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 af86c7d38b436ded683e7a304f9200312aaa8e283c31de972bfabcd87a857a1b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 3

Intelligence 3 IOCs YARA 3 File information Comments

SHA256 hash:	af86c7d38b436ded683e7a304f9200312aaa8e283c31de972bfabcd87a857a1b
SHA3-384 hash:	f3368031d3c86326c5c4abf24bd72f34d93c7edb854edfa7cac0ed9dcd2e4e63b48a2d78e460a9330ca043002f29aee4
SHA1 hash:	4da0a4d9e96cb5ee8a5b027555ef5f632cf854ee
MD5 hash:	0c833750e80fcd47f8bb34cad797eac4
humanhash:	lake-virginia-illinois-comet
File name:	af86c7d38b436ded683e7a304f9200312aaa8e283c31de972bfabcd87a857a1b
Download:	download sample
File size:	353'280 bytes
First seen:	2020-03-29 16:05:03 UTC
Last seen:	2020-03-30 07:05:32 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	e5919b5746055301c3d8888884dd6420
ssdeep	6144:k+3Sl2bONINfjf/j6f0Cq33h+TE+U48Fru5BgEj75ON21FPUb9rP+RySvYLqki8U:3m2JNz76fnygRnn5O8+79SvTOei8qej
Threatray	67 similar samples on MalwareBazaar
TLSH	1A74DE429CA1FF1AE021F1F0D10B3DE4D105FD29D9C6197AB4A03E26767A7C39A2E5B4
Reporter	Marco_Ramilli
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

PUA.Win.Packer.Upolyx-12

PUA.Win.Packer.Upx-4

Win.Trojan.Ramnit-1847

Win.Malware.Zusy-6840460-0

Gathering data

Threat name:

Win32.Virus.Ramnit

Status:

Malicious

First seen:

2016-05-27 15:24:07 UTC

AV detection:

31 of 31 (100.00%)

Threat level:

5/5

Verdict:

malicious

2e13c882d28c2236893a0a543e67c74a4f2e560d98c98b800f95c07938156a37

4926b96164fb60d873073e001df509423e2935bea931191f26a938ebc1425629

56133c0d017af35f49253926e3583cf72c36146ab7faa65b6058971685166652

6edb794a9f28cbd60dcb9fefc0e145f64c9e623b3df235a4a907ca948fd1edb9

7333ddf4a7e53eeda33a8360b307471358597aeff78f4a5a7f4610640f97bdc7

799b7395c9f279d8cd1cd24657788ecb37db7ae03c0dddeb3344a95a551d1325

7e5b0829c6ff31260033e79d4172ef09efa4c6667a99c97b8ec82d614a68a241

bd668ef292ae01d2ed9a32b1ea054e2acb484f61e86481f306669637ba31ce82

eb6472cb9139a37375c07bcf4e2e9b4744118d7b497f4858755a166468fb2574

+ 57 additional samples on MalwareBazaar

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CN_Honker_WordpressScanner Create hunting rule
Author:	Florian Roth
Description:	Sample from CN Honker Pentest Toolset - file WordpressScanner.exe
Reference:	Disclosed CN Honker Pentest Toolset

Rule name:	suspicious_packer_section Create hunting rule
Author:	@j0sm1
Description:	The packer/protector section names/keywords
Reference:	http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

Rule name:	win_mbrlock_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe af86c7d38b436ded683e7a304f9200312aaa8e283c31de972bfabcd87a857a1b

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/322603/

URLhaus

https://urlhaus.abuse.ch/url/322640/

Delivery method

Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
MULTIMEDIA_API	Can Play Multimedia	WINMM.dll::waveOutOpen
RAS_API	Uses Remote Access	RASAPI32.dll::RasHangUpA
SHELL_API	Manipulates System Shell	SHELL32.dll::ShellExecuteA
WIN_BASE_API	Uses Win Base API	KERNEL32.DLL::LoadLibraryA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample