MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 afde4b3d64da9dea8c95d5bfa349920a7d74017ac4bdefd41d1cd45002e00ad8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: afde4b3d64da9dea8c95d5bfa349920a7d74017ac4bdefd41d1cd45002e00ad8
SHA3-384 hash: 7f90c38f949253d2b732f5899f247cd13def9852046841cd25761609432599b438813b82ea9e71801c156fa64576debe
SHA1 hash: 734b704c582e7612ef883a7b0742e30e5eb29adc
MD5 hash: 9ff5c964eaf31b3b4bca885c33fcfb83
humanhash: solar-alabama-december-quebec
File name:9ff5c964eaf31b3b4bca885c33fcfb83.dll
Download: download sample
File size:28'672 bytes
First seen:2021-08-14 06:13:39 UTC
Last seen:2021-08-14 06:46:39 UTC
File type:DLL dll
MIME type:application/x-dosexec
ssdeep 768:ioF+ioX6zCJsqJFp0yaO8f2/ZiKjR7N8IqoSz:ZFF06zCavNO/sKjx+IX+
Threatray 342 similar samples on MalwareBazaar
TLSH T1CDD2BF46E68240FDFF9238FDB2F5970EEE21C709D74808C753A12A55DE166B1B97801D
Reporter abuse_ch
Tags:dll

Intelligence

File Origin
# of uploads :
2
# of downloads :
127
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/179140/
Detection(s):
SecuriteInfo.com.Generic.Exploit.Donut.2.7614A029.19025.13409.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3b733f38-202e-44ad-a583-cf6458033684
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/832768
Signature
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 465199 Sample: glokUT3m2v.dll Startdate: 14/08/2021 Architecture: WINDOWS Score: 72 36 Multi AV Scanner detection for submitted file 2->36 38 Machine Learning detection for sample 2->38 9 loaddll32.exe 1 2->9         started        process3 process4 11 rundll32.exe 9->11         started        14 cmd.exe 1 9->14         started        16 rundll32.exe 9->16         started        signatures5 46 Contains functionality to inject threads in other processes 11->46 48 Contains functionality to inject code into remote processes 11->48 50 Writes to foreign memory regions 11->50 18 cmd.exe 13 11->18         started        21 rundll32.exe 14->21         started        52 Allocates memory in foreign processes 16->52 54 Creates a thread in another existing process (thread injection) 16->54 24 cmd.exe 13 16->24         started        process6 dnsIp7 34 136.244.116.216, 443, 49738, 49739 AS-CHOOPAUS United States 18->34 26 conhost.exe 18->26         started        40 Writes to foreign memory regions 21->40 42 Allocates memory in foreign processes 21->42 44 Creates a thread in another existing process (thread injection) 21->44 28 cmd.exe 13 21->28         started        30 conhost.exe 24->30         started        signatures8 process9 process10 32 conhost.exe 28->32         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/afde4b3d64da9dea8c95d5bfa349920a7d74017ac4bdefd41d1cd45002e00ad8/
Threat name:
Win32.Exploit.Donut
Create hunting rule
Status:
Malicious
First seen:
2021-08-11 18:06:00 UTC
AV detection:
5 of 28 (17.86%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
043544fc666b260b348dbd6c004ac8a76c62418e34b3330e6d0a1fac1dfc3f9f
0de691a91c2cce2b647aafa0fc5abdbfb84e2a91cda8ff93f4f85f2385007901
885e34ff7befbdcdb027a017843cbacdba7eebb34d3df2e3113cceb9adafe8b5
8e32c98dd5c642b06be652eb257ebdc1222be4eb00677dbdd31e9dcb2eff033a
a58cf7753cdff434e81e0163ec97f8e1a8b32c80ddfa7cbf021778a759f78842
a9321317116649103debb8a03f5b36ee8b015fa48fc7da5c2b5eb5192dac8233
d966b0be571e5da5143ec930b1cf99c053412ecfdb76d46b16ba811c16e9eb8b
e3f01ed8d12f734d433783b0fe727e25e1a9a982a38e50fe72734c75c146df07
f6b969be87ff04be7afa8ebb789d8867356700537c3ca7cc8f64d2a587c0c0d6
+ 332 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/210814-2hnb3zpfxj/
Behaviour
Suspicious use of WriteProcessMemory
Blocklisted process makes network request
Unpacked files
SH256 hash:
afde4b3d64da9dea8c95d5bfa349920a7d74017ac4bdefd41d1cd45002e00ad8
MD5 hash:
9ff5c964eaf31b3b4bca885c33fcfb83
SHA1 hash:
734b704c582e7612ef883a7b0742e30e5eb29adc
Link:
https://www.unpac.me/results/1e6fc98c-2306-401d-999f-3fa5abca24b9/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/afde4b3d64da/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.14
Link:
https://yomi.yoroi.company/submissions/afde4b3d64da9dea8c95d5bfa349920a7d74017ac4bdefd41d1cd45002e00ad8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/179140/

Comments