MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b14b1aee43f78548e382e6a5b5b59208f65f7c3a8e7aa1e3bdf7d8bea5217146. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 10

Intelligence 10 IOCs YARA 6 File information Comments

SHA256 hash:	b14b1aee43f78548e382e6a5b5b59208f65f7c3a8e7aa1e3bdf7d8bea5217146
SHA3-384 hash:	d042cb66dcfada175316857f35eee0d91919945cb2abddfccff470ad6af25738453aba33f4fbf1e649e6ee644e9ba7ea
SHA1 hash:	61f8075fd172886158902ba70bb3fcccd1de740f
MD5 hash:	0c48e904ceded874dd65f5ca6d1075ed
humanhash:	lemon-red-happy-november
File name:	1.exe
Download:	download sample
File size:	1'521'664 bytes
First seen:	2022-11-30 18:56:08 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	296df6d34c5cd51c253772b859775151 (1 x AsyncRAT, 1 x RecordBreaker)
ssdeep	24576:OiaJjjD8m657w6ZBLmkitKqBCjC0PDgM5AZFkNBGVpDrwWmAACOlpWew0f:OiaFvVV1BCjBy84VpUf
TLSH	T14F658C2523F88A37E1FF1738A8316A0887F3F5166237E78F698494E91E577518E103A7
TrID	37.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 21.2% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9) 15.9% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 6.7% (.SCR) Windows screen saver (13097/50/3) 5.1% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
Reporter	Gannascus_
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

182

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

1.exe

Verdict:

Malicious activity

Analysis date:

2022-11-30 17:08:30 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/5f5a4407-6b1c-4fae-8aba-5d633d31697b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/340731/

Detection(s):

SecuriteInfo.com.Trojan.Heur.GM.4404010800.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a file in the %AppData% directory

Creating a file in the %temp% directory

Creating a window

Sending a custom TCP request

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-debug dllhost.exe hh.exe packed packed regsvr32.exe replace.exe

Link:

https://www.filescan.io/uploads/6387a77f8a1bf55a249cbf69/reports/5862144f-0edf-4e3d-a2e5-e1329316d196/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e026a22b-7862-4ad8-9999-ed5333085948

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/1124345

Signature

.NET source code contains very large strings

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

PE file has nameless sections

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b14b1aee43f78548e382e6a5b5b59208f65f7c3a8e7aa1e3bdf7d8bea5217146/

Threat name:

Win32.Trojan.Razy

Status:

Malicious

First seen:

2022-11-30 16:04:21 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

17 of 26 (65.38%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=wffrv3sd66cury4c42s3lnmsbd3f67b2rz5kdy5567ml5jjbofda._file

Verdict:

malicious

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/221130-xlx7tafc24/

Behaviour

Loads dropped DLL

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/72591b02-6339-450f-a93e-7fb050a8eda3

Unpacked files

SH256 hash:

dadca335ab25517609326de40001ea5aaeb0bfa1139f3458df26b07209dc121b

MD5 hash:

5f2a0d681844db68511822247258b551

SHA1 hash:

8fc493af235064349122c82d6bdfb010762734c3

Link:

https://www.unpac.me/results/65605d0f-e284-4b76-a643-6d17f0e34763/

SH256 hash:

7387b69bbc8b15f447b714d68cc6d665e6e1f2e26ecb2ec4938e5b8c99dfb5c3

MD5 hash:

c8847abf91b6cf5e3598c16e627b2ea7

SHA1 hash:

b7bc2c1369f150a273fa481488d3f4298ce5cea8

Link:

https://www.unpac.me/results/65605d0f-e284-4b76-a643-6d17f0e34763/

SH256 hash:

b00ac2f3ea3d44e9da5101fca6f5084dd46e0eb2f136f4995ad106a39b015aa9

MD5 hash:

548b4059f47f4133593a88a8479139ca

SHA1 hash:

6e3d54c5eb6d6a052c5c1ca5da46cf819479e4cd

Link:

https://www.unpac.me/results/65605d0f-e284-4b76-a643-6d17f0e34763/

SH256 hash:

b14b1aee43f78548e382e6a5b5b59208f65f7c3a8e7aa1e3bdf7d8bea5217146

MD5 hash:

0c48e904ceded874dd65f5ca6d1075ed

SHA1 hash:

61f8075fd172886158902ba70bb3fcccd1de740f

Link:

https://www.unpac.me/results/65605d0f-e284-4b76-a643-6d17f0e34763/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b14b1aee43f78548e382e6a5b5b59208f65f7c3a8e7aa1e3bdf7d8bea5217146

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	extracted_at_0x44b Create hunting rule
Author:	cb
Description:	sample - file extracted_at_0x44b.exe
Reference:	Internal Research

Rule name:	INDICATOR_EXE_Packed_Enigma Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with Enigma

Rule name:	INDICATOR_EXE_Packed_Loader Create hunting rule
Author:	ditekSHen
Description:	Detects packed executables observed in Molerats

Rule name:	MAL_Unknown_PWDumper_Apr18_3 Create hunting rule
Author:	Florian Roth
Description:	Detects sample from unknown sample set - IL origin
Reference:	Internal Research

Rule name:	MAL_Unknown_PWDumper_Apr18_3_RID312A Create hunting rule
Author:	Florian Roth
Description:	Detects sample from unknown sample set - IL origin
Reference:	Internal Research

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/340731/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample