MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b23eb66e588b47a73b393c87467b0b2b0431d9d346368efeaa36a76c7877cd27. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Dharma


Vendor detections: 3


Intelligence 3 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b23eb66e588b47a73b393c87467b0b2b0431d9d346368efeaa36a76c7877cd27
SHA3-384 hash: 858ba5fb6e4ac99b72c3358eaa15eea0dfe828754ab0f6d042bcef3706aae620c373820637cf93bb1ef997f497f5e838
SHA1 hash: 4674fb333affd27dda941b6afceb83bc5d943eb8
MD5 hash: 17448c3d1d3edb80b753c271cad45ef4
humanhash: island-one-enemy-potato
File name:comresourcesrootcert.exe
Download: download sample
Signature Dharma
Create hunting rule
File size:707'584 bytes
First seen:2020-04-03 13:36:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3cc16587a13b4f57a3eab6c51342f0fe (1 x Dharma)
ssdeep 12288:x6YIAEMiEObzlkINId8wEsZU0ekrQ4Umz/XX/K:x6YI2MVId7EsZqkLfz
Threatray 13 similar samples on MalwareBazaar
TLSH E7E48D91EAC5C0B0D0E444B0BD85F7B04ABAAD22F9229D1B37C4794C7F3E9D15329A57
Reporter Jirehlov
Tags:Dharma exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
2'045
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.Upx-48
Create hunting rule

PUA.Win.Packer.Upolyx-12
Create hunting rule

PUA.Win.Packer.Upx-4
Create hunting rule

PUA.Win.Packer.PrivateExeProte-16
Create hunting rule

PUA.Win.Packer.AcprotectUltraprotect-1
Create hunting rule

PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Dropback
Create hunting rule
Status:
Malicious
First seen:
2020-03-16 16:19:00 UTC
File Type:
PE (Exe)
Extracted files:
29
AV detection:
28 of 31 (90.32%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
1398be5280bdfc67179822e32d2d39e3e36afac05f88f3267cc7a1a63a3bdb68
Dharma
227d13f9a142cc6f050b7761e6c6e1bae712c4440730ec71c84e5acb274555e3
Dharma
2d0eb35f04745646d8c6eb3d1ab1c3e8bc8c30f1a9dc0ad89ea260e898ed9d4e
Dharma
2f2e75affe9217c7211043936678fb1777e2db4a8f1986b8805ddb1e84e9e99b
Dharma
45e9481702b87e03705d35c12c5a8a3d795d42f91d562cba539999846c729686
Dharma
65ac9daf3070161ac996fb8946632599547f1c9450d7dcd0f8dc1c85b4e8b3b7
Dharma
6985917d29596b66d9bbc745a13d5577110d9b0408719c5559d23dd59a9e4f0b
Dharma
9a4e6b6a25332f21e4e15bd5c67ea1613db78bf02fa3cef2eba47f27723f8d58
Dharma
c855a83b6b0b51c9e9bc1b2676d5644f1c578b87734517ce63820ca33d155707
Dharma
ea6bafd96818930f83200987d64c970ad03afcae9d69fbde9dd18f2ace154a99
Dharma
+ 3 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MAL_Ransomware_Wadhrama
Create hunting rule
Author:Florian Roth
Description:Detects Wadhrama Ransomware via Imphash
Reference:Internal Research
Rule name:win_dharma_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
GDI_PLUS_APIInterfaces with Graphicsgdiplus.dll::GdipDeleteGraphics
gdiplus.dll::GdipCreateFromHDC
MULTIMEDIA_APICan Play MultimediaMSACM32.dll::acmFormatTagDetailsA
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::ImpersonateLoggedOnUser
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.DLL::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.DLL::TerminateProcess
KERNEL32.DLL::LoadLibraryW
KERNEL32.DLL::LoadLibraryA
KERNEL32.DLL::GetStartupInfoA
KERNEL32.DLL::GetCommandLineA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.DLL::WriteConsoleA
KERNEL32.DLL::WriteConsoleW
KERNEL32.DLL::SetStdHandle
KERNEL32.DLL::GetConsoleMode
KERNEL32.DLL::GetConsoleCP
KERNEL32.DLL::GetConsoleWindow
KERNEL32.DLL::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.DLL::CreateFileA
WININET.dll::FtpRemoveDirectoryW
WIN_CRYPT_APIUses Windows Crypt APIADVAPI32.dll::CryptAcquireContextA
ADVAPI32.dll::CryptCreateHash
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW
WIN_SOCK_APIUses Network to send and receive dataWS2_32.dll::WSAStringToAddressA
WIN_USER_APIPerforms GUI ActionsUSER32.dll::FindWindowA
USER32.dll::FindWindowExA
USER32.dll::CreateWindowExA

Comments