MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b51c5be9e34060e996fdb34e96a2e0788d130bec03a74cf7bc7f568fe02960af. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 4


Intelligence 4 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b51c5be9e34060e996fdb34e96a2e0788d130bec03a74cf7bc7f568fe02960af
SHA3-384 hash: 5cee131fd661475cfc6d1832ced7770a990622a4f5e03e2062ca13c8f0c8c04c7a2e0a0082e6ed867ba91c5a179b8ba1
SHA1 hash: a247b898b15649c2bea9f5ad884965096a52c406
MD5 hash: 46f36756727adbd712ea97c7f5f89268
humanhash: delaware-edward-iowa-burger
File name:b51c5be9e34060e996fdb34e96a2e0788d130bec03a74cf7bc7f568fe02960af
Download: download sample
File size:55'270 bytes
First seen:2020-08-27 10:20:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d9a1d7e397ea421e37b9fed210eeadbb
ssdeep 768:NSQreeji5Y8rl5WwtCBUjLWVXUrm99FjrX2f0w9/J:NnaMyt5N8BUjUXUrm9bjrG/J
TLSH 5843B7B0AD989CC7D614633C12F6F231257CB9924B738757AA7056312B12FD1FF96242
Reporter JAMESWT_WT

Intelligence

File Origin
# of uploads :
1
# of downloads :
71
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/51766/
Detection(s):
SecuriteInfo.com.GEN_PowerShell.12511.7876.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Result
Threat name:
Unknown
Detection:
malicious
Classification:
bank.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/452547
Signature
Antivirus / Scanner detection for submitted sample
Encrypted powershell cmdline option found
Malicious encrypted Powershell command line found
Multi AV Scanner detection for submitted file
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Suspicious Csc.exe Source File Folder
Sigma detected: Suspicious Encoded PowerShell Command Line
Very long command line found
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 278634 Sample: VmoAK9VZXb Startdate: 27/08/2020 Architecture: WINDOWS Score: 88 41 Antivirus / Scanner detection for submitted sample 2->41 43 Multi AV Scanner detection for submitted file 2->43 45 Malicious encrypted Powershell command line found 2->45 47 5 other signatures 2->47 11 loaddll64.exe 1 2->11         started        process3 process4 13 rundll32.exe 11->13         started        16 rundll32.exe 11->16         started        signatures5 59 Very long command line found 13->59 18 cmd.exe 1 13->18         started        process6 signatures7 49 Very long command line found 18->49 51 Encrypted powershell cmdline option found 18->51 21 powershell.exe 18 18->21         started        24 conhost.exe 18->24         started        process8 signatures9 53 Malicious encrypted Powershell command line found 21->53 55 Very long command line found 21->55 57 Encrypted powershell cmdline option found 21->57 26 powershell.exe 23 21->26         started        process10 dnsIp11 39 192.168.70.131, 6666 unknown unknown 26->39 35 C:\Users\user\AppData\...\0xumpimy.cmdline, UTF-8 26->35 dropped 30 csc.exe 3 26->30         started        file12 process13 file14 37 C:\Users\user\AppData\Local\...\0xumpimy.dll, PE32 30->37 dropped 33 cvtres.exe 1 30->33         started        process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b51c5be9e34060e996fdb34e96a2e0788d130bec03a74cf7bc7f568fe02960af/
Threat name:
Win64.Backdoor.Meterpreter
Create hunting rule
Status:
Malicious
First seen:
2020-08-20 22:26:53 UTC
File Type:
PE+ (Dll)
AV detection:
19 of 29 (65.52%)
Threat level:
  5/5
Verdict:
unknown
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/200827-8g1avhysrj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Rozena
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/b51c5be9e34060e996fdb34e96a2e0788d130bec03a74cf7bc7f568fe02960af

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:GEN_PowerShell
Create hunting rule
Author:https://github.com/interleaved
Description:Generic PowerShell Malware Rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/51766/

Comments