MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b6fbcfc55f0124980a29986006323c37504b13e09e45d5c949c448f4f339ec56. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 7



SHA256 hash: b6fbcfc55f0124980a29986006323c37504b13e09e45d5c949c448f4f339ec56
SHA3-384 hash: cbc498905cfc855f7d15f3356daecd4b0b795f28df0ba552a892984824a01cf2b8d93edcadebf67d8abacce680b1faa0
SHA1 hash: 947143ed3cbf4bb921f0fb85de55e6390cb0bc9e
MD5 hash: 47dbc6a3a4e72e1cec415d68805eb19f
humanhash: orange-two-dakota-failed
File name: b6fbcfc55f0124980a29986006323c37504b13e09e45d5c949c448f4f339ec56
File size: 3'371'008 bytes
First seen: 2021-03-03 06:23:19 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 09891080ca1352c747d9d26b2a70c20f
ssdeep: 98304:kyS70zzf4YQIEWRPtkjXXBBGy1lQgXLyKvko1jbXzytw1:kypRIX/QgXLyUV3+ta
TLSH: 95F5BF217A544073CDD306329909F27AF3FDAD250B3F41FB5690BA7B2E3558286285EE
Reporter: JAMESWT_WT
Tags: LICHFIELD STUDIO GLASS LIMITED signed

Code Signing Certificate

Organisation: LICHFIELD STUDIO GLASS LIMITED
Issuer: Sectigo RSA Code Signing CA
Algorithm: sha256WithRSAEncryption
Valid from: 2021-02-26T00:00:00Z
Valid to: 2022-02-26T23:59:59Z
Serial number: 047801d5b55c800b48411fd8c320ca5b
MalwareBazaar Blocklist: This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm: SHA256
Thumbprint: e9b4783b2e562b1c8d534074f49f61ccb6c0d94e902e0b53172925dfdc41d106
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 1
# of downloads: 97
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: b6fbcfc55f0124980a29986006323c37504b13e09e45d5c949c448f4f339ec56
Verdict: Malicious activity
Analysis date: 2021-03-03 06:28:07 UTC
Tags: trojan bitrat rat

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Sending a UDP request
Transferring files using the Background Intelligent Transfer Service (BITS)
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Moving a file to the %AppData% directory
Deleting a recently created file
Creating a file in the %temp% directory
Launching a process
Creating a window
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 66 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Creates files in alternative data streams (ADS)
Hides threads from debuggers
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Suspicious Svchost Process
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Threat name: Win32.Backdoor.ParalaxRat
Status: Malicious
First seen: 2021-03-01 22:40:05 UTC
File Type: PE (Exe)
Extracted files: 41
AV detection: 8 of 46 (17.39%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: upx
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
UPX packed file
Unpacked files
SHA256 hash: b6fbcfc55f0124980a29986006323c37504b13e09e45d5c949c448f4f339ec56
MD5 hash: 47dbc6a3a4e72e1cec415d68805eb19f
SHA1 hash: 947143ed3cbf4bb921f0fb85de55e6390cb0bc9e
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: suspicious_packer_section
Author: @j0sm1
Description: The packer/protector section names/keywords
Reference: http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

Rule name: upx_packed
Description: UPX packed file

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments