MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b74cc5a17329986d8de5f8a6485d15b3f143cd900fb71b004862777ca39b33bd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b74cc5a17329986d8de5f8a6485d15b3f143cd900fb71b004862777ca39b33bd
SHA3-384 hash: e7e80592afa3e988fe2431bd9f7d7c24d97aa5b1af0e546c6c01888a8b73c7dc29980053f4c8e0dc4f8b260ceede59e6
SHA1 hash: 66c219421cc5b9e22311c57f1e70c2ab28f244eb
MD5 hash: 526c4af305f4438ee3ae6ff894d76597
humanhash: december-maryland-four-nebraska
File name:steam_api.dll
Download: download sample
File size:876'544 bytes
First seen:2021-11-20 00:23:55 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 0fa5f603594be57c7a33042959196729
ssdeep 24576:qZbu54jB/DmCOrMy9xCZcdpKj/eXhXF33LAR:qFQiiCu/xCZcSj/eXhX1LAR
Threatray 1 similar samples on MalwareBazaar
TLSH T10A150135609212F4C6F5E2709D525C4F7AB4508F31282CBDF6648633D8A6A0B7EBB5CE
Reporter Anonymous
Tags:dll

Intelligence

File Origin
# of uploads :
1
# of downloads :
89
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the Windows subdirectories
DNS request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed winnti
Link:
https://www.filescan.io/uploads/61984036359656727c9e1328/reports/543b765d-66ba-4acd-a702-01597ab70232/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d495a668-e54e-4180-841e-da1c0f471b3f
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/892981
Signature
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 525454 Sample: steam_api.dll Startdate: 20/11/2021 Architecture: WINDOWS Score: 56 19 Malicious sample detected (through community Yara rule) 2->19 21 Multi AV Scanner detection for submitted file 2->21 7 loaddll32.exe 15 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        11 rundll32.exe 7->11         started        13 rundll32.exe 7->13         started        15 6 other processes 7->15 process5 17 rundll32.exe 9->17         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b74cc5a17329986d8de5f8a6485d15b3f143cd900fb71b004862777ca39b33bd/
Threat name:
Win32.Trojan.Tnega
Create hunting rule
Status:
Malicious
First seen:
2021-04-17 09:48:12 UTC
AV detection:
12 of 29 (41.38%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
9fdf001f730abe9e97454ce266d79326fb6e7c02fa6f3c16a7bbf5485ef674c4
Result
Malware family:
n/a
Score:
  8/10
Tags:
upx
Link:
https://tria.ge/reports/211120-ap3kdacabl/
Behaviour
Suspicious use of WriteProcessMemory
UPX packed file
Unpacked files
SH256 hash:
b74cc5a17329986d8de5f8a6485d15b3f143cd900fb71b004862777ca39b33bd
MD5 hash:
526c4af305f4438ee3ae6ff894d76597
SHA1 hash:
66c219421cc5b9e22311c57f1e70c2ab28f244eb
Link:
https://www.unpac.me/results/c3d434e4-77ae-4cf7-b4b3-27cf2c61c34f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
DeathRansom
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b74cc5a17329986d8de5f8a6485d15b3f143cd900fb71b004862777ca39b33bd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Steam_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Steam in files like avemaria
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:Winnti_NlaifSvc
Create hunting rule
Author:Florian Roth
Description:Winnti sample - file NlaifSvc.dll
Reference:https://goo.gl/VbvJtL
Rule name:Winnti_NlaifSvc_RID2CFF
Create hunting rule
Author:Florian Roth
Description:Winnti sample - file NlaifSvc.dll
Reference:https://goo.gl/VbvJtL

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/207709/

Comments