MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b75b694bdd2b87abd5edb0012cd46d25d62962caf00c60b59b6987d3956e3a73. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 6

Intelligence 6 IOCs YARA 11 File information Comments

SHA256 hash:	b75b694bdd2b87abd5edb0012cd46d25d62962caf00c60b59b6987d3956e3a73
SHA3-384 hash:	1bc47772badf140cfb0a4e08fcf288dfa1ba36dc96358f6b96db40034dd1eb604e00d1f3623921c4058e1592e1d37034
SHA1 hash:	3ba39d2fd486202f9760da56f553f625dec211aa
MD5 hash:	abe20e57bff17b7174caea7100466b10
humanhash:	berlin-echo-low-berlin
File name:	abe20e57_by_Libranalysis
Download:	download sample
File size:	39'746'580 bytes
First seen:	2021-05-02 23:01:47 UTC
Last seen:	2021-05-02 23:45:24 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	4328f7206db519cd4e82283211d98e83 (533 x RedLineStealer, 18 x Arechclient2, 15 x DCRat)
ssdeep	786432:Eur68Tk/sjJFnV7DsAY/Orw7KkOVkWK2qveu4wP+RQhMk:E26Ck4LZRw2kq5K+RQd
Threatray	2'663 similar samples on MalwareBazaar
TLSH	BB9733AF67F21542FD78B0B80907734B0DA66E54A460DEE729D5EC0B954FCC6A00BED2
Reporter	Libranalysis

Libranalysis

Uploaded as part of the sample sharing project

Intelligence

File Origin

# of uploads :

# of downloads :

130

Origin country :

n/a

Vendor Threat Intelligence

Result

Verdict:

Clean

Maliciousness:

Behaviour

Sending a UDP request

Creating a file in the %temp% subdirectories

Creating a window

Result

Verdict:

MALICIOUS

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

72 / 100

Link:

https://www.joesandbox.com/analysis/706642

Signature

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

PE file contains section with special chars

Query firmware table information (likely to detect VMs)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect virtualization through RDTSC time measurements

Yara detected Costura Assembly Loader

Behaviour

Behavior Graph:

Download SVG

Gathering data

Threat name:

Win32.Trojan.Razy

Status:

Malicious

First seen:

2021-04-18 04:57:33 UTC

AV detection:

20 of 47 (42.55%)

Threat level:

5/5

Verdict:

malicious

752abe1050403b95676de500b60db8b36e26f02e4b24eb84ae9f4daf6d03b957

7c2bcbc90aad473e93b52051f11b1c1d8f3d9436b7d95b49e1ca4c7c835b0115

9237e5cae5f698d5ad9f6c61af8bd866e599abb05f5bc49474d98e269a29a588

93e582393fca866d1291b3852e63dbe2e7a1460e9e2ab3d750083f28f4d04e64

9b2ad325e0cda26d0cd3769bea307050581d5c38d40d1281ff7e6b56420369cd

9c85d76526d585038392e1af504886580d096e9646de2907b73feab521920944

9fefa41ed2d1032a787fbe2c1d8f1f4d3d93c717b4ab7aef6de94d50012b113c

a21b545b7aab8405487b134cbc179aab85ee49af77928d896f9904fefcfce076

e5a666bc9d8b7c4a483d8a9204919dc454bca394cd22ac150aaf18bbb80b0b89

+ 2'653 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

9/10

Tags:

evasion themida trojan

Link:

https://tria.ge/reports/210502-x5gpbktxgx/

Behaviour

Checks whether UAC is enabled

Checks BIOS information in registry

Loads dropped DLL

Themida packer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Themida

Score:

0.56

Link:

https://yomi.yoroi.company/submissions/b75b694bdd2b87abd5edb0012cd46d25d62962caf00c60b59b6987d3956e3a73

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	crime_win32_ransom_avaddon_1 Create hunting rule
Author:	@VK_Intel
Description:	Detects Avaddon ransomware
Reference:	https://twitter.com/VK_Intel/status/1300944441390370819

Rule name:	Cryptocoin_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Steam in files like avemaria

Rule name:	dsc Create hunting rule
Author:	Aaron DeVera
Description:	Discord domains

Rule name:	Email_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Email in files like avemaria

Rule name:	INDICATOR_EXE_Packed_Themida Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with Themida

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	pe_imphash Create hunting rule

Rule name:	quakbot_halo_generated Create hunting rule
Author:	Halogen Generated Rule, Corsin Camichel

Rule name:	silentbuilder_halo_generated Create hunting rule
Author:	Halogen Generated Rule, Corsin Camichel

Rule name:	Steam_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Steam in files like avemaria

Rule name:	Telegram_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Telegram in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample