MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b87196935635ee9996c2286282ac5bd1d3f7e90d8269bfefcf9533d6df30ecf5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b87196935635ee9996c2286282ac5bd1d3f7e90d8269bfefcf9533d6df30ecf5
SHA3-384 hash: 959e014b67de8f54d4e4efebd585cefd6e513b9c207bb8f3cc31a2bcd80bcffce02664c937f894a0a2f19d32424dca6f
SHA1 hash: 0dcfe3a81e327bf105946ee515d032bff36e53f5
MD5 hash: ad16b81f2a1141172c5f7b90a350c772
humanhash: table-robert-lithium-floor
File name:ad16b81f2a1141172c5f7b90a350c772.exe
Download: download sample
File size:6'660'096 bytes
First seen:2021-07-09 18:24:11 UTC
Last seen:2021-07-09 18:47:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 98304:DJgChA7NnsJRBJp+JqUZYR5KFOWjuT9TiZxRaWykiwzIe6Wzwfvq:DaChqs7BGNZYvKuTIPRar55WM6
Threatray 88 similar samples on MalwareBazaar
TLSH T1356612C1A7D45844C91A3EFA891DD23C8B1E9E1AAA63B10D75E83AC433715015FEBF9C
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
98
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ad16b81f2a1141172c5f7b90a350c772.exe
Verdict:
No threats detected
Analysis date:
2021-07-09 18:25:00 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/33854d17-d647-465c-b23d-3345ca3107b7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/170721/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.919.30052.30815.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/be692630-7a68-473f-ae6e-54978da534b9
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/814165
Signature
Creates an undocumented autostart registry key
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sigma detected: Suspicious Process Start Without DLL
Sigma detected: WScript or CScript Dropper
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b87196935635ee9996c2286282ac5bd1d3f7e90d8269bfefcf9533d6df30ecf5/
Threat name:
ByteCode-MSIL.Trojan.Dnoper
Create hunting rule
Status:
Malicious
First seen:
2021-07-09 14:01:46 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
20
AV detection:
8 of 29 (27.59%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
042c6ccdc439211a649c933b4f54748e9955277ff435f6319748d744b63028d5
0f50a03ab746696adbaae3755d933c7f6f5070e8592efa2452de01ba9326fa7c
13f0c6e6a5c9f192c09a6e3a3768e8e31548b04a6839b28731862707c2689ac2
398e6661f5ca757d0d7c777a0ed8ca1481b5c2df810008164e1f51deefc2ab48
3b463cccd70c11b6e8eb2be3e16113db9fc9268367c70210c49b7ef80e29d3d1
3ed17d1df70b71852be2335f91bdfe20cd4a319a7d22d407e6e82a8dbe91bc5f
5133f50e4eba6506c9b0236ee2b881301886ab8967b75316d9b259063ca1a2dc
64c9c7ff15bf8c493c229fe32e455e2612c8282e8fc0beaad6e29dd2f5ca1d86
7bfa1a2593f74120d8f9ad1cdae68a06f22c86fdcc58eb9ecb3471b500330867
88d413cd1c86f67b6484f694cf829fde9df980755442cdaebba7c6a1e41b3ea4
+ 78 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence
Link:
https://tria.ge/reports/210709-mkywl6y81e/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Modifies WinLogon for persistence
Unpacked files
SH256 hash:
b87196935635ee9996c2286282ac5bd1d3f7e90d8269bfefcf9533d6df30ecf5
MD5 hash:
ad16b81f2a1141172c5f7b90a350c772
SHA1 hash:
0dcfe3a81e327bf105946ee515d032bff36e53f5
Link:
https://www.unpac.me/results/f59b7163-fd96-4e8f-95b1-da14f4ffd732/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/b87196935635ee9996c2286282ac5bd1d3f7e90d8269bfefcf9533d6df30ecf5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Glasses
Create hunting rule
Author:Seth Hardy
Description:Glasses family
Rule name:GlassesCode
Create hunting rule
Author:Seth Hardy
Description:Glasses code features

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe b87196935635ee9996c2286282ac5bd1d3f7e90d8269bfefcf9533d6df30ecf5

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/170721/
  
URLhaus
https://urlhaus.abuse.ch/url/1431195/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1430221/

Comments