MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b8a3d6fb9df78b366b1f4028346e0bedf9ecefad4e6108966ba9a8ede0e11ae7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Allaple

Vendor detections: 15

Intelligence 15 IOCs YARA 3 File information Comments

SHA256 hash:	b8a3d6fb9df78b366b1f4028346e0bedf9ecefad4e6108966ba9a8ede0e11ae7
SHA3-384 hash:	54284c1a7b1e02a078725498e1b994a5817bc3c2a4a6e7fb8953ed9b207476691cf223f998819216de3a2f5c3e260f2b
SHA1 hash:	42e8d94f888c914928cffbbe87efb63aec3d9acb
MD5 hash:	9cede4a611b2f791c7e5c9e2d064cbfc
humanhash:	triple-nuts-undress-lithium
File name:	b8a3d6fb9df78b366b1f4028346e0bedf9ecefad4e6108966ba9a8ede0e11ae7
Download:	download sample
Signature	Allaple Create hunting rule
File size:	98'304 bytes
First seen:	2024-12-09 13:52:05 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	8bfd70ac60d41ffae1945486da91f576 (1 x Allaple)
ssdeep	1536:+xxx7yo3B0Ot+piNhyf9b6wixC9uO93GVwEpjVrs2ryrd1vUQuqSuWnRrF4O5+nT:iyKwaObogYO935EHs2qmRlixH
Threatray	9 similar samples on MalwareBazaar
TLSH	T1D4A3E0EFD5E19DC4EB67193A8410A6E3BD682C2823F531841824F5EF9CA3320656B5DF
TrID	28.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 25.5% (.EXE) Win32 Executable (generic) (4504/4/1) 11.6% (.ICL) Windows Icons Library (generic) (2059/9) 11.5% (.EXE) OS/2 Executable (generic) (2029/13) 11.3% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
Reporter	JAMESWT_WT
Tags:	213-21-220-222 allaple exe worm

Intelligence

File Origin

# of uploads :

# of downloads :

661

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

b8a3d6fb9df78b366b1f4028346e0bedf9ecefad4e6108966ba9a8ede0e11ae7

Verdict:

No threats detected

Analysis date:

2024-12-09 13:59:17 UTC

Tags:

icmp

Link:

https://app.any.run/tasks/89cd4d05-7eeb-4049-a6c1-564227ba192a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6756f64048182d1685570faa

Tags:

injection allaple virus overt

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Changing a file

Creating a file in the Program Files subdirectories

Connection attempt

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

allaple networm overlay packed packed packer_detected virus

Link:

https://www.filescan.io/uploads/6756f640293be149ee23ee9d/reports/43e9edcf-cd55-4dbb-a7ed-3b679d21d710/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/b8a3d6fb9df78b366b1f4028346e0bedf9ecefad4e6108966ba9a8ede0e11ae7

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Allaple

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3a732ad6-4109-425a-bbfe-735a85a50131

Result

Threat name:

n/a

Detection:

malicious

Classification:

evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1571558

Signature

AI detected suspicious sample

Antivirus / Scanner detection for submitted sample

Detected unpacking (creates a PE file in dynamic memory)

Found evasive API chain (may stop execution after checking mutex)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

PE file has a writeable .text section

Sigma detected: Potential Persistence Via COM Hijacking From Suspicious Locations

Suricata IDS alerts for network traffic

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/b8a3d6fb9df78b366b1f4028346e0bedf9ecefad4e6108966ba9a8ede0e11ae7

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b8a3d6fb9df78b366b1f4028346e0bedf9ecefad4e6108966ba9a8ede0e11ae7/

Threat name:

Win32.Worm.Allaple

Status:

Malicious

First seen:

2022-07-28 05:25:05 UTC

File Type:

PE (Exe)

AV detection:

37 of 38 (97.37%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xcr5n64566ftm2y7iaudi3ql5x46z35njzqqrftlvguo3yhbdltq._file

Result

Malware family:

n/a

Score:

4/10

Tags:

discovery

Link:

https://tria.ge/reports/241209-q6y7aazlfy/

Behaviour

Modifies registry class

Suspicious use of WriteProcessMemory

Program crash

System Location Discovery: System Language Discovery

Drops file in Program Files directory

Verdict:

Malicious

Tags:

Win.Worm.Allaple-306

YARA:

n/a

Link:

https://app.threat.zone/submission/b6f1925d-1442-462d-8a25-f6ca40e82d8b

Unpacked files

SH256 hash:

31a4de81da58d4f0f2f2299c073eca058b7bd8d514bb8e43fdaa4949ca587c23

MD5 hash:

49e5125f7c5c710b213e2de422eda8b6

SHA1 hash:

60d4857280f272fe5dc507b4acfb505a2efeed2d

Detections:

Allaple

win_allaple_auto

Link:

https://www.unpac.me/results/8c907088-4fd8-47c7-8314-be84997cf301/

Parent samples :

a4e3a51d3bafd44bad049bbe1c4ce7e3e8e2952b9c1700c11ec2d97e7fb52a31
2bdb30d02bc3a9894a3ee6ff89ecd7ed6d8937e88ccc8c85f5618e7cae931f50
8cbc4de8053a106655e954a82d40ed1f456882f69cc6dfb13ed41e27a637375b
824a5d1fc6ac6050922b1d6a62930d7e6c487b667a83412815e31980f9cfdaba
e6a8f27d09c850978b635d02a99758fe27e2accbe11eeab7588f90726fc89e74
4fc053d321a623653ee61b803b3d10d0b102da59325106851aa0d48539c36476
378059b27606eae8b78d0ebcd8cf469ece63a8e36459ebb060739ac3bdb35d62
b8a3d6fb9df78b366b1f4028346e0bedf9ecefad4e6108966ba9a8ede0e11ae7
75e150c19f29423a5c58cf0e85df991020eb6ee0ea45539da74372694c03ce82

SH256 hash:

b8a3d6fb9df78b366b1f4028346e0bedf9ecefad4e6108966ba9a8ede0e11ae7

MD5 hash:

9cede4a611b2f791c7e5c9e2d064cbfc

SHA1 hash:

42e8d94f888c914928cffbbe87efb63aec3d9acb

Link:

https://www.unpac.me/results/8c907088-4fd8-47c7-8314-be84997cf301/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b8a3d6fb9df78b366b1f4028346e0bedf9ecefad4e6108966ba9a8ede0e11ae7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::GetCommModemStatus KERNEL32.dll::GetSystemInfo
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::FreeConsole KERNEL32.dll::SetConsoleCP

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample