MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b92e82e83c4f3ea90cd3c64b3276265aee5bfc9acdca956f6df4811b252bb978. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Renamer


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b92e82e83c4f3ea90cd3c64b3276265aee5bfc9acdca956f6df4811b252bb978
SHA3-384 hash: 1e1cb714d19efc0aa9649c8b2476b9c2a6ac992338635de419c3ce589855f60643009f95969209073034259cebb81631
SHA1 hash: e9cb95893361e92cbbd423cab03219cc4b4d74cf
MD5 hash: 6d3632abf3c43b6da3bcef47d3343da1
humanhash: bluebird-jig-cup-social
File name:dohcrypted.exe
Download: download sample
Signature Renamer
Create hunting rule
File size:1'576'960 bytes
First seen:2021-09-07 13:07:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2f095340e94ca508e3b83fb009ebf4cc (18 x Renamer)
ssdeep 24576:ccCT67wHqWis4l+jIACFr5hqjiLDpSJDN93pqb6W8cU4gLQIA:xCpn8t74iA3qb6W8cU43
Threatray 4'302 similar samples on MalwareBazaar
TLSH T12C75010B9EEF1167FC552B71D02149B310FBF9F60E464722F6E1E60E2A30FA165384A6
dhash icon 00d2d4d4d4dcd400 (1 x Renamer)
Reporter James_inthe_box
Tags:exe Renamer

Intelligence

File Origin
# of uploads :
1
# of downloads :
104
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Overseas Keys inquiry .doc
Verdict:
Malicious activity
Analysis date:
2021-09-07 06:04:23 UTC
Tags:
trojan exploit CVE-2017-11882 loader
Link:
https://app.any.run/tasks/7ebf3749-cc3f-4729-8816-20aacbf980c1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Renamer
Create hunting rule
Link:
https://www.capesandbox.com/analysis/186031/
Detection(s):
Win.Trojan.VBGeneric-6989114-0
Create hunting rule

Win.Malware.Dxtx-9829330-0
Create hunting rule

Win.Malware.Dxtx-9872553-0
Create hunting rule

Win.Malware.Dxtx-9872615-0
Create hunting rule

Win.Malware.Dxtx-9876181-0
Create hunting rule

Win.Packed.Ponystealer-6733035-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Malware family:
Gorgon Group
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c8accb44-ed5f-4dcf-bcc7-88dfc9d7a02f
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad.spre.spyw.expl
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/846611
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Drops VBS files to the startup folder
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential malicious VBS script found (suspicious strings)
Sigma detected: Drops script at startup location
Tries to detect virtualization through RDTSC time measurements
Yara detected Generic Dropper
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b92e82e83c4f3ea90cd3c64b3276265aee5bfc9acdca956f6df4811b252bb978/
Threat name:
Win32.Trojan.DistTrack
Create hunting rule
Status:
Malicious
First seen:
2021-09-07 08:14:50 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
26 of 28 (92.86%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0a2a6d1c44faaf913e485ad041724238f793bb57508eb1574b3b07a4931cc8a2
Renamer
12f249adf9e96719d8999e5ff16ca67fb252cb38edf05851577a564b3044f987
Renamer
17ad4077635fb91dd079433a999903f6252d19e47b503d92c1ddac9c93e14d2d
Renamer
22916cd876516df90c959904823fbc25a331cd7f8e70343cc05f4674128f07e1
Renamer
4b611d0f1bcb7daca27c3093c8c7ea6359e5b6e5b6b4c91e4cba798f60b3413c
Renamer
61b36c03b131bf1dac4d6ddf392b9ebd48a0d6c723abb9119c308dd22b5432db
Renamer
68f58a48d09d07cd851a8d03cef1a6000f715257fbfbad215e22013ac7a7e611
Renamer
8c35b3d63f5644c97f5e9a1215ac4d9a4486eb78ff8a1410da52fa6853c99bf8
Renamer
dcabbdbcb25b9663b40e527927ad003ab43726989d5772a9999e4350ca974a6a
Renamer
eeb94d0ce7213c5b8c070a7df59ba79aaf8248361922980368c31295c6641aae
Renamer
+ 4'292 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/210907-qc7lkafghn/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops autorun.inf file
Drops startup file
Loads dropped DLL
Unpacked files
SH256 hash:
b92e82e83c4f3ea90cd3c64b3276265aee5bfc9acdca956f6df4811b252bb978
MD5 hash:
6d3632abf3c43b6da3bcef47d3343da1
SHA1 hash:
e9cb95893361e92cbbd423cab03219cc4b4d74cf
Link:
https://www.unpac.me/results/6e336ca4-7cf8-4b2e-8083-865c2d66625a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b92e82e83c4f3ea90cd3c64b3276265aee5bfc9acdca956f6df4811b252bb978

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Embedded_PE
Create hunting rule
Rule name:Embedded_PE
Create hunting rule
Rule name:MALWARE_Win_Renamer
Create hunting rule
Author:ditekSHen
Description:Detects Renamer/Tainp variants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/186031/
  
URLhaus
https://urlhaus.abuse.ch/url/1599750/

Comments