MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ba4445419d534dd16aa0e5af096d451b81638173c80686d5aa8816b780514396. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ba4445419d534dd16aa0e5af096d451b81638173c80686d5aa8816b780514396
SHA3-384 hash: 9fd40e683b5ad325992e694277b4e0a0d9531c6ce39f68f7d365ea08e81fc3f8228c6c8b5db8a149d3982bee9168c893
SHA1 hash: a64fd9f126ef259503422589754cee13b20de080
MD5 hash: 4e88cb52fa6c33f10aeeac975b2e4cd4
humanhash: oscar-robert-mississippi-may
File name:4e88cb52fa6c33f10aeeac975b2e4cd4
Download: download sample
File size:1'409'528 bytes
First seen:2023-11-27 18:16:42 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash c3808a9e82ae47a53120a4e9320a8c72
ssdeep 24576:ZcOeh7E7IJbtEJEHng8wGrQTLq73xaH7pbHl6GV:ZcOWFJbtSMXoTLq73xK51
Threatray 73 similar samples on MalwareBazaar
TLSH T18D656B12F4FFE81FC8362031C85DA046FB9B299251B73EC8693D6C2994776B57992C0B
TrID 38.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
24.6% (.EXE) Win64 Executable (generic) (10523/12/4)
11.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.5% (.EXE) Win32 Executable (generic) (4505/5/1)
4.7% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon ccccc4e8d89acccc (1 x CobaltStrike, 1 x Gh0stRAT, 1 x ValleyRAT)
Reporter zbetcheckin
Tags:32 dll exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
337
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/460782/
Detection(s):
Win.Trojan.Ulise-9645830-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug overlay packed
Link:
https://www.filescan.io/uploads/6564dd1e7485e5b1ecbd6671/reports/f72b0e7a-c59a-4a8e-9238-c6df95bb4513/overview
Verdict:
Malicious
Labled as:
Trojan.Kryptik
Link:
https://www.hybrid-analysis.com/sample/ba4445419d534dd16aa0e5af096d451b81638173c80686d5aa8816b780514396
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4bf226ce-83ef-40e6-a41b-a48f4adbd4b5
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/1348817
Signature
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1348817 Sample: XSveuOAaXN.dll Startdate: 27/11/2023 Architecture: WINDOWS Score: 48 19 Multi AV Scanner detection for submitted file 2->19 7 loaddll32.exe 1 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        11 rundll32.exe 7->11         started        13 rundll32.exe 7->13         started        15 36 other processes 7->15 process5 17 rundll32.exe 9->17         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ba4445419d534dd16aa0e5af096d451b81638173c80686d5aa8816b780514396
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ba4445419d534dd16aa0e5af096d451b81638173c80686d5aa8816b780514396/
Threat name:
Win32.Backdoor.Farfli
Create hunting rule
Status:
Malicious
First seen:
2023-11-27 18:17:06 UTC
File Type:
PE (Dll)
Extracted files:
38
AV detection:
15 of 37 (40.54%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xjcekqm5kng5c2va4wxqs3kfdoawhaltzadinvnkrallpacriola._file
Verdict:
malicious
Similar samples:
1f3194c5d2f7de0505f5a5a6d219f217cd5526ef7c9f8cd2d163887176572825
20f4b006007defc2e71a4a3bc6ffe0cdbb5ed6f34c4e15e95d85a7cb60a76286
4e90491d7bfcb50079a2fc9795b8ae9c4bd9ee5b26913b075ea248f953c6b910
71a0f84fc97d3ea8ecdc9dc19e058fe994e3cecf826f3db462c4995d8ee6dacb
7d147fa016e7218fcf60c76d2688a100e83fbb580f3c954d55e08d2c7b0b5a14
a1ee855e975db8957456fc60c33eb040b7bdc2ff79dbd9799f379a4dcade71bf
d46dbbb40bf11bda9b1aa74d9d2550a73ab0ae6008270c2c541153cd4974a3dd
dceef11f380d4082b9e67accef94ff1eaf6ba3eb6be59b861a11f084b29a1c7c
+ 63 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/231127-ww233sbd72/
Behaviour
Suspicious use of WriteProcessMemory
Unpacked files
SH256 hash:
ba4445419d534dd16aa0e5af096d451b81638173c80686d5aa8816b780514396
MD5 hash:
4e88cb52fa6c33f10aeeac975b2e4cd4
SHA1 hash:
a64fd9f126ef259503422589754cee13b20de080
Link:
https://www.unpac.me/results/6c48e565-97b0-4456-8cc6-3c6346fc8552/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ba4445419d534dd16aa0e5af096d451b81638173c80686d5aa8816b780514396

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Armadillov1xxv2xx
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DLL dll ba4445419d534dd16aa0e5af096d451b81638173c80686d5aa8816b780514396

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2735840/
Cape
Cape
https://www.capesandbox.com/analysis/460782/

Comments


Avatar
zbet commented on 2023-11-27 18:16:43 UTC

url : hxxp://118.107.7.250:4159/ndldll.txt