MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bb1af121502e40a549135b72f34ad49d11cfbfa49b5cbcf549777549087fe751. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SHA256 hash: bb1af121502e40a549135b72f34ad49d11cfbfa49b5cbcf549777549087fe751
SHA3-384 hash: fc85e312af01230f31d3461ed198f891a55e755b11c23ea6b101e813b39aa2055b5fb778dd77bb537b2e3e1bb1e9bd66
SHA1 hash: 54f313419abe2dd153b7d2e66f8270b2a459cd13
MD5 hash: 9070256c0531a143da6ee6697b5aa352
humanhash: vegan-march-football-seventeen
File name: bb1af121502e40a549135b72f34ad49d11cfbfa49b5cbcf549777549087fe751.dll
Signature: Lazarus
File size: 264'192 bytes
First seen: 2020-08-02 09:04:28 UTC
Last seen: 2020-08-02 15:29:36 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: ccb87335a0c972884296455ec2c5fcfe
ssdeep: 6144:UgOXJL6cuV+TzlGfB8hOWPzRY5OdR0TpfhzpJo02VwOGVSeu2:FcuK0B6cwKBywOGVS
TLSH: 8A44076172E50879F8B39A388EE34452E9BA7C611335C2DF1261235E8E3BFD19D36721
Reporter: Anonymous
Tags: dll Lazarus

Intelligence

File Origin
# of uploads: 3
# of downloads: 47
Origin country: IN

Mail intelligence: No data
Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour
- Sending a UDP request
- Modifying an executable file
- Creating a file
- Enabling the 'hidden' option for recently created files
- Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
- Unauthorized injection to a system process
- Deleting of the original file
Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 72 / 100

Signature
- Allocates memory in foreign processes
- Benign windows process drops PE files
- Contains functionality to inject threads in other processes
- Creates a thread in another existing process (thread injection)
- Injects a PE file into a foreign processes
- Sigma detected: Suspicious Svchost Process
- Writes to foreign memory regions
Behaviour
Behavior Graph (ID 255807; sample YJiBAC7OIA.dll; start date 02/08/2020; architecture WINDOWS; score 72), reconstructed as a process tree:
  Sigma detected: Suspicious Svchost Process
  loaddll64.exe (started)
    rundll32.exe (started, four instances: 10, 13, 15, 17)
      rundll32.exe [10]: Contains functionality to inject threads in other processes; Writes to foreign memory regions; Allocates memory in foreign processes
        -> svchost.exe [19] (injected): Benign windows process drops PE files
             cmd.exe (started)
      rundll32.exe [13]: Creates a thread in another existing process (thread injection); Injects a PE file into a foreign processes
        -> svchost.exe [22] (injected)
             dropped: C:\Users\user\Desktop\YJiBAC7OIA.dll (PE32+)
             dllhost.exe (started)
             cmd.exe (started)
      rundll32.exe [15], rundll32.exe [17]: no further activity shown in the graph

Threat name: Win64.Trojan.NukeSped
Status: Malicious
First seen: 2020-07-25 16:16:00 UTC
AV detection: 21 of 31 (67.74%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: persistence

Behaviour
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- Adds Run key to start application
- Deletes itself

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments