MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bb3d35cba3434f053280fc2887a7e6be703505385e184da4960e8db533cf4428. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments

SHA256 hash: bb3d35cba3434f053280fc2887a7e6be703505385e184da4960e8db533cf4428
SHA3-384 hash: 4fb78148a019f573916ea8b9fe6f25d8317f9b0c203f4098297ae0eaabd6e5f49fc781d5d56c2eb5d686f5938c35e9a6
SHA1 hash: 42ae87079f73f4fa3513b0febb288e3860be061f
MD5 hash: aea6585be1b8ed83061e13b72e2f21d7
humanhash: spring-california-sweet-december
File name:Dysm.decoded.exe
Download: download sample
File size:55'296 bytes
First seen:2023-04-03 22:54:37 UTC
Last seen:2023-04-03 23:32:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b241af31925d8f6ae53fca14aa14a03e
ssdeep 768:fauBAEAsP2ysspQ4gIBngqPEsDVN4Z6rk6bkkDUrpuaWj5:J20pQ4gIBnXPEsZN7kUfDep7E5
TLSH T188438C227990C1B3C44504750964E751AB6FB9324AB5C787BBD816BEAF313D0AF3E34A
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter luc4m
Tags:APT41 exe

Intelligence


File Origin
# of uploads :
2
# of downloads :
336
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Dysm.decoded.exe
Verdict:
No threats detected
Analysis date:
2023-04-03 22:44:10 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Enabling autorun with the shell\open\command registry branches
Setting a single autorun event
Enabling autorun
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Behaviour
MalwareBazaar
CPUID_Instruction
MeasuringTime
SystemUptime
EvasionGetTickCount
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm cmd.exe greyware
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
56 / 100
Signature
Creates an undocumented autostart registry key
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
behaviorgraph top1 signatures2 2 Behavior Graph ID: 840501 Sample: Dysm.decoded.exe Startdate: 04/04/2023 Architecture: WINDOWS Score: 56 32 Multi AV Scanner detection for submitted file 2->32 34 Machine Learning detection for sample 2->34 6 Dysm.decoded.exe 7 2->6         started        9 iexplore.exe 1 67 2->9         started        11 iexplore.exe 2->11         started        process3 signatures4 36 Creates an undocumented autostart registry key 6->36 13 iexplore.exe 40 9->13         started        16 iexplore.exe 115 9->16         started        18 iexplore.exe 9->18         started        process5 dnsIp6 20 www.msn.com 13->20 22 srtb.msn.com 13->22 28 5 other IPs or domains 13->28 24 edge.gycpi.b.yahoodns.net 87.248.119.252, 443, 49772, 49773 YAHOO-DEBDE United Kingdom 16->24 26 prebid.media.net 34.107.148.139, 443, 49732, 49733 GOOGLEUS United States 16->26 30 12 other IPs or domains 16->30
Threat name:
Win32.Trojan.Doina
Status:
Malicious
First seen:
2023-01-12 23:05:20 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Verdict:
malicious
Result
Malware family:
n/a
Score:
  6/10
Tags:
persistence
Behaviour
Modifies registry class
Adds Run key to start application
Unpacked files
SH256 hash:
bb3d35cba3434f053280fc2887a7e6be703505385e184da4960e8db533cf4428
MD5 hash:
aea6585be1b8ed83061e13b72e2f21d7
SHA1 hash:
42ae87079f73f4fa3513b0febb288e3860be061f
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Suspicious_Macro_Presence
Author:Mehmet Ali Kerimoglu (CYB3RMX)
Description:This rule detects common malicious/suspicious implementations.
Rule name:SUSP_ENV_Folder_Root_File_Jan23_1
Author:Florian Roth (Nextron Systems)
Description:Detects suspicious file path pointing to the root of a folder easily accessible via environment variables
Reference:Internal Research
Rule name:SUSP_PowerShell_Base64_Decode
Author:SECUINFRA Falcon Team
Description:Detects PowerShell code to decode Base64 data. This can yield many FP

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Executable exe bb3d35cba3434f053280fc2887a7e6be703505385e184da4960e8db533cf4428

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments