MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bd5d3ebe6150f53c1535e1667a18bbd4831751a414e7518dc8e1d15a19db95b3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 4

Intelligence 4 IOCs YARA 1 File information Comments

SHA256 hash:	bd5d3ebe6150f53c1535e1667a18bbd4831751a414e7518dc8e1d15a19db95b3
SHA3-384 hash:	9725754233373557f4c9495929f2205e5276166cd1feedae8023119ac4fddd23816ace66d045ee302cc4098f6270b3a3
SHA1 hash:	e71024b789e25f79b50b9d79409ba0c85597cf35
MD5 hash:	119fc3356fd91b84ce3195f4914ce53e
humanhash:	neptune-oxygen-foxtrot-fish
File name:	iec56w4ibovnb4wc.onion_Library__GandCrab__GandCrabV5.0.9.bin.malw
Download:	download sample
File size:	169'472 bytes
First seen:	2020-03-18 22:08:47 UTC
Last seen:	2024-11-16 15:41:27 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	6ab8173f30757d6c461671e5705da932
ssdeep	3072:Xi+77RrDGdRTSHL/FnVxi7AnWpL5geHRiZ4qjKbknx/:XioIqFVxsqWpmeHouk
Threatray	45 similar samples on MalwareBazaar
TLSH	7EF3125A2B73DCC6D7B78B781B03B2238204D11257AC67A47BB48C3EDF6F258516076A
Reporter	ov3rflow1
Tags:	malw

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

PUA.Win.Packer.Upx-49

PUA.Win.Packer.UpxProtector-1

PUA.Win.Packer.Upolyx-12

PUA.Win.Packer.Upx-6

PUA.Win.Packer.Upx-4

SecuriteInfo.com.Trojan.Encoder.26904.7156.26260.UNOFFICIAL

Gathering data

Threat name:

Win32.Trojan.Filecoder

Status:

Malicious

First seen:

2018-11-03 12:50:12 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Verdict:

malicious

25babc8d9be2e6cc3cdd408fac70bea0d9c3f0c3480945d3bcb374c88b6f82c1

62115059096fc430f5e8b4cfe6884444fbb2b0733760a7f4a9856791f1151ba9

7c19cbbbb385a448d0033fe89cf139fff95ea9760ac2f0e9fa9acac60d180b81

89313534a5c4579b6a00425281ef0473246cfb2340653bd3cf41b584bfa40578

8c71aca391fbd24fb5400cbc0cea7bfc424dfac861cbfebbac25393e8b21bbf4

8f326df009924cd7bf93a0a9cb83f1ae42adec4e7afce32971da35a8d792a223

a6fa24e0210cf4e792b983adf65416871b6a4792fbd5ba3ccaf15484159c776b

bbeaa86003be4d14ff5643c47d20ca8a44e4d7e655bda8a93439fbe7dd4e9066

fd1a4137fb29a94777cafedaaf9118b456f4f3aa7e6cc7de3a40e5c180776c34

+ 35 additional samples on MalwareBazaar

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Unknown

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/bd5d3ebe6150f53c1535e1667a18bbd4831751a414e7518dc8e1d15a19db95b3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	suspicious_packer_section Create hunting rule
Author:	@j0sm1
Description:	The packer/protector section names/keywords
Reference:	http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
WIN_BASE_API	Uses Win Base API	KERNEL32.DLL::LoadLibraryA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample