MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c419360ddd30c3126efcab65227301530d96427ac670dc515b77bb2bd6e7115b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TriumphLoader


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c419360ddd30c3126efcab65227301530d96427ac670dc515b77bb2bd6e7115b
SHA3-384 hash: 81e67114f448723b73f099b1dddfb1763e34cc6e5aeef386b4fc54e8aa8c417c0b3e418309365306a98e2a4b497f4649
SHA1 hash: bb936123ebb4607e575312b6420d0248a3bd8b22
MD5 hash: 3fce044289f0c4a62d759e885649ee6f
humanhash: ten-hotel-neptune-sink
File name:SecuriteInfo.com.W32.AIDetectGBM.malware.02.5824.14890
Download: download sample
Signature TriumphLoader
Create hunting rule
File size:377'856 bytes
First seen:2021-02-23 16:01:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3bb85935dd89c47b5e23c0d7b9f226e1 (4 x TriumphLoader)
ssdeep 6144:pSXjOJqxNyKv+tsdD9szjj/ULs8DUikF8c3GjhxzU16oINizb26e4HnoS:pSXjOJ22sdyv/ULAiONojjszK6
Threatray 42 similar samples on MalwareBazaar
TLSH C984F111F6A0D033C04788704930D6A859B9FCB1696956CFB7D83FAA5FB03D2223AB57
Reporter SecuriteInfoCom
Tags:TriumphLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
92
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/118703/
Detection(s):
SecuriteInfo.com.W32.AIDetectGBM.malware.02.5824.14890.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Launching the default Windows debugger (dwwin.exe)
Running batch commands
Creating a process with a hidden window
Launching a process
DNS request
Moving of the original file
Sending an HTTP POST request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Triumph Loader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/615689
Signature
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found C&C like URL pattern
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Triumph Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 356853 Sample: SecuriteInfo.com.W32.AIDete... Startdate: 23/02/2021 Architecture: WINDOWS Score: 100 28 orvalansterych.xyz 2->28 30 ldencajasigrap.xyz 2->30 38 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->38 40 Multi AV Scanner detection for domain / URL 2->40 42 Antivirus detection for URL or domain 2->42 44 4 other signatures 2->44 8 SecuriteInfo.com.W32.AIDetectGBM.malware.02.5824.exe 17 2->8         started        signatures3 process4 dnsIp5 32 ldencajasigrap.xyz 35.228.210.99, 49729, 49730, 49732 GOOGLEUS United States 8->32 34 orvalansterych.xyz 8->34 36 192.168.2.1 unknown unknown 8->36 46 Detected unpacking (changes PE section rights) 8->46 48 Detected unpacking (overwrites its own PE header) 8->48 12 cmd.exe 8->12         started        14 cmd.exe 8->14         started        16 WerFault.exe 9 8->16         started        18 7 other processes 8->18 signatures6 process7 process8 20 conhost.exe 12->20         started        22 reg.exe 12->22         started        24 conhost.exe 14->24         started        26 timeout.exe 14->26         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c419360ddd30c3126efcab65227301530d96427ac670dc515b77bb2bd6e7115b/
Threat name:
Win32.Trojan.Glupteba
Create hunting rule
Status:
Malicious
First seen:
2021-02-23 13:34:55 UTC
AV detection:
18 of 29 (62.07%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yqmtmdo5gdbre3x4vnsse4ybkmgzmqt2yzynyuk3o65sxvxhcfnq._file
Verdict:
unknown
Similar samples:
0497cc25a7285cb6480e39eb07f109d734ab11d873f828b855e8894573ad3907
TriumphLoader
277b945d21b789b34998669cc5de2b63b356f704d2b2cad50a4f57bce7981aa6
TriumphLoader
2fcc9fab2d0a0768dc125ebe1a8c881468cfed99f7bcab74035b00b1936f6b08
TriumphLoader
68c9874dab6a9afe9e94bb238f4360743176fdf6661c98a6636a5fb5baa13f0f
TriumphLoader
73b4942f4b7b201ddc6bc501a405f5709770c6721dc3a9dee46d8b54c3f70473
TriumphLoader
780d0f885bef310ee66a0b1e8debe2c00fb5bab0a8827a7dcc57cd74bd6328f9
TriumphLoader
7d79133217e9c4784ed686ed00d05ede0736164a005e1d2a960db5ff72e87d3e
TriumphLoader
824c526e26c00e1f55093d18b88e8740198b5f662ca346674a0f1807b836bf4e
TriumphLoader
a2c81ec4816dbf6c7bf224d0a3af9f52f2c879dc2e672a85b75f22cbb8d9d71e
TriumphLoader
b09b4beebe993e6e4dddeb07ff1a84aa833c34daa24f8c8416f322526c47683f
TriumphLoader
+ 32 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/210223-gnylhb554e/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SH256 hash:
b1b46deec765f140970f8902a513c532e53b92c56c53da9c98abd811f4e1e59d
MD5 hash:
2dc3e5ca0264d7eab08d11c2698757d1
SHA1 hash:
61c02c4f2932ea0f4b2579fa238bd31d48d60482
Link:
https://www.unpac.me/results/a9fb57e4-b78e-4186-8637-0dda5e4b350e/
SH256 hash:
c419360ddd30c3126efcab65227301530d96427ac670dc515b77bb2bd6e7115b
MD5 hash:
3fce044289f0c4a62d759e885649ee6f
SHA1 hash:
bb936123ebb4607e575312b6420d0248a3bd8b22
Link:
https://www.unpac.me/results/a9fb57e4-b78e-4186-8637-0dda5e4b350e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c419360ddd30c3126efcab65227301530d96427ac670dc515b77bb2bd6e7115b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TriumphLoader

Executable exe c419360ddd30c3126efcab65227301530d96427ac670dc515b77bb2bd6e7115b

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1025449/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/118703/

Comments