MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c7a4610450b391e045dafc9aead744dfeaad2cf215caf58a0304edb190310efc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BandarChor

Vendor detections: 13

Intelligence 13 IOCs YARA 1 File information Comments

SHA256 hash:	c7a4610450b391e045dafc9aead744dfeaad2cf215caf58a0304edb190310efc
SHA3-384 hash:	7ce8940d10eb9e80f32c311144d2233255428aac0bb2a52450fa9dd32a0654feb5cac6a955cdcd8eb454683407ab3f0c
SHA1 hash:	52e410872dd2055cefe42d2d7cf3453017e99740
MD5 hash:	6d87a5d150ba8a76c6ca75272fcefdd9
humanhash:	mountain-hotel-echo-arizona
File name:	6D87A5D150BA8A76C6CA75272FCEFDD9
Download:	download sample
Signature	BandarChor Create hunting rule
File size:	403'221 bytes
First seen:	2022-11-30 15:14:42 UTC
Last seen:	2022-11-30 16:03:07 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	34f45cc5ffd6d0836c503e99b229ebb2 (2 x BandarChor)
ssdeep	6144:rdYlZngbYYH/6NvREnLDBjOaSIIrU8eTFSKDYqjvlKd2cD8feJhOskQlk:xbV8pVBe5UeNM2cQfMhdHW
Threatray	6 similar samples on MalwareBazaar
TLSH	T1DE84F1549818E5CDF46EAC7DFB82765D5A33F5352EA202E329D62DFCCDB219A0033819
TrID	27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 20.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 18.6% (.EXE) Win32 Executable (generic) (4505/5/1) 8.5% (.ICL) Windows Icons Library (generic) (2059/9) 8.3% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon	d03cfcdaccf418c1 (2 x BandarChor)
Reporter	rabbit84061341
Tags:	BandarChor exe

Intelligence

File Origin

# of uploads :

# of downloads :

122

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

6D87A5D150BA8A76C6CA75272FCEFDD9

Verdict:

Malicious activity

Analysis date:

2022-12-01 00:13:31 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/8815bfbc-316f-410b-acdd-475543d9186d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/340238/

Detection(s):

Win.Trojan.Agent-1356850

Result

Verdict:

Malware

Maliciousness:

Behaviour

Unauthorized injection to a recently created process

Сreating synchronization primitives

Creating a window

DNS request

Enabling autorun by creating a file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/6387737fc2c8d19cd07c6d17/reports/9952bd03-b703-4eb6-9c2d-3875245649c4/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Bandarchor

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ccbf8785-3452-4c67-99ee-d0aa4b648c2d

Result

Threat name:

Unknown

Detection:

malicious

Classification:

rans.adwa.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1125270

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Contains functionality to inject code into remote processes

Detected suspicious e-Mail address in disassembly

Detected unpacking (changes PE section rights)

Drops PE files to the startup folder

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c7a4610450b391e045dafc9aead744dfeaad2cf215caf58a0304edb190310efc/

Threat name:

Win32.Ransomware.Isda

Status:

Malicious

First seen:

2015-11-15 00:59:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

25 of 25 (100.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=y6sgcbcqwoi6aro27snovv2e37vk2lhscxfplcqdatw3debrb36a._file

Verdict:

malicious

BandarChor

98a511650351d4f72470d9c83a4ea479f9ba58a7ae181d8dff5ac29a1bda4977

BandarChor

9f11a8c899cebf82b33fb6e0b457081a4d9cbc8da214579ca3d71dced16c0471

BandarChor

c6aa7fc9c195d950bc5290cd4827019ee03a98938b6dee9f4e6101747fa69e72

BandarChor

ddd3ee4728aa61fbbb285449383ddb12e62bb0da661d281f3d5deed805dfa497

BandarChor

df06c19f1ab56d40f6c4b70c37be024abaa997eb0d55223a14a946eb47cddc4c

BandarChor

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/221130-smzptabd49/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Drops startup file

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/6ac0ce80-cf11-4af0-a17c-537e08d8f686

Unpacked files

SH256 hash:

902a9bf7a2d51a569e2e945fc736c1e4b9f504dc646ed9a3cf9d9c8768eef7df

MD5 hash:

382305eb9e05b8ef0d9d3c4e95ddb54c

SHA1 hash:

4d96b7219131c51a969d5e0b45238d1cc5443c9e

Link:

https://www.unpac.me/results/4712093a-8645-4d83-b913-95678f9db159/

SH256 hash:

e5c2427a1bf7322e5a18a02611329797ee8fa3f2e730e8efcf6d7e7574499420

MD5 hash:

16ad057044ae53bf38782303df50cc16

SHA1 hash:

01b55b279af902e33a4bc15e38724d3ea9c116a2

Link:

https://www.unpac.me/results/4712093a-8645-4d83-b913-95678f9db159/

SH256 hash:

c7a4610450b391e045dafc9aead744dfeaad2cf215caf58a0304edb190310efc

MD5 hash:

6d87a5d150ba8a76c6ca75272fcefdd9

SHA1 hash:

52e410872dd2055cefe42d2d7cf3453017e99740

Detections:

win_coldseal_auto

Link:

https://www.unpac.me/results/4712093a-8645-4d83-b913-95678f9db159/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.82

Link:

https://yomi.yoroi.company/submissions/c7a4610450b391e045dafc9aead744dfeaad2cf215caf58a0304edb190310efc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	win_coldseal_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.coldseal.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/340238/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample