MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c829aa312e2ea1c043566e26517b2bf90e9c12ed68e9d7d24577ebc13f2cf3b1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat: unknown


Vendor detections: 6



SHA256 hash: c829aa312e2ea1c043566e26517b2bf90e9c12ed68e9d7d24577ebc13f2cf3b1
SHA3-384 hash: d7e8283cfb6b5d1cd76062b23d5e1b323bb412c5dd12aab7cd3fefc1da317c6ab940b45a71fff70ebda8e4039dde8801
SHA1 hash: ec2aafc84ae8aed9ee054de23ce4b94d8c99715d
MD5 hash: 473e2b68ef2d75263e04dc41649a45ce
humanhash: bulldog-orange-utah-floor
File name: product samples pdf.exe
File size: 6'403'811 bytes
First seen: 2020-07-21 16:32:00 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: dac775e30ac330b097f7d80b3fb4a6d0 (1 x AveMariaRAT, 1 x NanoCore)
ssdeep: 196608:X7N+EDkFTmeNf7tOdqGUJK+X8BPAWBWhDX:rN+EIz7k9UJgqWkN
Threatray: 17 similar samples on MalwareBazaar
TLSH: A15623035E0BF68AF40E6B7B961A82D3A0CC5CFE9445241374657F6FB0B0687266B53B
Reporter: abuse_ch
Tags: exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 70
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Creating a file in the %AppData% subdirectories
Unauthorized injection into a recently created process
Creating a file
Creating a process from a recently created file
Creating a process with a hidden window
Moving a recently created file
Sending a custom TCP request
Deleting a recently created file
Delayed writing of the file
Setting a global event handler
Replacing files
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a global event handler for the keyboard
Result
Threat name: Unknown
Detection: malicious
Classification: troj.expl.evad
Score: 92 / 100
Behaviour
Behavior graph (ID 249093; the graph image is not reproduced here, its contents are listed below):
Sample: product samples pdf.exe
Start date: 22/07/2020
Architecture: WINDOWS
Score: 92
Signatures on the submitted sample:
  Multi AV Scanner detection for submitted file
  May check the online IP address of the machine
  Machine Learning detection for sample
  May use the Tor software to hide its network traffic
Process tree:
  product samples pdf.exe
    Dropped: C:\Users\user\AppData\...\java.exe.exe (PE32)
    Signature: Creates autostart registry keys to launch java
    Child: product samples pdf.exe
      Network: myexternalip.com (216.239.32.21:443, GOOGLEUS, United States; source ports 49739, 49740)
      Dropped: C:\Users\user\AppData\Local\...\Jeva.exe (PE32)
      Dropped: C:\Users\user\AppData\Local\...\zlib1.dll (PE32)
      Dropped: C:\Users\user\AppData\...\libwinpthread-1.dll (PE32)
      Dropped: 5 other files (none is malicious)
      Signature: Sleep loop found (likely to delay execution)
      Signature: Hides threads from debuggers
      Child: Jeva.exe
        Network: 64.79.152.132:443 (SWITCH-LTDUS, United States; source port 49724)
        Network: 81.17.17.131:443 (PLI-ASCH, Switzerland; source port 49727)
        Network: 5 other IPs or domains
        Signature: Multi AV Scanner detection for dropped file
      Child: Jeva.exe
        Network: 81.17.30.48:443 (PLI-ASCH, Switzerland; source port 49736)
        Network: 148.251.237.219:443 (HETZNER-ASDE, Germany; source port 49734)
        Network: 95.216.33.58:443 (HETZNER-ASDE, Germany; source port 49735)
  java.exe.exe
    Signature: Multi AV Scanner detection for dropped file
    Signature: Machine Learning detection for dropped file
    Signature: Injects a PE file into a foreign process
    Child: java.exe.exe
      Signature: Exploit detected, runtime environment starts unknown processes
      Child: Jeva.exe
  java.exe.exe (second instance)
    Child: java.exe.exe
      Child: Jeva.exe
Threat name: Win32.Trojan.Wacatac
Status: Malicious
First seen: 2020-07-21 16:33:06 UTC
AV detection: 24 of 29 (82.76%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: upx persistence
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Looks up external IP address via web service
Loads dropped DLL
UPX packed file
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for VirusTotal.
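The indicators above (the sample hashes, the dropped file names java.exe.exe and Jeva.exe, the Run key persistence and the network destinations) are only useful once they are turned into something that runs against telemetry. The script below is an added example written for this page, not MalwareBazaar or sandbox-vendor code: it collects the entry's indicators into a small rule set and evaluates them against constructed Sysmon-style events. The field names follow Sysmon Event ID 1 (process create), 3 (network connection) and 13 (registry value set); the event records, the rule names and the benign control event are made up for the example.

```python
"""Added example, not MalwareBazaar or vendor code.

Turns the indicators listed in this entry (hashes, dropped-file names, the Run
key, network destinations) into a small detection set and evaluates it against
constructed Sysmon-style events.  Field names follow Sysmon Event ID 1, 3 and
13; the event records below are made up for this example.
"""
import ntpath
import re

# Hashes taken verbatim from the entry above.
KNOWN_HASHES = {
    "c829aa312e2ea1c043566e26517b2bf90e9c12ed68e9d7d24577ebc13f2cf3b1",  # SHA256
    "ec2aafc84ae8aed9ee054de23ce4b94d8c99715d",                          # SHA1
    "473e2b68ef2d75263e04dc41649a45ce",                                  # MD5
}
# Dropped/executed file names from the behaviour graph (compared case-insensitively).
DROPPED_NAMES = {"java.exe.exe", "jeva.exe"}
# Network destinations from the behaviour graph: the external-IP check plus the TLS peers.
NET_DESTINATIONS = {
    "myexternalip.com", "216.239.32.21", "64.79.152.132", "81.17.17.131",
    "81.17.30.48", "148.251.237.219", "95.216.33.58",
}
# The persistence location the sandbox reported (HKCU/HKU hive prefix varies, so match the tail).
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\AppData\\(Local|Roaming)\\", re.IGNORECASE)


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def _hashes_in(field: str) -> set[str]:
    # Sysmon's Hashes field looks like "SHA256=...,MD5=...,SHA1=...".
    return {part.split("=", 1)[1].lower() for part in field.split(",") if "=" in part}


def evaluate(event: dict) -> list[str]:
    """Return the names of the indicator rules a single event matches (rule names are ours)."""
    hits = []
    eid = event.get("EventID")
    image = event.get("Image", "")

    if eid == 1 and _hashes_in(event.get("Hashes", "")) & KNOWN_HASHES:
        hits.append("known_sample_hash")
    if eid == 1 and _basename(image) in DROPPED_NAMES:
        hits.append("dropped_file_executed")

    if eid == 13 and RUN_KEY.search(event.get("TargetObject", "")):
        target = event.get("Details", "")
        # The sample registers a binary dropped under %AppData%.  A Run value pointing into a
        # user-writable directory is suspicious on its own; the known file name makes it a hit.
        if _basename(target) in DROPPED_NAMES:
            hits.append("run_key_known_dropped_file")
        elif USER_WRITABLE.search(target):
            hits.append("run_key_user_writable_path")

    if eid == 3:
        dest = {event.get("DestinationIp", ""), event.get("DestinationHostname", "")}
        if dest & NET_DESTINATIONS:
            hits.append("known_network_destination")
    return hits


def scan(events: list[dict]) -> dict[str, list[str]]:
    """Map each triggered rule name to the process images that triggered it."""
    report: dict[str, list[str]] = {}
    for ev in events:
        for rule in evaluate(ev):
            report.setdefault(rule, []).append(ev.get("Image", "?"))
    return report


# Constructed events: three modelled on the entry's behaviour, one benign control.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\user\Downloads\product samples pdf.exe",
     "Hashes": "SHA256=C829AA312E2EA1C043566E26517B2BF90E9C12ED68E9D7D24577EBC13F2CF3B1,"
               "MD5=473E2B68EF2D75263E04DC41649A45CE"},
    {"EventID": 13, "Image": r"C:\Users\user\Downloads\product samples pdf.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\java",
     "Details": r"C:\Users\user\AppData\Roaming\java.exe.exe"},
    {"EventID": 3, "Image": r"C:\Users\user\AppData\Local\Temp\Jeva.exe",
     "DestinationIp": "81.17.17.131", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "203.0.113.10", "DestinationHostname": "example.org", "DestinationPort": 443},
]

if __name__ == "__main__":
    for rule, images in scan(SAMPLE_EVENTS).items():
        print(f"{rule}: {images}")
```

The hash and destination rules are exact-match and therefore brittle (a repacked sample or a rotated C2 address evades them); the Run-key rule is the one worth keeping generically, because a Run value that points into %AppData% is rare in legitimate software and is the persistence pattern both sandboxes reported for this sample.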

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: Datper
Author: JPCERT/CC Incident Response Group
Description: detect Datper in memory
Reference: https://blogs.jpcert.or.jp/en/2017/08/detecting-datper-malware-from-proxy-logs.html
Rule name: Rooter
Author: Seth Hardy
Description: Rooter
Rule name: RooterStrings
Author: Seth Hardy
Description: Rooter Identifying Strings
Rule name: suspicious_packer_section
Author: @j0sm1
Description: The packer/protector section names/keywords
Reference: http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
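The suspicious_packer_section match and the vendor's "UPX packed file" tag rest on the same check: the PE section table carries names that packers leave behind. The script below is an added example written for this page, not the YARA rule's own logic and not MalwareBazaar code. It parses a PE header far enough to read the section names and compares them against a short, illustrative subset of packer section names (the rule's real list is longer). The two PE images are built in memory from header fields only, so the script runs offline; they are not runnable programs.

```python
"""Added example, not part of the YARA rule or of MalwareBazaar.

Reads the section table of a PE image and flags section names associated with
packers/protectors, which is the check behind a rule like
suspicious_packer_section.  The name list is an illustrative subset and the two
PE images are constructed header-only test inputs.
"""
import struct

# Illustrative subset of packer/protector section names (not the rule's full list).
PACKER_SECTION_NAMES = {
    b"UPX0", b"UPX1", b"UPX2", b".aspack", b".adata", b".petite",
    b".themida", b".vmp0", b".vmp1", b".nsp0", b".MPRESS1",
}


def section_names(pe: bytes) -> list[bytes]:
    """Return the section names from a PE image's section table."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes total).
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size
    names = []
    for i in range(nsections):
        off = table + i * 40  # IMAGE_SECTION_HEADER is 40 bytes; the name is its first 8.
        if off + 40 > len(pe):
            raise ValueError("section table truncated")
        names.append(pe[off:off + 8].rstrip(b"\0"))
    return names


def packer_sections(pe: bytes) -> list[bytes]:
    """Section names in the image that appear in the packer list."""
    return [n for n in section_names(pe) if n in PACKER_SECTION_NAMES]


def build_pe(names: list[bytes], opt_size: int = 0xE0) -> bytes:
    """Constructed, header-only PE image with the given section names (test input, not a program)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, opt_size, 0x102)
    opt = b"\0" * opt_size
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in names)
    return dos + b"PE\0\0" + coff + opt + sections


# Constructed inputs: a UPX-style layout and an ordinary compiler layout.
UPX_LIKE = build_pe([b"UPX0", b"UPX1", b".rsrc"])
PLAIN = build_pe([b".text", b".rdata", b".data", b".rsrc"])

if __name__ == "__main__":
    for label, image in (("upx-like", UPX_LIKE), ("plain", PLAIN)):
        print(label, section_names(image), "->", packer_sections(image))
```

Section names are eight arbitrary bytes that a packer's author, or anyone with a hex editor, can rename, so a hit is a triage signal rather than a verdict and a miss proves nothing; the reference linked from the rule is a frequency study of section names that is worth reading before trusting any single name.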

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments