MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c97cc43057489ba902f5e6abe951eb9f3134365289acf230cedcd554bbee2531. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 6

Intelligence 6 IOCs YARA 4 File information Comments

SHA256 hash:	c97cc43057489ba902f5e6abe951eb9f3134365289acf230cedcd554bbee2531
SHA3-384 hash:	9a4ab5a3bb422e056f03e350a01be6ca5a84f70cec8ff1f9b65a68e4a14efcaa83ee6d5953ca04046284c39f97491c07
SHA1 hash:	0460d1e3ea5db7c55011ea569008d50a3ffc58dc
MD5 hash:	04b80c9b940c2d17aaee6c81bab7448b
humanhash:	juliet-lamp-massachusetts-spring
File name:	04b80c9b_by_Libranalysis
Download:	download sample
File size:	31'232 bytes
First seen:	2021-05-05 10:05:57 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	bada59b09f06f9c01c84b065a341cf6b (7 x Worm.Ramnit)
ssdeep	384:tPpOMLnVCiL5WTdCSIww/2AycSNXZQaD7U8iu4YsAa7ZA0UvH2lsRv21yW7GbAxl:tku5AmOTjQGPL4vzZq2o9W7GsxBbPr
Threatray	1'920 similar samples on MalwareBazaar
TLSH	ADE28F8AB603A8F7D95732B000DE96B7DF7FA9218D71883ED670E9706F57890BC24215
Reporter	Libranalysis

Libranalysis

Uploaded as part of the sample sharing project

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/150327/

Detection(s):

PUA.Win.Packer.Asprotect-3

Win.Virus.Triusor-6887833-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a process from a recently created file

Changing an executable file

Creating a window

DNS request

Modifying an executable file

Sending a UDP request

Infecting executable files

Sending an HTTP GET request to an infection source

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d5b1b033-fc9a-4de2-9fe9-70a97d5629c1

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c97cc43057489ba902f5e6abe951eb9f3134365289acf230cedcd554bbee2531/

Threat name:

Win32.Virus.Wapomi

Status:

Malicious

First seen:

2020-05-06 19:44:00 UTC

AV detection:

29 of 31 (93.55%)

Threat level:

5/5

Verdict:

unknown

64ae52e978fe48c65e909c47332af1c73048dae656fe4d51189acba140b992b2

6849844f8db49f95dea55403c488f27bca49676b8a91bae8f4a43add845b98d1

9dd2eb7c197323caa4b78641ce05ad9c3e28622164f813caa992c28a88ad8598

b189f37d7aab9eaf7eed1a036083af41b28756971e29de1603951039c628649f

ba7dd90bf8bd6a1dc665c8860c09489ea5531d739e55be0321bd85478b03c95f

cc3cc6a1905bcacf25dd804f51b1856cea7f69f751d8981a1fe34d1b77a8a494

e0e378ec26b4930f9705d8fb24e6d1d09a24f94b5b90b4b9a2c1541116e53f77

ed84620f1fb9e2966299bdcd66403a6ff9a3ed063cc83fc084d1d7942db66be7

fd7b0ab8f0c2dab25a9652914d02846e32da3298ab43d9bbfa50aec311bccb02

+ 1'910 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

aspackv2

Link:

https://tria.ge/reports/210505-3tx78a71ej/

Behaviour

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in Program Files directory

Loads dropped DLL

ASPack v2.12-2.42

Executes dropped EXE

Unpacked files

SH256 hash:

aaa0a66a106c21818521340c340b4573852a3c07a6c5a3f36acecc2e15225e7e

MD5 hash:

dd5323e9001e9190a19fec18306a4ba5

SHA1 hash:

46527a56baa2f68975dcc248e51b59ca4959b23c

Detections:

win_unidentified_045_g0

win_unidentified_045_auto

Link:

https://www.unpac.me/results/d4918f8f-e864-40af-8937-6b05bd008756/

SH256 hash:

c97cc43057489ba902f5e6abe951eb9f3134365289acf230cedcd554bbee2531

MD5 hash:

04b80c9b940c2d17aaee6c81bab7448b

SHA1 hash:

0460d1e3ea5db7c55011ea569008d50a3ffc58dc

Link:

https://www.unpac.me/results/d4918f8f-e864-40af-8937-6b05bd008756/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_ASPack Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with ASPack

Rule name:	ProcessInjector_Gen Create hunting rule
Author:	Florian Roth
Description:	Detects a process injection utility that can be used ofr good and bad purposes
Reference:	https://github.com/cuckoosandbox/monitor/blob/master/bin/inject.c

Rule name:	suspicious_packer_section Create hunting rule
Author:	@j0sm1
Description:	The packer/protector section names/keywords
Reference:	http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

Rule name:	win_unidentified_045_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/150327/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample