MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ca3d79dbd07fe563bdab59e559fafede0199aff5e25c138c560277e8a4521a87. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 9

Intelligence 9 IOCs YARA 4 File information Comments

SHA256 hash:	ca3d79dbd07fe563bdab59e559fafede0199aff5e25c138c560277e8a4521a87
SHA3-384 hash:	e2bfd940b73a640bb6c36f32bfbd72edff011851bf4d1033b737deff6d5459cea1c63f849b326db50e6f4f3bdecaf6fd
SHA1 hash:	8c86374aa8a4604be47dbe2b9cd84885f04a1cb4
MD5 hash:	12b71771467bb1d2d2f5f1a793836f7a
humanhash:	london-cold-twenty-nuts
File name:	12b71771467bb1d2d2f5f1a793836f7a.dll
Download:	download sample
File size:	92'160 bytes
First seen:	2022-09-25 06:59:48 UTC
Last seen:	Never
File type:	dll
MIME type:	application/x-dosexec
imphash	29903019a47f616c5fc87caf6208d0d4
ssdeep	1536:jM3AWafa1LDlnDDHFm0P5feNHNM27A9ErWn889rnPnnbmfsWByjTgU:j3fa1NDDHcseNHNESwnPnYByj8U
Threatray	2 similar samples on MalwareBazaar
TLSH	T12E9349157984F832D5BE1A3D1828CA718F7EB910DFA09CEB6F5102690FB11D1CE3996A
TrID	42.7% (.EXE) Win32 Executable (generic) (4505/5/1) 19.2% (.EXE) OS/2 Executable (generic) (2029/13) 19.0% (.EXE) Generic Win/DOS Executable (2002/3) 18.9% (.EXE) DOS Executable Generic (2000/1)
Reporter	abuse_ch
Tags:	dll

Intelligence

File Origin

# of uploads :

# of downloads :

190

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/313101/

Detection(s):

SecuriteInfo.com.Trojan.Inject4.43414.2605.22746.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Creating a process with a hidden window

Sending a custom TCP request

Сreating synchronization primitives

Moving of the original file

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a system process

Enabling autorun by creating a file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware

Link:

https://www.filescan.io/uploads/632ffc816963f27ddc3117b2/reports/551e757d-7cac-43ff-99c2-c434f790b3f5/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/2d48e565-66aa-43e1-84ee-c546d9750237

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/1076767

Signature

Allocates memory in foreign processes

Contains functionality to inject code into remote processes

Contains functionality to inject threads in other processes

Creates a thread in another existing process (thread injection)

Creates autostart registry keys with suspicious names

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Writes to foreign memory regions

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ca3d79dbd07fe563bdab59e559fafede0199aff5e25c138c560277e8a4521a87/

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2022-09-19 04:28:12 UTC

File Type:

PE (Dll)

AV detection:

21 of 26 (80.77%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=zi6xtw6qp7swhpnllhsvt6x63yaztl7v4jobhdcwaj36rjcsdkdq._file

Verdict:

malicious

45136071c0cb88b6cbf83675992b439590a0f3425c6f3a8ee548c5228d0d9e6f

Result

Malware family:

n/a

Score:

6/10

Tags:

persistence

Link:

https://tria.ge/reports/220925-hsnjmadff7/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

Adds Run key to start application

Unpacked files

SH256 hash:

ca3d79dbd07fe563bdab59e559fafede0199aff5e25c138c560277e8a4521a87

MD5 hash:

12b71771467bb1d2d2f5f1a793836f7a

SHA1 hash:

8c86374aa8a4604be47dbe2b9cd84885f04a1cb4

Link:

https://www.unpac.me/results/a39c8c93-2fa8-41e5-a20b-ecad59c08ff1/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ca3d79dbd07fe563bdab59e559fafede0199aff5e25c138c560277e8a4521a87

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	CAS_Malware_Hunting Create hunting rule
Author:	Michael Reinprecht
Description:	DEMO CAS YARA Rules for sample2.exe

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	RansomwareTest3 Create hunting rule
Author:	Daoyuan Wu
Description:	Test Ransomware YARA rules

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DLL dll ca3d79dbd07fe563bdab59e559fafede0199aff5e25c138c560277e8a4521a87

(this sample)

Cape

https://www.capesandbox.com/analysis/313101/

URLhaus

https://urlhaus.abuse.ch/url/2313294/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample