MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cdafcc7bc094d89f02d5ea8529abedd613b96874b5226004c975af80525adff4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Wapomi


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cdafcc7bc094d89f02d5ea8529abedd613b96874b5226004c975af80525adff4
SHA3-384 hash: 961f3dc4051ab119994d91ec2a51a5fadb1b148d79952c2d56670b14fbe7e3d3b6c33e1adce7358268bf76d955286da8
SHA1 hash: 0b86c07005c45eeb4f72d129e63276cf82b0f38a
MD5 hash: abb974fa91c3129677732235dbcefc2f
humanhash: single-alabama-finch-pizza
File name:cdafcc7bc094d89f02d5ea8529abedd613b96874b5226004c975af80525adff4
Download: download sample
Signature Wapomi
Create hunting rule
File size:176'128 bytes
First seen:2022-10-11 13:57:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5002bceb823d3d7321ac4b2e8ee9f66d (2 x Wapomi)
ssdeep 3072:sNf3wRqQxKvxnsRcaCvzdSH0RVNTUyV5EZUA9dHS2AVzH:8PeyxTvR60RV2tZdSNVz
Threatray 14'782 similar samples on MalwareBazaar
TLSH T12504CF117ED4D034E7A30A314C72A735B2BABC7C2731997B5BC4760EEA72589B934326
TrID 34.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
29.7% (.EXE) UPX compressed Win32 Executable (27066/9/6)
11.5% (.EXE) Win64 Executable (generic) (10523/12/4)
7.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
5.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
dhash icon 8007c6888c8990b2 (2 x DanaBot, 2 x RemcosRAT, 2 x Wapomi)
Reporter petikvx
Tags:Wapomi

Intelligence

File Origin
# of uploads :
1
# of downloads :
229
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/318975/
Detection(s):
Win.Virus.Wapomi-138
Create hunting rule

PUA.Win.Packer.Asprotect-3
Create hunting rule

SecuriteInfo.com.Worm.AutoRun.LY.dropper.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Creating a process from a recently created file
Сreating synchronization primitives
Creating a file in the Windows subdirectories
Searching for the window
Creating a service
Creating a window
Launching a service
Sending a custom TCP request
Enabling autorun for a service
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
autorun packed ramnit shell32.dll update.exe virus virut
Link:
https://www.filescan.io/uploads/6345766bf7728fc83824e45d/reports/283ee83c-3a96-4647-8c13-31799f6e392d/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/65fc6abb-c2d0-4f09-8266-7af1ce438bc4
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1088048
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionalty to change the wallpaper
Creates a Windows Service pointing to an executable in C:\Windows
Detected unpacking (changes PE section rights)
DLL side loading technique detected
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cdafcc7bc094d89f02d5ea8529abedd613b96874b5226004c975af80525adff4/
Threat name:
Win32.Virus.Jadtre
Create hunting rule
Status:
Malicious
First seen:
2017-10-16 01:28:17 UTC
File Type:
PE (Exe)
Extracted files:
36
AV detection:
26 of 26 (100.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zwx4y66astmj6awv5kcstk7n2yj3s2duwurgabgjowxyaus2372a._file
Verdict:
malicious
Similar samples:
00c0934af824603bef01ce8a5d9fcbd0e97432c877d40cade42fdffdfb5175e0
Wapomi
1dcab4cdffdf269ea33719990ac81c515345b50fe1c60a3fe7e47d1a59fb7cc0
Wapomi
96cf18e2a423b74f89f810553f9b4ba3859bd2f71172facfc8911c6cf6221881
Wapomi
a651672f98fba458ca8b6861557119c81d12afcb705c457d65dd2b44dcc499fe
Wapomi
daf4c0820c45f6be84cf248504e10bfee063ea6fc8de3b397adaa6682e4bb610
Wapomi
e3387d3f62414fb262da20e54d5775a647443b88cd8a0e738cdc488b95477d4e
Wapomi
ec306f0a108c77a02ab48c5c85296c4b3b7d4b690245f9dd8a67df774b641cf8
Wapomi
ef0c34580084f9855c1e5c3fa9d902688d400baabc7366c8da9ba3d4b708da49
Wapomi
+ 14'772 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
aspackv2 persistence upx
Link:
https://tria.ge/reports/221011-q9te7shaal/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Loads dropped DLL
ASPack v2.12-2.42
Executes dropped EXE
Sets DLL path for service in the registry
UPX packed file
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/1dfff1f9-63ea-4447-8227-716d67f83359
Unpacked files
SH256 hash:
cdafcc7bc094d89f02d5ea8529abedd613b96874b5226004c975af80525adff4
MD5 hash:
abb974fa91c3129677732235dbcefc2f
SHA1 hash:
0b86c07005c45eeb4f72d129e63276cf82b0f38a
Detections:
WapomiFileInfector2014
Create hunting rule
Link:
https://www.unpac.me/results/00f0f72d-871f-4bb4-a6c3-873b474c6dde/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cdafcc7bc094d89f02d5ea8529abedd613b96874b5226004c975af80525adff4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/318975/

Comments