MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d19b02a35003c637360cc342d5fcdae87dc7336fc7925f07f5c0636eae22ba37. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 7



SHA256 hash: d19b02a35003c637360cc342d5fcdae87dc7336fc7925f07f5c0636eae22ba37
SHA3-384 hash: 04b291fc6d7136a34ac7d14873724874b65abdfc4803f681c1397f0b88a346d5c7dfa5bac1c0565bd22ec809f7f166b8
SHA1 hash: c9641fb957ba8f39512c9096a550ccf490d65303
MD5 hash: ad416d58aa5a4a822803554204a0085b
humanhash: floor-nuts-venus-echo
File name: ad416d58aa5a4a822803554204a0085b.dll
Download: download sample
File size: 1'220'608 bytes
First seen: 2020-12-25 07:58:46 UTC
Last seen: Never
File type: DLL dll
MIME type: application/x-dosexec
imphash: 259ba051ce0cc4e96b53c51d423b1613
ssdeep: 12288:T+rYoi8CYESeFv0K0TUvEymk6+tgIutTZV/qb9ylN28aE2GThX8xbd3u0:vofCrSA8KYGMtwgDNZEbCfCGTqx53u0
Threatray: 77 similar samples on MalwareBazaar
TLSH: EB45D002B79280F1D74D3B34956A373A9F398B420E34CAC7BFA4DE696D36141E636316
Reporter: abuse_ch
Tags: dll

Intelligence


File Origin
# of uploads: 1
# of downloads: 575
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the Windows directory
Creating a process from a recently created file
Creating a file in the Windows subdirectories
Creating a service
Launching a service
Sending a custom TCP request
Creating a file in the drivers directory
Loading a system driver
DNS request
Running batch commands
Creating a process with a hidden window
Sending a UDP request
Launching a process
Creating a file
Enabling autorun for a service
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Mimikatz
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Sigma detected: System File Execution Location Anomaly
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Mimikatz
Behaviour
Behavior Graph (ID 334071; sample egy7oSjGz0.dll; start date 25/12/2020; architecture WINDOWS; score 100)

Top-level signatures: Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for dropped file; 6 other signatures

Process tree (node numbers in brackets are the sandbox graph's own node IDs):
- loaddll32.exe [9]
  - lsass.exe [18]: drops C:\Windows\SysWOW64\Stlmn.exe (PE32); Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
    - cmd.exe [39]: contacts 127.0.0.1 (unknown); Uses ping.exe to sleep
      - conhost.exe [55]
      - PING.EXE [57]
  - rundll32.exe [22]: drops C:\Windows\lsass.exe (PE32); Drops PE files with benign system names
    - lsass.exe [43]
      - cmd.exe [59]: Uses ping.exe to sleep
        - conhost.exe [70]
        - PING.EXE [72]
    - lsass.exe [45]
      - cmd.exe [62]
        - conhost.exe [74]
        - PING.EXE [76]
  - rundll32.exe [24]: Drops executables to the windows directory (C:\Windows) and starts them
    - lsass.exe [47]
      - cmd.exe [64]
        - conhost.exe [78]
        - PING.EXE [80]
    - lsass.exe [49]
    - WerFault.exe [51]
  - lsass.exe [26]
    - cmd.exe [53]
      - conhost.exe [66]
      - PING.EXE [68]
- Stlmn.exe [11]: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
  - Stlmn.exe [28]: contacts 296659692.f3322.net (118.123.96.148, port 10087, CHINANET-SCIDC-AS-AP CHINANET SiChuan Telecom Internet Data, China) and 192.168.2.1 (unknown); drops C:\Windows\System32\drivers\QAssist.sys (PE32+); Sample is not signed and drops a device driver
- Stlmn.exe [14]: Drops executables to the windows directory (C:\Windows) and starts them
  - Stlmn.exe [31]
- 6 other processes [16]
  - Stlmn.exe [33]
  - Stlmn.exe [35]
  - Stlmn.exe [37]
Threat name: Win32.PUA.FlyStudio
Status: Malicious
First seen: 2020-12-21 02:29:03 UTC
AV detection: 25 of 29 (86.21%)
Threat level: 1/5
Result
Malware family: n/a
Score: 8/10
Tags: persistence upx
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Drops file in System32 directory
Enumerates connected drives
Loads dropped DLL
Drops file in Drivers directory
Executes dropped EXE
Sets service image path in registry
UPX packed file
Unpacked files
SHA256 hash: d19b02a35003c637360cc342d5fcdae87dc7336fc7925f07f5c0636eae22ba37
MD5 hash: ad416d58aa5a4a822803554204a0085b
SHA1 hash: c9641fb957ba8f39512c9096a550ccf490d65303
SHA256 hash: d42acdd0449b9fc69c9a667655625d42117548751ae9b8dbbc55512d1cdf5cb3
MD5 hash: 6f47a706c6592b611fefdaec1a6ae11f
SHA1 hash: 04d3f2b86d8ad8f71cec097ac7816c9228cc9686
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments