MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d1d245f4d408bf9dbaed6c59f68c995e427d95bd8316cc358377ec7ee43fb2f2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d1d245f4d408bf9dbaed6c59f68c995e427d95bd8316cc358377ec7ee43fb2f2
SHA3-384 hash: fed64726c0bc62350b2128edc4d3e516f28c96f50f55a577eb9939ddaebdb04afc86677dac3b62b40ad5143d564813ff
SHA1 hash: 81d07463cf8ecf13735eaac2796c82521581b85e
MD5 hash: 03f05e78d9887eafafbfa15dc1718a51
humanhash: four-three-lithium-yellow
File name:ds2.exe
Download: download sample
File size:102'400 bytes
First seen:2020-10-10 04:17:04 UTC
Last seen:2020-10-10 04:35:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 1536:XC7ZFrpKR5l9fnHYh52PcdYNjNRisuJixoFdvEBerMtc4XqbDxhK:XC7PEflBHmioXuMdsBoMtcKCrK
Threatray 9 similar samples on MalwareBazaar
TLSH C4A3C707CA9BA933FE4035BAF8185D58CF358418AA17FB7F0506DAED0E5E39A4C53129
Reporter TrappmanRhett

Intelligence

File Origin
# of uploads :
2
# of downloads :
114
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/69676/
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Launching a process
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/487375
Signature
Antivirus / Scanner detection for submitted sample
Disables Windows Defender (via service or powershell)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 296132 Sample: ds2.exe Startdate: 10/10/2020 Architecture: WINDOWS Score: 72 39 Antivirus / Scanner detection for submitted sample 2->39 41 Multi AV Scanner detection for submitted file 2->41 43 Machine Learning detection for sample 2->43 45 2 other signatures 2->45 8 ds2.exe 1 2->8         started        process3 file4 37 C:\Users\user\AppData\Local\...\ds2.exe.log, ASCII 8->37 dropped 47 Injects a PE file into a foreign processes 8->47 12 ds2.exe 1 1 8->12         started        signatures5 process6 signatures7 49 Disables Windows Defender (via service or powershell) 12->49 15 powershell.exe 23 12->15         started        17 powershell.exe 25 12->17         started        19 powershell.exe 24 12->19         started        21 11 other processes 12->21 process8 process9 23 conhost.exe 15->23         started        25 conhost.exe 17->25         started        27 conhost.exe 19->27         started        29 conhost.exe 21->29         started        31 conhost.exe 21->31         started        33 conhost.exe 21->33         started        35 8 other processes 21->35
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d1d245f4d408bf9dbaed6c59f68c995e427d95bd8316cc358377ec7ee43fb2f2/
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2020-10-09 21:55:03 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
06b7205ba6898b1f45883d5a313c1e3e39d8c226eec0ae289f42106af070e8db
1f0e1ce3138f2bea6283f0b28e127952c7d33118056bd7c3b745892aa36ba1e7
2e4775c5d181f37f4a0802a9982601352f0a7de1ffd74909024150572ed6522b
2e6b47bbdb9f281c1432dc63d92d67ca891adf87e20edfa456789c8724a4b7b1
975a65aa0395ac8ec58660540e947df075ab6dbd4a6ecf921fef7fd850f02caa
b4267cab9e3e8255b44e1947b4c6bb40901d9f0654c2d0ab40690851fcacf16c
be64654bb507094ad7ace4a1da27dfe42dd6451d9dadb24b8310aa50e8ff5f34
d8f37e199f10881b2045823553fd64f3f52ec616e24f2235a47dae7c435a3c72
ed184e1c76f982d9537a281ac7cc805179e72d9ca538e7ff202e7be38bfee6ae
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion trojan
Link:
https://tria.ge/reports/201010-dp4rf64tr2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Windows security modification
Contains code to disable Windows Defender
Modifies Windows Defender Real-time Protection settings
Unpacked files
SH256 hash:
d1d245f4d408bf9dbaed6c59f68c995e427d95bd8316cc358377ec7ee43fb2f2
MD5 hash:
03f05e78d9887eafafbfa15dc1718a51
SHA1 hash:
81d07463cf8ecf13735eaac2796c82521581b85e
Link:
https://www.unpac.me/results/59cf94b3-1206-4757-b340-33066a28a98b/
SH256 hash:
165b6353a27653c087637f372f70713e4e0af658e87f03ba0703d8b975525243
MD5 hash:
112730ad698bcb62cfb8c64c4862640a
SHA1 hash:
6b42b1f3f372785c40b4f80c35d6aa2e0d012429
Link:
https://www.unpac.me/results/59cf94b3-1206-4757-b340-33066a28a98b/
SH256 hash:
88e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03
MD5 hash:
f4b5c1ebf4966256f52c4c4ceae87fb1
SHA1 hash:
ca70ec96d1a65cb2a4cbf4db46042275dc75813b
Link:
https://www.unpac.me/results/59cf94b3-1206-4757-b340-33066a28a98b/
SH256 hash:
0ea1ef9964030894b06a7452b4dd18fb813d0f74d82d5af77373d0021c6f0b60
MD5 hash:
4e8a04851b1aa2b87f2b80159a64bf49
SHA1 hash:
d1157e16e723a7b5f595f5607338bef689daf3fe
Link:
https://www.unpac.me/results/59cf94b3-1206-4757-b340-33066a28a98b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d1d245f4d408bf9dbaed6c59f68c995e427d95bd8316cc358377ec7ee43fb2f2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/69676/

Comments