MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d2c0dcfcf2d60c5aad8a239bbd8b064b4953e536187230aa1d9b5fffbdeb5c39. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 10

Intelligence 10 IOCs YARA 6 File information Comments

SHA256 hash:	d2c0dcfcf2d60c5aad8a239bbd8b064b4953e536187230aa1d9b5fffbdeb5c39
SHA3-384 hash:	664b30cd0ea0ec9cabb06c080ec7f017211cbb9456a06cdf2554832ce3e86a5aa2d0c3241c6076f8104b76937549e1e5
SHA1 hash:	549016d172c8bb59a8142abe51988bb6efdf03ea
MD5 hash:	1760a76983e07bd7d5531504fac7703c
humanhash:	equal-two-echo-beryllium
File name:	4.exe
Download:	download sample
File size:	1'521'152 bytes
First seen:	2022-11-30 20:20:30 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	296df6d34c5cd51c253772b859775151 (1 x AsyncRAT, 1 x RecordBreaker)
ssdeep	24576:lu9wjKbTr8m657w6ZBLmkitKqBCjC0PDgM5AZFkNBGVpDrwWmAACOlpWew0f:lu9s23VV1BCjBy84VpUf
Threatray	17'313 similar samples on MalwareBazaar
TLSH	T122659D1563E84A37E2BF173CA8305A1887F7F516627AE78F6984D4F90E573618E003A7
TrID	37.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 21.2% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9) 15.9% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 6.7% (.SCR) Windows screen saver (13097/50/3) 5.1% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
Reporter	Anonymous
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

167

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

4.exe

Verdict:

Malicious activity

Analysis date:

2022-11-30 17:20:11 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/f0e4dc8a-f62a-4f8a-881d-256bc1f7a17a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/340755/

Detection(s):

SecuriteInfo.com.Trojan.Heur.GM.4404010800.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a file in the %temp% directory

Creating a window

Sending a custom TCP request

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug dllhost.exe hh.exe packed packed razy regsvr32.exe replace.exe

Link:

https://www.filescan.io/uploads/6387bb2f8a1bf55a249cc0a7/reports/0ae1ce69-00c1-4771-ae19-b029a777aebd/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/33860486-b8e3-42f8-aa3e-f2fbdaf3a281

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/1124425

Signature

.NET source code contains very large strings

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

PE file has nameless sections

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d2c0dcfcf2d60c5aad8a239bbd8b064b4953e536187230aa1d9b5fffbdeb5c39/

Threat name:

Win32.Trojan.Razy

Status:

Malicious

First seen:

2022-11-30 16:35:56 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 40 (50.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=2lanz7hs2ygfvlmkeon33cygjnevhzjwdbzdbkq5tnp77ppllq4q._file

Verdict:

malicious

7e4371101f788c3f31179a2d0ee6fdb933367f21cc9dc28a65928373d2253d2f

9a9b6177e715c7461d686b2773507d48c7ee7ce96e26aef62b25e0249e392fef

a484a486e4ccce5d89bed7fd21d3aef4802a85b3147a0445ccca16b3df95267a

a7b9f85870179430e1d8776a0fe5b2bfde0dfee26a168c5ace0287a7a461835c

b14b1aee43f78548e382e6a5b5b59208f65f7c3a8e7aa1e3bdf7d8bea5217146

b495d68b0733d071e67e0c30665382decd71885af9bad1c6510ef168e5732cd3

e21d4e0b2f711e72b6251d1a0a5f1a703baffb7c7ddd1d1b087bc9068f17aaa8

+ 17'303 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/221130-y41w4aca64/

Behaviour

Loads dropped DLL

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/ce1ea53d-1cef-4669-81dc-46e78522a14b

Unpacked files

SH256 hash:

35c9c92087b5908c5653fb9c8ab0c551e5874bdff41a2cf71a4cabdee19e34a2

MD5 hash:

503f99efe02897691b5d0d75a78bbaa9

SHA1 hash:

f2b605f847abab158cc50641a8737a91225dd437

Link:

https://www.unpac.me/results/28992336-e803-463b-9261-0f5da14b799b/

SH256 hash:

64a02c079697f9687e852a7baf781734c803aff78c7979bcaf5016663bb1806f

MD5 hash:

6be863a3694621ec72400d98b1fbec7f

SHA1 hash:

fd1b258219e7549f3c8d78d04ac0836ef804f7a6

Link:

https://www.unpac.me/results/28992336-e803-463b-9261-0f5da14b799b/

SH256 hash:

aac68abb910261c7c060a21c9bb9727ec299a1d61c5854b94792fc79da70e0e6

MD5 hash:

f7ed20811c67ac00baf78f1dad486c0c

SHA1 hash:

63ff140a34164cdd0ec2379cd094381f6a01b3e1

Link:

https://www.unpac.me/results/28992336-e803-463b-9261-0f5da14b799b/

SH256 hash:

d2c0dcfcf2d60c5aad8a239bbd8b064b4953e536187230aa1d9b5fffbdeb5c39

MD5 hash:

1760a76983e07bd7d5531504fac7703c

SHA1 hash:

549016d172c8bb59a8142abe51988bb6efdf03ea

Link:

https://www.unpac.me/results/28992336-e803-463b-9261-0f5da14b799b/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d2c0dcfcf2d60c5aad8a239bbd8b064b4953e536187230aa1d9b5fffbdeb5c39

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	extracted_at_0x44b Create hunting rule
Author:	cb
Description:	sample - file extracted_at_0x44b.exe
Reference:	Internal Research

Rule name:	INDICATOR_EXE_Packed_Enigma Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with Enigma

Rule name:	INDICATOR_EXE_Packed_Loader Create hunting rule
Author:	ditekSHen
Description:	Detects packed executables observed in Molerats

Rule name:	MAL_Unknown_PWDumper_Apr18_3 Create hunting rule
Author:	Florian Roth
Description:	Detects sample from unknown sample set - IL origin
Reference:	Internal Research

Rule name:	MAL_Unknown_PWDumper_Apr18_3_RID312A Create hunting rule
Author:	Florian Roth
Description:	Detects sample from unknown sample set - IL origin
Reference:	Internal Research

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/340755/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample