MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d2ecf791e2da89d5f37020d21644d7a6894f24f2f7972841945cd555cd89f974. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d2ecf791e2da89d5f37020d21644d7a6894f24f2f7972841945cd555cd89f974
SHA3-384 hash: b01b334967b5a45ede4b0b45535ab21d2ee67988056a1c8cead01902fbd0f212255ddf98ef00b1c1011a10d5b5171801
SHA1 hash: 246dd078f0b8159214732c2ad1783e51c3f38c73
MD5 hash: 756569e9a29b1b351d2f1ae0fd09669d
humanhash: eighteen-gee-bluebird-maine
File name:SecuriteInfo.com.Trojan.MulDrop16.36169.23522.27812
Download: download sample
File size:157'184 bytes
First seen:2021-04-12 10:57:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b863a0170e8607b535791c6f08481ac9 (1 x AveMariaRAT)
ssdeep 3072:kaH9deQsVlaReZhphqrlT7MG9DqDseBguVdu4+rqv8kzY5Bed/rX:k+de+ReLQlpJqBBguF+rKLtdb
Threatray 9 similar samples on MalwareBazaar
TLSH 3CE369D4FCA19830F89A01F7EA5B795F2E6D6D912F833226FE50D3469642E44FB02127
Reporter SecuriteInfoCom

Intelligence

File Origin
# of uploads :
1
# of downloads :
100
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Trojan.MulDrop16.36169.23522.27812
Verdict:
Malicious activity
Analysis date:
2021-04-12 10:58:21 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5033d600-0244-4c42-b57c-41850dd9b7a5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/133729/
Detection(s):
SecuriteInfo.com.Trojan.MulDrop16.36169.23522.27812.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Enabling the 'hidden' option for recently created files
Running batch commands
Sending a UDP request
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5afd6127-eca6-4a07-b796-d93d64b1fafd
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/672909
Signature
Drops VBS files to the startup folder
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 385403 Sample: SecuriteInfo.com.Trojan.Mul... Startdate: 12/04/2021 Architecture: WINDOWS Score: 64 19 Multi AV Scanner detection for submitted file 2->19 21 Sigma detected: Drops script at startup location 2->21 23 Machine Learning detection for sample 2->23 7 SecuriteInfo.com.Trojan.MulDrop16.36169.23522.exe 1 2->7         started        11 wscript.exe 1 2->11         started        process3 file4 17 C:\Users\user\AppData\Roaming\...\flop.vbs, data 7->17 dropped 25 Drops VBS files to the startup folder 7->25 13 cmd.exe 1 7->13         started        signatures5 process6 process7 15 conhost.exe 13->15         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d2ecf791e2da89d5f37020d21644d7a6894f24f2f7972841945cd555cd89f974/
Threat name:
Win32.Trojan.Scar
Create hunting rule
Status:
Malicious
First seen:
2021-03-27 09:29:48 UTC
AV detection:
33 of 48 (68.75%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
046ff9f608525faf76e353263ddad485e547ff4797b183ddd850f0f2c8209f91
0567b86ec1e2be772943f8d57bba0d17f24ffb9f6b99ecb1214e74a27bbfe568
0fac83472e461604cdb195068ca091af7c56d39c73794fa41394206e1ede2894
63a7c236bd4ae94b1491b4a6da2f959fa16153cf4b0d4d17fd8810b95aeec49f
698a3c667ded86b3422b8e4839c9ca2743a8c4905fbc449514e59a9b666bda4d
6ce29350390228c4f8cf474b079fc0e786b364cf5c0c8994b7ad1137c185be3b
ae4577de0e93d13f37be12a01ef37f25427124813afffb8ea0396efdd69d0f05
d546bfa64731cb676940e28b5d059862e1e01332b0076449993a1b267e4d3060
eacd4bf6e9ef503d844adb44043c83bd6324b805b6587a3d2b4b27ec0143dedc
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/210412-zfh81cdj2e/
Behaviour
Suspicious use of WriteProcessMemory
Drops startup file
Unpacked files
SH256 hash:
d2ecf791e2da89d5f37020d21644d7a6894f24f2f7972841945cd555cd89f974
MD5 hash:
756569e9a29b1b351d2f1ae0fd09669d
SHA1 hash:
246dd078f0b8159214732c2ad1783e51c3f38c73
Link:
https://www.unpac.me/results/1ad8dfc5-4918-4f75-9c91-6468df4b8d1d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/d2ecf791e2da89d5f37020d21644d7a6894f24f2f7972841945cd555cd89f974

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe d2ecf791e2da89d5f37020d21644d7a6894f24f2f7972841945cd555cd89f974

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1107181/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/133729/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-04-14 16:54:11 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [C0026.002] Data Micro-objective::XOR::Encode Data
2) [C0052] File System Micro-objective::Writes File
3) [C0018] Process Micro-objective::Terminate Process