MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d4738cab578682180d9d9c367ad8884dcfbcf629871c11153af22315cd18117d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d4738cab578682180d9d9c367ad8884dcfbcf629871c11153af22315cd18117d
SHA3-384 hash: 40122cc749b811153e6fce3f6e1fa92f6d7178166590466e5935e5cbf02561afa5a12ffb68225c548a74ce2896279087
SHA1 hash: b08735d1ebb33cef944893e5824e6fa9fb0025b2
MD5 hash: 7ec5d60b22288d2650228fafdb9c2cd0
humanhash: snake-high-diet-five
File name:docking repair - documents- doc.exe
Download: download sample
File size:568'150 bytes
First seen:2021-08-18 06:16:05 UTC
Last seen:2021-08-18 06:45:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6b1520ba8a8e7d12cecb5bd04c747ffc (2 x AZORult, 1 x Formbook, 1 x SnakeKeylogger)
ssdeep 12288:MvKaRQvF9ur4Vby3dV5j9j/FUi1at8O+0ofdXCQvWNA9k:MvKLF08pGdV5ZjqqzfEQE
Threatray 21 similar samples on MalwareBazaar
TLSH T1ADC4E021A2D1C072E8B3243799F256387A3D6F31472F9AFB63C459794F309C16A21A77
Reporter GovCERT_CH
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
105
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
docking repair - documents- doc.exe
Verdict:
Suspicious activity
Analysis date:
2021-08-18 06:22:10 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3739b3ec-3910-4cdf-bc4e-ca561bc8dc64

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/180206/
Detection(s):
SecuriteInfo.com.Variant.Razy.909438.2946.6773.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/80749b5c-7c85-494b-ae47-237e22105d00
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/834893
Signature
Initial sample is a PE file and has a suspicious name
Maps a DLL or memory area into another process
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 467324 Sample: docking repair - documents-... Startdate: 18/08/2021 Architecture: WINDOWS Score: 48 20 Initial sample is a PE file and has a suspicious name 2->20 7 docking repair - documents- doc.exe 1 2->7         started        process3 signatures4 22 Maps a DLL or memory area into another process 7->22 10 docking repair - documents- doc.exe 1 7->10         started        12 conhost.exe 7->12         started        process5 process6 14 WerFault.exe 23 9 10->14         started        16 WerFault.exe 2 9 10->16         started        18 conhost.exe 10->18         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d4738cab578682180d9d9c367ad8884dcfbcf629871c11153af22315cd18117d/
Threat name:
Win32.Trojan.Ursnif
Create hunting rule
Status:
Malicious
First seen:
2021-08-18 06:17:10 UTC
AV detection:
17 of 46 (36.96%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2rzyzk2xq2bbqdm5tq3hvweijxh3z5rjq4obcfj26irrltiycf6q._file
Verdict:
suspicious
Similar samples:
12a8589297e56fc863c7c37209870ff00bf15dcd21f90be9539e3332727761d1
1dc07ea8c5bf1ce511549946e250ee145b10032da89eae19ab9f477a18a9c6d3
203754c6e511e0678e98b709deb230b6ee0a7c83e5c368a3c2e3e2bcc692f80b
3db4d4a2dc190c6ca349f576eb9e87b828b93e8623df8559a420b981b7a3fa26
4a8e92182911cc2ee70ab3c2c869123091d8bef639f97f7bc04d2903bddc78e7
6cbce1d82bb769eb1c517c2c54db572614dfce4c858690d77df761572bc98825
b4918824e1c626c9b8c87be6f1aa34d1672a747e7d0f01d57c232284b62c3061
b6a58224bb0fbca5d4a297bdc2237ffd671e5548ebd6d35434ae1196df97f8d9
d53bae4b5ce931f64224d180b42eda418516d524ae0623571069c6bc30845fa3
ee7768e5b15b6e83c04033a244e19f19cc63aecedbb01786edb6e15318a2a2d2
+ 11 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/210818-scyayva89a/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
d4738cab578682180d9d9c367ad8884dcfbcf629871c11153af22315cd18117d
MD5 hash:
7ec5d60b22288d2650228fafdb9c2cd0
SHA1 hash:
b08735d1ebb33cef944893e5824e6fa9fb0025b2
Link:
https://www.unpac.me/results/de0479cd-8ff6-4ead-932f-3f10049cd3d1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d4738cab578682180d9d9c367ad8884dcfbcf629871c11153af22315cd18117d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Executable exe d4738cab578682180d9d9c367ad8884dcfbcf629871c11153af22315cd18117d

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/180206/

Comments