MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d4dadc7dc5e003905cdd8f287bec1c4d751d8d9913689cb0894feb999917d791. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 4


Intelligence 4 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d4dadc7dc5e003905cdd8f287bec1c4d751d8d9913689cb0894feb999917d791
SHA3-384 hash: cd43abbdd57104b0d612beaa5845370980d50696c4ed82ef633a404ddc930960c04ba563fe715a4903454896d33ab912
SHA1 hash: 57a1deb6b9a8676f699c5b2e75a61cd64cb6ea97
MD5 hash: fdaf1e108b77f7000a5b6417adf143bb
humanhash: bluebird-timing-comet-london
File name:fdaf1e10_by_Libranalysis
Download: download sample
File size:127'672 bytes
First seen:2021-05-05 08:02:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6bfb12c0ac9e50aa509f27c55c68a1e2
ssdeep 3072:cx6AHjYzaFXg+w17jsgS/jHagQg12xiaVN:cxzYzaFXi17j9N
Threatray 5'278 similar samples on MalwareBazaar
TLSH 34C31A0B5FC5A3E2E7A912F127875CD909272B8C6D5B25E3636846D72D20B1128FB31F
Reporter Libranalysis


Avatar
Libranalysis
Uploaded as part of the sample sharing project

Intelligence

File Origin
# of uploads :
1
# of downloads :
57
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/149951/
Detection(s):
Win.Malware.KazekageGaara-7111282-1
Create hunting rule

Win.Malware.Ulise-9806846-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the Windows subdirectories
Creating a file in the Windows directory
Creating a process from a recently created file
Creating a process with a hidden window
Sending a UDP request
Searching for the window
Searching for analyzing tools
Changing critical settings of the Internet Explorer browser
Blocking the User Account Control
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Changing the Windows explorer settings to hide files extension
Blocking the System Restore
Changing the Windows explorer settings
Blocking a possibility to launch for the Windows registry editor (regedit.exe)
Enabling autorun with the shell\open\command registry branches
Enabling autorun
Enabling a "Do not show hidden files" option
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/a35e2659-ecc3-40f8-b8ad-6a1d9e1c3490
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d4dadc7dc5e003905cdd8f287bec1c4d751d8d9913689cb0894feb999917d791/
Threat name:
Win32.Trojan.Zusy
Create hunting rule
Status:
Malicious
First seen:
2020-05-03 08:12:38 UTC
AV detection:
24 of 27 (88.89%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
08e12f6b9796ad1f47062ea86ec73c496028660f61a9917008cce9004fb1d48b
4567d8265b3dec803dfa668da8045b70df22802447b48f385fc4eab009648c4c
5003b65b7f0af2661221ba2a75f633f24648c02ca1d229399397ea3cc796e91e
57aa81416cfdbd76df2a15cb14810f8529ecab0eea978210a4ef3047f35a225e
57efc81b39cedbb515f909f66ff27cc09c1ca699feeffb136a7515f3f444f717
60fe4a1f0ed577bfa8d10195a3d1123b0a7ab551d3579686ee6ac6bc18282fe5
66c84cc2020c62f67f7044dbc3bb6b8f377d545b6e7e4f4f636d26b2d5e4d0da
6812d44b05455b4503ffa118b62d3810304f3867b528042985dc6ebc834ebdfc
840fcf3e185f0a54e8f1aee00cbcaa8b452a7f45bedb258e3afef8cb9fd3e0fd
f9676410bb9da322ef7440edfc31815ff0f0a32f92269770d869f62c8f1ee497
+ 5'268 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence ransomware trojan
Link:
https://tria.ge/reports/210505-gagp736pda/
Behaviour
Modifies Control Panel
Modifies Internet Explorer settings
Modifies registry class
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Drops file in Windows directory
Drops autorun.inf file
Drops file in System32 directory
Sets desktop wallpaper using registry
Adds Run key to start application
Checks whether UAC is enabled
Drops desktop.ini file(s)
Enumerates connected drives
Loads dropped DLL
Disables RegEdit via registry modification
Disables use of System Restore points
Drops file in Drivers directory
Executes dropped EXE
Sets file execution options in registry
Modifies WinLogon for persistence
Modifies visibility of file extensions in Explorer
Modifies visiblity of hidden/system files in Explorer
UAC bypass
Unpacked files
SH256 hash:
0bc1185d56b0fdcaa9d53a97f54140613301d6d40dbcaaf3140c615cd820c41b
MD5 hash:
63b2ebba8b3857de828f4f3357e1e2d9
SHA1 hash:
22c95070739af9080be440cfdae209db30a2661c
Link:
https://www.unpac.me/results/d54b1e96-e984-4068-a3a6-7cc691370095/
SH256 hash:
d4dadc7dc5e003905cdd8f287bec1c4d751d8d9913689cb0894feb999917d791
MD5 hash:
fdaf1e108b77f7000a5b6417adf143bb
SHA1 hash:
57a1deb6b9a8676f699c5b2e75a61cd64cb6ea97
Link:
https://www.unpac.me/results/d54b1e96-e984-4068-a3a6-7cc691370095/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/149951/

Comments