MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d73ce718fea7075ec374fc846dfaf0b8154cc64b6aeed52faab938f69a7a76bc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d73ce718fea7075ec374fc846dfaf0b8154cc64b6aeed52faab938f69a7a76bc
SHA3-384 hash: a9471bfce271f744c813327c574c5c2f9d8b6925bbe89e2fa35d31362566d343ed49860356f236dd1ec4653349ef630d
SHA1 hash: a01d710d6a7ad0dda32661f95e4be4b042429f02
MD5 hash: 7fde12e258dacd8a505aa4cded9e7deb
humanhash: berlin-bacon-oxygen-winter
File name:7fde12e258dacd8a505aa4cded9e7deb.dll
Download: download sample
File size:6'873'088 bytes
First seen:2022-11-21 09:04:03 UTC
Last seen:2022-11-21 10:41:28 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 42e00582ade6f6e7a6c786ae70037dd6
ssdeep 196608:sB2fpHcOC3kmQ/0Y0ec8d+AQ/aGyceJAf7di7V4ca3YT:sBA8OCUV0J8d+5/aBJMkh4csYT
Threatray 16'280 similar samples on MalwareBazaar
TLSH T1B3663386EE280176F2730770891771DCD7A90C952839CD7F43EB42CA3AF367A55AE852
TrID 38.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
20.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
13.0% (.EXE) Win64 Executable (generic) (10523/12/4)
8.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon c8a8e4848484c484
Reporter abuse_ch
Tags:dll

Intelligence

File Origin
# of uploads :
2
# of downloads :
195
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/336633/
Detection(s):
SecuriteInfo.com.Win32.Packed.NoobyProtect.B.14317.16742.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed shell32.dll
Link:
https://www.filescan.io/uploads/637b3f082609334c72c196d1/reports/bb5bbae4-57b5-4f5c-a5b7-521386aa2495/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/651d4baa-554b-410b-ad38-ed9a14448a9e
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1117927
Signature
Antivirus / Scanner detection for submitted sample
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Tries to detect virtualization through RDTSC time measurements
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 750640 Sample: PFFHOdxpfF.dll Startdate: 21/11/2022 Architecture: WINDOWS Score: 72 22 Antivirus / Scanner detection for submitted sample 2->22 24 Multi AV Scanner detection for submitted file 2->24 26 Machine Learning detection for sample 2->26 28 PE file has a writeable .text section 2->28 7 loaddll32.exe 1 2->7         started        process3 signatures4 32 Tries to detect virtualization through RDTSC time measurements 7->32 34 Hides threads from debuggers 7->34 10 rundll32.exe 7->10         started        13 cmd.exe 1 7->13         started        15 rundll32.exe 7->15         started        17 7 other processes 7->17 process5 signatures6 36 Tries to detect virtualization through RDTSC time measurements 10->36 38 Hides threads from debuggers 10->38 19 rundll32.exe 13->19         started        process7 signatures8 30 Hides threads from debuggers 19->30
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d73ce718fea7075ec374fc846dfaf0b8154cc64b6aeed52faab938f69a7a76bc/
Threat name:
Win32.Backdoor.Hlux
Create hunting rule
Status:
Malicious
First seen:
2022-11-21 09:05:20 UTC
File Type:
PE (Dll)
Extracted files:
8
AV detection:
16 of 26 (61.54%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=246oogh6u4dv5q3u7scg36xqxakuzrslnlxnkl5kxe4pngt2o26a._file
Verdict:
unknown
Similar samples:
14096f9b01306019cb0f790402eab8be314a1332b6d9cdb0ccf35c56aed175b7
18459ea969be44966cb9bdd8d65d93d91dc2635d952f02aee69d6e2eaec2c679
1e857555be92a0e4bfa8c0e5dc5b7b91a08e6daea0036e3bf23d3d3de79e495f
31fc16d69939d4b8b18df3d0781b38aedfb4520ad14befa70d64d4f72e27bee6
8aa720fbb142a30d24e082eb17f74ee926a4c28e6f811195518c45c1317faa24
dc4e5d4d2be064137622960cae6b97cc708c81bf79cb3ad5abed78914cdc76a2
+ 16'270 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/221121-k1l2waga3w/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Unpacked files
SH256 hash:
d73ce718fea7075ec374fc846dfaf0b8154cc64b6aeed52faab938f69a7a76bc
MD5 hash:
7fde12e258dacd8a505aa4cded9e7deb
SHA1 hash:
a01d710d6a7ad0dda32661f95e4be4b042429f02
Link:
https://www.unpac.me/results/873cb8b8-0204-430e-8fd9-24d6bed62dec/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/d73ce718fea7075ec374fc846dfaf0b8154cc64b6aeed52faab938f69a7a76bc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DLL dll d73ce718fea7075ec374fc846dfaf0b8154cc64b6aeed52faab938f69a7a76bc

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2428365/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/336633/

Comments