MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d893d3b0e8c2fa238a84eeec1adb6dec0853828d314873be41ee74280541b6d0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 3


Intelligence 3 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d893d3b0e8c2fa238a84eeec1adb6dec0853828d314873be41ee74280541b6d0
SHA3-384 hash: 1da98395c4fc402dded31c25868b75b639a7758f03a35159db21efbfc8d0621cba14fe0f4bee69a8073b3a839fa89285
SHA1 hash: 5e464aef69763c3fc25bceadfd8fff32a405d849
MD5 hash: f5eccddc7ee3df74b79df21d04dd56a1
humanhash: tennessee-four-timing-speaker
File name:f5eccddc7ee3df74b79df21d04dd56a1.exe
Download: download sample
File size:297'472 bytes
First seen:2020-11-18 11:10:05 UTC
Last seen:2020-11-18 13:20:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6f5038621d34260011beea41c5a5774e
ssdeep 6144:niLXVcyDs4gQBOJVnl5EIoAxI2ioM+pQDCuaN9T3y3Dw6hjNScK:niLXVKJ93cuYWdT3yzppM1
TLSH D35401713690E132C951A6348425C7B69B7C657137A585C37BB03BBE2F603D1E73A38A
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
83
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.BehavesLike.Win32.Generic.dc.9838.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/540908
Signature
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found C&C like URL pattern
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 319557 Sample: UvlFyyAvbu.exe Startdate: 18/11/2020 Architecture: WINDOWS Score: 92 52 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->52 54 Multi AV Scanner detection for dropped file 2->54 56 Multi AV Scanner detection for submitted file 2->56 58 2 other signatures 2->58 7 UvlFyyAvbu.exe 17 2->7         started        process3 dnsIp4 48 4cnx9s25gsvw.top 45.139.186.121, 49711, 49712, 80 HostingvpsvilleruRU Russian Federation 7->48 30 C:\Users\user\AppData\...\syZsNnTNps[1].vx, PE32 7->30 dropped 32 C:\ProgramData\...\appconfig.dll, PE32 7->32 dropped 60 Detected unpacking (changes PE section rights) 7->60 62 Detected unpacking (overwrites its own PE header) 7->62 64 Contains functionality to detect sleep reduction / modifications 7->64 12 WerFault.exe 20 9 7->12         started        16 WerFault.exe 9 7->16         started        18 WerFault.exe 9 7->18         started        20 7 other processes 7->20 file5 signatures6 process7 dnsIp8 50 192.168.2.1 unknown unknown 12->50 34 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 12->34 dropped 36 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 16->36 dropped 38 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 18->38 dropped 40 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 20->40 dropped 42 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 20->42 dropped 44 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 20->44 dropped 46 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 20->46 dropped 22 conhost.exe 20->22         started        24 conhost.exe 20->24         started        26 reg.exe 20->26         started        28 3 other processes 20->28 file9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d893d3b0e8c2fa238a84eeec1adb6dec0853828d314873be41ee74280541b6d0/
Threat name:
Win32.Trojan.Glupteba
Create hunting rule
Status:
Malicious
First seen:
2020-11-18 03:50:11 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Verdict:
suspicious
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/201118-pnd1l4dw1j/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Delays execution with timeout.exe
Suspicious behavior: RenamesItself
Program crash
Loads dropped DLL
Unpacked files
SH256 hash:
d893d3b0e8c2fa238a84eeec1adb6dec0853828d314873be41ee74280541b6d0
MD5 hash:
f5eccddc7ee3df74b79df21d04dd56a1
SHA1 hash:
5e464aef69763c3fc25bceadfd8fff32a405d849
Link:
https://www.unpac.me/results/4cd54bb2-1e94-4331-8d51-b9327c510283/
SH256 hash:
f96912b9444d7d352d21a03cb568f3e27d3df2fc1e4298ea15e2c9bea86309e8
MD5 hash:
a2c8142e9ca0cab89cbba79d2edd95a6
SHA1 hash:
0be192a3c60dd00bc6b92e1b01dfe24f1d8740c2
Link:
https://www.unpac.me/results/4cd54bb2-1e94-4331-8d51-b9327c510283/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe d893d3b0e8c2fa238a84eeec1adb6dec0853828d314873be41ee74280541b6d0

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/828188/
  
Delivery method
Distributed via web download

Comments