MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d98d4af19b35e099406b7427b92b428732fcbc6bf2f41c137cbd6a43465fefb3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


TriumphLoader


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d98d4af19b35e099406b7427b92b428732fcbc6bf2f41c137cbd6a43465fefb3
SHA3-384 hash: 5da00d8f05bc7365fd0647129e7f6db7f95d23bafa763909a3a219a672f3740a675d4079cfcc6e5f5ffdb81c12f539ea
SHA1 hash: 083edac83f7140231ce631d0b87ca13d96ed88f9
MD5 hash: 5ebe86955c5f902a4827aa2b4a74834f
humanhash: east-dakota-bacon-pasta
File name:SecuriteInfo.com.W32.AIDetectGBM.malware.01.19364.7199
Download: download sample
Signature TriumphLoader
Create hunting rule
File size:377'856 bytes
First seen:2021-02-23 15:16:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bd97df4bd9c954c1a23c5096fea8ef70 (1 x TriumphLoader)
ssdeep 6144:ASOvChRobzM17kjgLeuHgDa720I2yFKB71/E91o2VgjASzGv69ljZZ:ASOvC7RaKHar0ayOnyA3
TLSH 0984F112B6C0C432C49E69314C24C6912A3AF971AA7A55D3B7B83F7DAFB03C19276747
Reporter SecuriteInfoCom
Tags:TriumphLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
81
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/118632/
Detection(s):
SecuriteInfo.com.W32.AIDetectGBM.malware.01.19364.7199.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Launching the default Windows debugger (dwwin.exe)
Running batch commands
Creating a process with a hidden window
Launching a process
DNS request
Moving of the original file
Sending an HTTP POST request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Triumph Loader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/615507
Signature
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found C&C like URL pattern
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Triumph Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 356763 Sample: SecuriteInfo.com.W32.AIDete... Startdate: 23/02/2021 Architecture: WINDOWS Score: 100 28 orvalansterych.xyz 2->28 30 ldencajasigrap.xyz 2->30 38 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->38 40 Multi AV Scanner detection for domain / URL 2->40 42 Antivirus detection for URL or domain 2->42 44 4 other signatures 2->44 8 SecuriteInfo.com.W32.AIDetectGBM.malware.01.19364.exe 17 2->8         started        signatures3 process4 dnsIp5 32 ldencajasigrap.xyz 35.228.210.99, 49731, 49732, 49733 GOOGLEUS United States 8->32 34 orvalansterych.xyz 8->34 36 192.168.2.1 unknown unknown 8->36 46 Detected unpacking (changes PE section rights) 8->46 48 Detected unpacking (overwrites its own PE header) 8->48 12 cmd.exe 1 8->12         started        14 cmd.exe 1 8->14         started        16 WerFault.exe 9 8->16         started        18 6 other processes 8->18 signatures6 process7 process8 20 conhost.exe 12->20         started        22 timeout.exe 1 12->22         started        24 conhost.exe 14->24         started        26 reg.exe 1 1 14->26         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d98d4af19b35e099406b7427b92b428732fcbc6bf2f41c137cbd6a43465fefb3/
Threat name:
Win32.Trojan.Glupteba
Create hunting rule
Status:
Malicious
First seen:
2021-02-23 15:17:05 UTC
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/210223-5qahgl5tp2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SH256 hash:
b1b46deec765f140970f8902a513c532e53b92c56c53da9c98abd811f4e1e59d
MD5 hash:
2dc3e5ca0264d7eab08d11c2698757d1
SHA1 hash:
61c02c4f2932ea0f4b2579fa238bd31d48d60482
Link:
https://www.unpac.me/results/50df48c8-b2de-4862-a2c3-eee0e0a196ec/
SH256 hash:
d98d4af19b35e099406b7427b92b428732fcbc6bf2f41c137cbd6a43465fefb3
MD5 hash:
5ebe86955c5f902a4827aa2b4a74834f
SHA1 hash:
083edac83f7140231ce631d0b87ca13d96ed88f9
Link:
https://www.unpac.me/results/50df48c8-b2de-4862-a2c3-eee0e0a196ec/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d98d4af19b35e099406b7427b92b428732fcbc6bf2f41c137cbd6a43465fefb3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

TriumphLoader

Executable exe d98d4af19b35e099406b7427b92b428732fcbc6bf2f41c137cbd6a43465fefb3

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1025449/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/118632/

Comments