MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dbf55407956dcd3184bce35b35697a073f5fa51b6fcb7713e9aef81fa9511ec6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 4

Intelligence 4 IOCs YARA 2 File information Comments

SHA256 hash:	dbf55407956dcd3184bce35b35697a073f5fa51b6fcb7713e9aef81fa9511ec6
SHA3-384 hash:	f95c253716526d0641a2fa53d9d39c58ede14afd5f3405659518b135757e157c082e11c6e96b2d97046dd3932df1ec1c
SHA1 hash:	5fd586c88f0cb843fc91ca1efcd4e5acec20efb3
MD5 hash:	215d58ed2a40c08df76558d77588e09c
humanhash:	lima-october-california-magnesium
File name:	215d58ed_by_Libranalysis
Download:	download sample
File size:	5'911'552 bytes
First seen:	2021-05-08 13:02:13 UTC
Last seen:	2021-05-08 13:46:20 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	d6c9cce97eb4f66698237605d85ef325
ssdeep	98304:HLA6+Im3tNOG8Vm+9fM7xeUwRD2BH/Ay09k7CpAbZogEzQxg08Z5qFvr4r:kIm32VmCkipb9iCpgszsgdr
Threatray	56 similar samples on MalwareBazaar
TLSH	655612239D2590F0C1C5D8F78EFEEDECF1B696764A815C789996A8C0D73B4A1BD03602
Reporter	Libranalysis

Libranalysis

Uploaded as part of the sample sharing project

Intelligence

File Origin

# of uploads :

# of downloads :

121

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/153194/

Detection(s):

SecuriteInfo.com.Mal.VMProtBad-A.21035.10110.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

DNS request

Sending a custom TCP request

Creating a window

Sending a UDP request

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Unknown

Detection:

malicious

Classification:

troj.evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/718642

Signature

Detected VMProtect packer

Hides threads from debuggers

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Potential thread-based time evasion detected

Tries to detect debuggers by setting the trap flag for special instructions

Tries to detect virtualization through RDTSC time measurements

Uses dynamic DNS services

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/dbf55407956dcd3184bce35b35697a073f5fa51b6fcb7713e9aef81fa9511ec6/

Threat name:

Win32.Trojan.Wacatac

Status:

Malicious

First seen:

2021-05-08 13:02:27 UTC

AV detection:

16 of 29 (55.17%)

Threat level:

5/5

Verdict:

suspicious

22a49fd2468178e5b33cad08985adde50f0530a33260affc58bee6b2401005a9

44e717206bba160f62320de53005a05ba4a4f51063b81503747197e0497b17ce

586308277bf0f934777f113da1b684233d2cdfbf6b746eebc35d2f8dc8d1c585

6623d3bb74ec56148b4bfb75277142eba255f0613fb9f2eb510b27e985f1c7fd

7831d04c2d11df369d8c3dda50277a00b4bc798f0a4725faf234597e6a0d29c2

a488990c82230074fdf4f22a014a8f05dbb2bdc055c096c4d4a28b3a8055a648

ac839669e7e0d6b42bf9517cc6f4db88c9eacc678df15c1c45be1771309cb020

e8cdc889ac43fb8a641ef365c17196f4600ea07688d0a627e1e6bff7255a4946

eebd330208d3021ba7caf06e78588daaa3e9de826c373025aad1bea09a94865d

+ 46 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

vmprotect

Link:

https://tria.ge/reports/210508-kl3vlqlagj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of NtSetInformationThreadHideFromDebugger

VMProtect packed file

Unpacked files

SH256 hash:

dbf55407956dcd3184bce35b35697a073f5fa51b6fcb7713e9aef81fa9511ec6

MD5 hash:

215d58ed2a40c08df76558d77588e09c

SHA1 hash:

5fd586c88f0cb843fc91ca1efcd4e5acec20efb3

Link:

https://www.unpac.me/results/85f0b64b-8c0d-45f0-acec-87dc3f8f36ff/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.14

Link:

https://yomi.yoroi.company/submissions/dbf55407956dcd3184bce35b35697a073f5fa51b6fcb7713e9aef81fa9511ec6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_VMProtect Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with VMProtect.

Rule name:	suspicious_packer_section Create hunting rule
Author:	@j0sm1
Description:	The packer/protector section names/keywords
Reference:	http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/153194/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample