MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ddee93284ea3d58e46a5814cdac4b3314d542acad7ef9eef0ee29257639cfa07. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	ddee93284ea3d58e46a5814cdac4b3314d542acad7ef9eef0ee29257639cfa07
SHA3-384 hash:	c372a2a810e5f7a0a969389be4b375f4d36a825d5ce3e45d95a457a16da626a2821de1348f8e8e7aaaead51d5c4b97bd
SHA1 hash:	a7f582fdff90f7ffc3d5c7de5c17e6b14134a515
MD5 hash:	82348e9c6fb4f87585ce8a439d914988
humanhash:	emma-potato-pizza-comet
File name:	iec56w4ibovnb4wc.onion_Library__USCYBERCOM__npmproxy.dll.malw
Download:	download sample
File size:	3'299'446 bytes
First seen:	2020-03-18 23:15:54 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f4e1c3aaec90d5dfa23c04da75ac9501
ssdeep	49152:11Y2apHQbtZdQ15Prdh1cPwPV2PX68tOLvknTLccEPbx6bVF:8dD/PQXlUGQx6bVF
TLSH	D4E52916EBB651E5D9F6C03486636363B9B278598734ABD39A40572B0F33BF0A53E700
Reporter	ov3rflow1
Tags:	malw

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Malware.Agent-6973070-0

Gathering data

Threat name:

Win64.Trojan.Sednit

Status:

Malicious

First seen:

2020-03-19 03:56:14 UTC

AV detection:

19 of 31 (61.29%)

Threat level:

2/5

Verdict:

malicious

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Unknown

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ddee93284ea3d58e46a5814cdac4b3314d542acad7ef9eef0ee29257639cfa07

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Reviews

ID	Capabilities	Evidence
URL_MONIKERS_API	Can Download & Execute components	urlmon.dll::ObtainUserAgentString
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CreateProcessW KERNEL32.dll::OpenProcess KERNEL32.dll::CloseHandle KERNEL32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryA KERNEL32.dll::LoadLibraryW KERNEL32.dll::GetDriveTypeA KERNEL32.dll::GetDriveTypeW KERNEL32.dll::GetStartupInfoW
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::FlushConsoleInputBuffer KERNEL32.dll::WriteConsoleW KERNEL32.dll::ReadConsoleInputA KERNEL32.dll::SetConsoleCtrlHandler KERNEL32.dll::SetConsoleMode KERNEL32.dll::SetStdHandle
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CreateFileW KERNEL32.dll::CreateFileA KERNEL32.dll::DeleteFileW KERNEL32.dll::GetFileAttributesW KERNEL32.dll::FindFirstFileW KERNEL32.dll::RemoveDirectoryW
WIN_BASE_USER_API	Retrieves Account Information	KERNEL32.dll::GetComputerNameW
WIN_CRYPT_API	Uses Windows Crypt API	CRYPT32.dll::CertDuplicateCertificateContext CRYPT32.dll::CertEnumCertificatesInStore CRYPT32.dll::CertFindCertificateInStore CRYPT32.dll::CertFreeCertificateContext CRYPT32.dll::CertGetCertificateContextProperty CRYPT32.dll::CertOpenStore
WIN_HTTP_API	Uses HTTP services	WINHTTP.dll::WinHttpGetIEProxyConfigForCurrentUser
WIN_REG_API	Can Manipulate Windows Registry	ADVAPI32.dll::RegOpenKeyExW ADVAPI32.dll::RegQueryValueExW
WIN_SOCK_API	Uses Network to send and receive data	WS2_32.dll::freeaddrinfo WS2_32.dll::getaddrinfo WS2_32.dll::getnameinfo

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample