MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 de69f301deb4220ab2a7cded535a18729647aab4c3c8b1d86b3d497b48050166. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	de69f301deb4220ab2a7cded535a18729647aab4c3c8b1d86b3d497b48050166
SHA3-384 hash:	de2a3b2d20c02c1c398d370259998dda4c7fb6ee6d1a715a1b122144fa15b8eed4f904882a8474005817053522f4b1be
SHA1 hash:	2bb1ef28c828664f49b554a09e97ae0b55f91be5
MD5 hash:	c0c13207a9e80aa1479072a734b754b9
humanhash:	april-green-pasta-foxtrot
File name:	c0c13207_by_Libranalysis
Download:	download sample
File size:	409'595 bytes
First seen:	2021-05-05 11:03:32 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	43df92b7b77db2760430968647afb835 (2 x Ganelp)
ssdeep	3072:IVHgCc4xGvbwcU9KQ2BBAHmaPxiVodb5EwI:VCc4xGxWKQ2Bonxe
Threatray	6 similar samples on MalwareBazaar
TLSH	BD945C21E351C027E8D140FED7AB8775A1AD6F301B5820E793E03AAD2B3A1E5BD3155B
Reporter	Libranalysis

Libranalysis

Uploaded as part of the sample sharing project

Intelligence

File Origin

# of uploads :

1

# of downloads :

65

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/150424/

Detection(s):

Win.Worm.Ganelp-6776766-0

Win.Worm.Lolbot-6787741-0

Win.Worm.Autorun-8027

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the Program Files subdirectories

Creating a file

Creating a process from a recently created file

Sending a UDP request

DNS request

Sending a custom TCP request

Deleting a recently created file

Enabling autorun by creating a file

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/de69f301deb4220ab2a7cded535a18729647aab4c3c8b1d86b3d497b48050166/

Threat name:

Win32.Worm.Griptolo

Status:

Malicious

First seen:

2020-05-06 06:00:30 UTC

AV detection:

31 of 31 (100.00%)

Threat level:

5/5

Verdict:

malicious

Similar samples:

09e28b22c749808d439f6a3d4948aad24bf8b1034bf1041c7cd2b8cdb5dd7be3

3b53aa656cfe13b747bf0ae5d19dc0e2edf8b1ad25e5c3b12eba67b570908dc7

8369d8b38904dbb8878e36e8b3b460f2533bc97ce2b736d4779496e9544308f3

a0f055b2f7f302e483c9eb11833120ee6c114252b6a233d25f3016dba17238f1

ddc24f2e6ce31f41e8f9195c2612384abad5baf2797cd3a99f8e48de0430f184

e4784520b1722382c5167856165a57d837b7f877bb8475f441cb3e40b98706c8

Result

Malware family:

n/a

Score:

10/10

Tags:

persistence

Link:

https://tria.ge/reports/210505-aqz1ks743s/

Behaviour

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in Program Files directory

Drops file in Windows directory

Adds Run key to start application

Loads dropped DLL

Executes dropped EXE

Unpacked files

SH256 hash:

de69f301deb4220ab2a7cded535a18729647aab4c3c8b1d86b3d497b48050166

MD5 hash:

c0c13207a9e80aa1479072a734b754b9

SHA1 hash:

2bb1ef28c828664f49b554a09e97ae0b55f91be5

Link:

https://www.unpac.me/results/6c63fb60-84df-4461-ab8e-221135890896/

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

Cape

https://www.capesandbox.com/analysis/150424/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample