MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 df1decc9154f20f51344ffe9b9916d3aef823d779fbd9494c535c562fadd9cdb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: df1decc9154f20f51344ffe9b9916d3aef823d779fbd9494c535c562fadd9cdb
SHA3-384 hash: 0dd06c5913584db31223e6f24c023c45b5575b707c712341e64fd0b5c63db9e4bc8f921fbbce3d8bac1864c2ac479f40
SHA1 hash: ebe008b49f862c26b4c36fa44828e752c558c6bf
MD5 hash: 9b9dae47e48bc6e9558ba2fe8f8e2cc7
humanhash: item-emma-angel-earth
File name:Windows Defender Sig.exe
Download: download sample
File size:470'448 bytes
First seen:2021-02-04 01:31:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2c5f2513605e48f2d8ea5440a870cb9e (60 x Babadeda, 6 x AveMariaRAT, 5 x CoinMiner)
ssdeep 1536:B7fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIffwfP2:17DhdC6kzWypvaQ0FxyNTBffC+
Threatray 36 similar samples on MalwareBazaar
TLSH 48A4AAA932D6C229FFF29F39C0D05009E160FD53E98A6A65A1BA734712B7FD04137792
Reporter r3dbU7z
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
91
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/115462/
Detection(s):
PUA.Win.Packer.Purebasic-2
Create hunting rule

SecuriteInfo.com.Trojan.GenericKD.34587420.17402.2208.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Forced system process termination
Deleting a recently created file
Creating a file in the %temp% subdirectories
Running batch commands
Launching a process
Using the Windows Management Instrumentation requests
Launching the process to change the firewall settings
Sending a UDP request
Launching a service
Enabling autorun for a service
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/598635
Signature
Disables Windows Defender (via service or powershell)
Modifies the windows firewall
Multi AV Scanner detection for submitted file
Uses netsh to modify the Windows network and firewall settings
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 348347 Sample: Windows Defender Sig.exe Startdate: 04/02/2021 Architecture: WINDOWS Score: 60 18 Multi AV Scanner detection for submitted file 2->18 20 Uses netsh to modify the Windows network and firewall settings 2->20 22 Modifies the windows firewall 2->22 24 Disables Windows Defender (via service or powershell) 2->24 7 Windows Defender Sig.exe 8 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        12 conhost.exe 7->12         started        signatures5 26 Disables Windows Defender (via service or powershell) 9->26 14 powershell.exe 22 9->14         started        16 netsh.exe 3 9->16         started        process6
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/df1decc9154f20f51344ffe9b9916d3aef823d779fbd9494c535c562fadd9cdb/
Threat name:
Win32.Spyware.TrickBot
Create hunting rule
Status:
Malicious
First seen:
2021-02-04 01:25:33 UTC
AV detection:
14 of 29 (48.28%)
Threat level:
  2/5
Verdict:
malicious
Similar samples:
05a8800b05cf0c4293f9dcc297873f36691161746aec7b65e31b0e32c8f0bebb
076dfc0a55afc36cdfd6dff84cfd0feae23029843e745b7f122980b341f7b710
3ae3550b6baf30136ce9b846725c3322f23ee8428c2984750a2cfe02843993e9
8d31cd4a15ce8347ee5d40ec43f3f0f6f1938887613d8dd58962df1cf7bfebca
90929f4e6bd28d6a197fef323930502ac1a3dcc9de8d4dba02dc6702fd570e14
9a55095bce5f28440aeed18e9997322e0b1786208f6029d42a189804dc19738b
db6f7b795e59ba384c7bba66f9c4fe4fd68a6cab3c38b7b70a1154dc2319106b
ef98f9fd8e48c339bbb625437f4a19966c58c47f0e79e99ac320027debb9c9c3
f5e4f8cf4a6691806c1fa4f0718cae9d5ff5ad41088b57a4cbcdabed09dcba2e
fadcffc72696cb639334be446d2aeb90743b270276f48b730efbb59b73505a85
+ 26 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
evasion
Link:
https://tria.ge/reports/210204-xtkg3lfjtx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies Windows Firewall
Unpacked files
SH256 hash:
df1decc9154f20f51344ffe9b9916d3aef823d779fbd9494c535c562fadd9cdb
MD5 hash:
9b9dae47e48bc6e9558ba2fe8f8e2cc7
SHA1 hash:
ebe008b49f862c26b4c36fa44828e752c558c6bf
Link:
https://www.unpac.me/results/49a166a5-cd37-436e-b215-7ddcc9cccf57/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/df1decc9154f20f51344ffe9b9916d3aef823d779fbd9494c535c562fadd9cdb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/115462/

Comments