MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e345b19eff4b3881d8b608fd14278ee602f2f9b2cbde8b248492f80b3514b121. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Metamorfo


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e345b19eff4b3881d8b608fd14278ee602f2f9b2cbde8b248492f80b3514b121
SHA3-384 hash: 9f15f78ddf736b5692f47fe4481d49a7c3d62ed997707e0261e7e472edbd4cf4544f1f851cd9e43fa476bbb06c44dcb3
SHA1 hash: 00038b6c158a14ec7e301ccff839888aa4096184
MD5 hash: 3aebe9048bc905a6e9c7e8deda7157ff
humanhash: mars-saturn-alabama-glucose
File name:__semqhn7_Q
Download: download sample
Signature Metamorfo
Create hunting rule
File size:4'404'224 bytes
First seen:2023-10-31 12:42:53 UTC
Last seen:2023-10-31 14:40:32 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 58fc9a0a0ea32a098187db88ebb8c215 (1 x Metamorfo)
ssdeep 49152:B4DW/LRMhSXfSKeTSDzk0BYDdcFtR2p2Vck96zP8XtPfSFzoxGo6MO+XmzRDfv4O:kWXv1eTSDfsdO2pY9oq8pooeCzlv4J
Threatray 2 similar samples on MalwareBazaar
TLSH T14C16127385807EC7E1B557BA7C2285088D29FD769F12123AF12F76A182B658CCFB0764
TrID 35.7% (.EXE) Win32 Executable (generic) (4505/5/1)
16.4% (.EXE) Win16/32 Executable Delphi generic (2072/23)
16.0% (.EXE) OS/2 Executable (generic) (2029/13)
15.8% (.EXE) Generic Win/DOS Executable (2002/3)
15.8% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon f8f8c9c9c9e9f0c8 (2 x Metamorfo, 2 x XRed, 1 x LummaStealer)
Reporter JAMESWT_WT
Tags:casbaneiro dll MetaMorfo ponteiro

Intelligence

File Origin
# of uploads :
2
# of downloads :
310
Origin country :
IT IT
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/457377/
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.17712.10090.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Searching for analyzing tools
Сreating synchronization primitives
Creating a window
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control lolbin packed shell32
Link:
https://www.filescan.io/uploads/6540f658390b22a61e54530b/reports/0806b6b1-4acf-4fe8-9e2d-e85e96d2aec9/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/e345b19eff4b3881d8b608fd14278ee602f2f9b2cbde8b248492f80b3514b121
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/6e32b4dd-2184-47d8-98bf-d1eb08b7df70
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1334863
Signature
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1334863 Sample: __semqhn7_Q.dll Startdate: 31/10/2023 Architecture: WINDOWS Score: 80 33 sni1gl.wpc.nucdn.net 2->33 35 scdn1f003.wpc.ad629.nucdn.net 2->35 37 ambjulio.com 2->37 41 Multi AV Scanner detection for domain / URL 2->41 43 Multi AV Scanner detection for submitted file 2->43 45 Machine Learning detection for sample 2->45 47 PE file contains section with special chars 2->47 9 loaddll32.exe 1 2->9         started        signatures3 process4 signatures5 53 Query firmware table information (likely to detect VMs) 9->53 55 Hides threads from debuggers 9->55 57 Tries to detect sandboxes / dynamic malware analysis system (registry check) 9->57 12 rundll32.exe 12 9->12         started        16 cmd.exe 1 9->16         started        18 rundll32.exe 9->18         started        20 6 other processes 9->20 process6 dnsIp7 39 ambjulio.com 154.56.63.216, 49717, 49720, 49722 COGENT-174US United States 12->39 59 Tries to detect sandboxes and other dynamic analysis tools (window names) 12->59 61 Hides threads from debuggers 12->61 63 Tries to detect sandboxes / dynamic malware analysis system (registry check) 12->63 22 rundll32.exe 16->22         started        25 WerFault.exe 18->25         started        27 WerFault.exe 2 16 20->27         started        29 WerFault.exe 20->29         started        signatures8 process9 signatures10 49 Hides threads from debuggers 22->49 51 Tries to detect sandboxes / dynamic malware analysis system (registry check) 22->51 31 WerFault.exe 23 16 22->31         started        process11
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e345b19eff4b3881d8b608fd14278ee602f2f9b2cbde8b248492f80b3514b121
Detection:
azorult
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e345b19eff4b3881d8b608fd14278ee602f2f9b2cbde8b248492f80b3514b121/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-10-24 00:52:10 UTC
File Type:
PE (Dll)
Extracted files:
22
AV detection:
16 of 23 (69.57%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4nc3dhx7jm4idwfwbd6rij4o4ybpf6nszppiwjeesl4awniuweqq._file
Verdict:
malicious
Similar samples:
eb8455a49caa35beaa645fb26a4b760a84e2abcce810b9261518fc978d6027c9
Metamorfo
f291b68a9b9889a01d736cb0079c8be1e3f576d19ba1f4762cf2302984455bd2
Metamorfo
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion trojan
Link:
https://tria.ge/reports/231031-pxxfnaaa83/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Checks BIOS information in registry
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Unpacked files
SH256 hash:
16bda1d6a37394d49462b7edf5b56fe4e79f0c43e719ceb04e9ed0dbdfbc7ebb
MD5 hash:
0a4adf37312b45a387196864d55f1000
SHA1 hash:
40a4927405d660f08ed92e70b575ae93ca847232
Link:
https://www.unpac.me/results/10b8804e-0afb-4d2c-bf59-8a0f506ac36d/
SH256 hash:
e345b19eff4b3881d8b608fd14278ee602f2f9b2cbde8b248492f80b3514b121
MD5 hash:
3aebe9048bc905a6e9c7e8deda7157ff
SHA1 hash:
00038b6c158a14ec7e301ccff839888aa4096184
Link:
https://www.unpac.me/results/10b8804e-0afb-4d2c-bf59-8a0f506ac36d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Metamorfo
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/e345b19eff4b3881d8b608fd14278ee602f2f9b2cbde8b248492f80b3514b121

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/457377/

Comments