MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e3623c2440b692f6b557a862719dc95f41d2e9ad7b560e837d3b59bfe4b8b774. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Lazarus


Vendor detections: 5
SHA256 hash: e3623c2440b692f6b557a862719dc95f41d2e9ad7b560e837d3b59bfe4b8b774
SHA3-384 hash: bd95bb9dcd1106cc11b595e78563175e20960d7a820ead71e6069499a22ed8629df0307b49e8c9566638a73c2a4c8af6
SHA1 hash: b040433fb50d679b2e287d7fcc1667a415fb60b0
MD5 hash: 24b3614d5c5e53e40b42b4e057001770
humanhash: asparagus-gee-lemon-enemy
File name: 24b3614d5c5e53e40b42b4e057001770
Signature: Lazarus
File size: 30'330'443 bytes
First seen: 2021-02-18 01:19:54 UTC
Last seen: 2021-02-18 02:35:40 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: cbc19a820310308f17b0a7c562d044e0 (1 x Lazarus)
ssdeep: 786432:Dj2fi5nBGPBMNekleUtOaZ13vcdkIXX0kfp:+65AP+QAeUtOKvc+c0kR
Threatray: 2 similar samples on MalwareBazaar
TLSH: F467231752A1C02EF5B11832DD5F9DF2D2992CB3CA312B47B690FE287DF11817A53A1A
Reporter: c3rb3ru5d3d53c2
Tags: Lazarus

Intelligence


File Origin
# of uploads: 2
# of downloads: 143
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Clean
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a file
Deleting a recently created file
Creating a process from a recently created file
Creating a window
Launching a process
Sending a UDP request
Result
Verdict: UNKNOWN
Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 60 / 100
Signature
Changes security center settings (notifications, updates, antivirus, firewall)
Injects code into the Windows Explorer (explorer.exe)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Behavior Graph ID: 354510; Sample: zj98tFdVjF; Startdate: 18/02/2021; Architecture: WINDOWS; Score: 60. Information recoverable from the graph rendering:
Contacted hosts: unioncrypto.vip, cdn.onenote.net, 192.168.2.1 (unknown), 127.0.0.1 (unknown)
Processes started: zj98tFdVjF.exe (spawning a second zj98tFdVjF.exe), UnionCryptoUpdater.exe, svchost.exe (spawning MpCmdRun.exe, which spawns conhost.exe), msiexec.exe and explorer.exe (spawned by the child zj98tFdVjF.exe), plus 11 other processes
Dropped files: C:\Users\user\AppData\...\zj98tFdVjF.exe (PE32); C:\Users\...\zj98tFdVjF.exe:Zone.Identifier (ASCII)
Signatures on the sample: Multi AV Scanner detection for domain / URL; Multi AV Scanner detection for submitted file
Signatures on UnionCryptoUpdater.exe: contacts unioncrypto.vip; Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Signatures on svchost.exe: Changes security center settings (notifications, updates, antivirus, firewall)
Signatures on the child zj98tFdVjF.exe: Multi AV Scanner detection for dropped file; Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions
Threat name: Win32.Trojan.UnionCryptoTrader
Status: Malicious
First seen: 2021-02-17 07:05:21 UTC
File Type: PE (Exe)
Extracted files: 28
AV detection: 8 of 28 (28.57%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates connected drives
Loads dropped DLL
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Other

Comments