MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e3e22fc13470b9e42503c6b6add667cc3366a167b88dd99b14366b70926b31ca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 2

Intelligence 2 IOCs YARA File information Comments

SHA256 hash:	e3e22fc13470b9e42503c6b6add667cc3366a167b88dd99b14366b70926b31ca
SHA3-384 hash:	aca3bb568432a6fc8a8e18199d22b7e22d037aa3aa4234fe03ed6c9fe84ceb10eaf28baab17e2e261d589eb162d66417
SHA1 hash:	756d891e00898b714ce87da78e7db1ab1a75c6ad
MD5 hash:	b522e74f924632cc63f96409735a7305
humanhash:	winner-massachusetts-two-eight
File name:	e3e22fc13470b9e42503c6b6add667cc3366a167b88dd99b14366b70926b31ca
Download:	download sample
File size:	6'383'576 bytes
First seen:	2020-03-23 16:24:28 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	483f0c4259a9148c34961abbda6146c1 (17 x ValleyRAT, 8 x AsyncRAT, 7 x QuasarRAT)
ssdeep	196608:Ssp3c1OtMnvkOhSN3SUtK9yTFK5uyyAoDa:SsxftMnvkiySUteC7xL+
TLSH	B7563332B3C2C872E15106BC9C16E1586D37BD242DF9A4693EFDCB8D4E79282687D291
Reporter	Marco_Ramilli
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

PUA.Win.Malware.Speedingupmypc-6718419-0

PUA.Win.Packer.Pequake-4

SecuriteInfo.com.Trojan.DownLoader13.67.UNOFFICIAL

Gathering data

Threat name:

Win32.Trojan.Ramnit

Status:

Malicious

First seen:

2017-03-24 19:10:39 UTC

AV detection:

20 of 44 (45.45%)

Threat level:

5/5

Verdict:

unknown

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe e3e22fc13470b9e42503c6b6add667cc3366a167b88dd99b14366b70926b31ca

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/163817/

Delivery method

Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high
CHECK_TRUST_INFO	Requires Elevated Execution (level:requireAdministrator)	high

Reviews

ID	Capabilities	Evidence
SECURITY_BASE_API	Uses Security Base API	advapi32.dll::AdjustTokenPrivileges
WIN32_PROCESS_API	Can Create Process and Threads	kernel32.dll::CreateProcessW advapi32.dll::OpenProcessToken kernel32.dll::CloseHandle
WIN_BASE_API	Uses Win Base API	kernel32.dll::LoadLibraryExW kernel32.dll::LoadLibraryW kernel32.dll::GetSystemInfo kernel32.dll::GetStartupInfoA kernel32.dll::GetDiskFreeSpaceW kernel32.dll::GetCommandLineW
WIN_BASE_IO_API	Can Create Files	kernel32.dll::CreateDirectoryW kernel32.dll::CreateFileW kernel32.dll::DeleteFileW kernel32.dll::GetWindowsDirectoryW kernel32.dll::GetFileAttributesW kernel32.dll::FindFirstFileW
WIN_BASE_USER_API	Retrieves Account Information	advapi32.dll::LookupPrivilegeValueW
WIN_REG_API	Can Manipulate Windows Registry	advapi32.dll::RegOpenKeyExW advapi32.dll::RegQueryValueExW
WIN_USER_API	Performs GUI Actions	user32.dll::PeekMessageW user32.dll::CreateWindowExW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample