MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e45164555700bc491659b55361a3c3fd44a7b1c411aa8f2e32ed11c4ec703ee6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 4


Intelligence 4 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e45164555700bc491659b55361a3c3fd44a7b1c411aa8f2e32ed11c4ec703ee6
SHA3-384 hash: 371c171954b330a31c1e8537a5adfb104c067013058f0c5bb868b434f91bcf23006b8457c23368b963ac85883a6f875f
SHA1 hash: ebaa385ca38e1cc94c2cea2b629169b22ed19dcf
MD5 hash: a115f8ce5297ee91348fec49889eea23
humanhash: chicken-golf-mirror-foxtrot
File name:a115f8ce5297ee91348fec49889eea23
Download: download sample
File size:6'457'344 bytes
First seen:2021-06-26 04:07:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b07ab959f99397ac2b65e475966d4148
ssdeep 196608:5xCpGLeUrrz3yY6SpyVYbVudVyNuWAD3:2ODPz3ygpz8dVyD
Threatray 87 similar samples on MalwareBazaar
TLSH 3656237726660146C0EACC3A992B7DE4B1F197365F82DC7816EA6DC023328F5F31B952
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
107
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a115f8ce5297ee91348fec49889eea23
Verdict:
No threats detected
Analysis date:
2021-06-26 04:08:05 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/dab975c7-d5a3-443a-978f-aa189c6b4d56

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/168414/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.27425.18870.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/40ac547b-b65b-42ce-96f2-655080074368
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/808380
Signature
Antivirus / Scanner detection for submitted sample
Detected VMProtect packer
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction which cause usermode exception
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e45164555700bc491659b55361a3c3fd44a7b1c411aa8f2e32ed11c4ec703ee6/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-06-26 04:08:10 UTC
AV detection:
16 of 46 (34.78%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
22a49fd2468178e5b33cad08985adde50f0530a33260affc58bee6b2401005a9
4098b54c9d27b00ce34d04ffac24213ed28993a2854827851b157d63407c2e4e
477ea4ac94a63aa7e55baf53f5a0fba0e264f3c155f413edc03da1f5181d9999
4aef3c75f9d11a676991551a14ab76a0fe502f4cffd27701ce7cbf5581fd796f
4f4a33f70099855f5f503716515f388da3a5daa1e2fac59ec6c881e89ef7d072
e254c8211a93032ccb0c99d0e912120264a71bbf3aff978b54afeb4b14263342
eebd330208d3021ba7caf06e78588daaa3e9de826c373025aad1bea09a94865d
f822a951f06c56d5b907aa500c60a832faccbcb603a38a330cd53ad683a7adda
fc0eee220cef0c364edb4cb6ff45e12b2d3c035b2be1072c627e40c4a298ea72
fc8f0522f5dcffc6ef41ce4c075a245d3f1ee55dda8a63c647eee6fdba4da25a
+ 77 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
vmprotect
Link:
https://tria.ge/reports/210626-5k3tjkgx4s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
VMProtect packed file
Unpacked files
SH256 hash:
b9c2c23b3c61f32683470a6d6f3d25d8f85bfc8ba071ee18985f72a562e86b68
MD5 hash:
dc40e33abc452a63713f6a71285b71b8
SHA1 hash:
d940464d9bd8d8ae5ce91cd8562dca2a9962ee4b
Link:
https://www.unpac.me/results/c0cea41c-2ec5-44cc-a8fe-745b6cf830b7/
SH256 hash:
d4ec5d63863e1504264bb2a9e71dcfadee8bbb7e4e9a9034138d5a057af636d0
MD5 hash:
56d41f745f3679da7ae4697eaac933e5
SHA1 hash:
e0cae0d4af2aca1a4a2665aa36d8284686e16553
Link:
https://www.unpac.me/results/c0cea41c-2ec5-44cc-a8fe-745b6cf830b7/
SH256 hash:
e45164555700bc491659b55361a3c3fd44a7b1c411aa8f2e32ed11c4ec703ee6
MD5 hash:
a115f8ce5297ee91348fec49889eea23
SHA1 hash:
ebaa385ca38e1cc94c2cea2b629169b22ed19dcf
Link:
https://www.unpac.me/results/c0cea41c-2ec5-44cc-a8fe-745b6cf830b7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.14
Link:
https://yomi.yoroi.company/submissions/e45164555700bc491659b55361a3c3fd44a7b1c411aa8f2e32ed11c4ec703ee6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with VMProtect.
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe e45164555700bc491659b55361a3c3fd44a7b1c411aa8f2e32ed11c4ec703ee6

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/168414/

Comments