MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e52ea54cfe3afd93a53e368245c5630425e326291bf1b2599b75dbf8e75b7aeb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e52ea54cfe3afd93a53e368245c5630425e326291bf1b2599b75dbf8e75b7aeb
SHA3-384 hash: 444e34a5722bd59d9de3f9071b8b228628bc7f05e8245201ae1e3eeb3c2d364f33e8fdc10433b666c682f58a4e0f31e0
SHA1 hash: b919c61e0546e320353fa52fe4c377a95b80f4f3
MD5 hash: 1529176ad0bb4ef126074c0cf22f5361
humanhash: mexico-six-six-timing
File name:e52ea54cfe3afd93a53e368245c5630425e326291bf1b2599b75dbf8e75b7aeb
Download: download sample
File size:8'621'656 bytes
First seen:2021-07-12 07:06:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 91802a615b3a5c4bcc05bc5f66a5b219 (18 x Glupteba, 6 x Rhadamanthys, 3 x CobaltStrike)
ssdeep 49152:XwmLWBVVEX2Fbo8APNr9Sqco2oLDuPi6Ef3wZo0NHJhiIBwpYbMcyI0hAOqVGt3V:AayymFs8APNrvKUuw3GbW+A3
Threatray 38 similar samples on MalwareBazaar
TLSH T1F7969F13FCA544F9C1FEF130866697227A7178A9833177A31F9896961A66FD0BB3D300
Reporter JAMESWT_WT
Tags:BIOPASS exe signed

Code Signing Certificate

Organisation:Rhaon Entertainment Inc
Issuer:thawte SHA256 Code Signing CA
Algorithm:sha256WithRSAEncryption
Valid from:2019-01-02T00:00:00Z
Valid to:2021-03-02T23:59:59Z
Serial number: 06808c5934da036a1297a936d72e93d4
Intelligence: 35 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: b3ba6284885eadff7d2f7469c8c4aa2facc804ef21e54266fc543cc28e7c0cd4
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
116
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e52ea54cfe3afd93a53e368245c5630425e326291bf1b2599b75dbf8e75b7aeb
Verdict:
No threats detected
Analysis date:
2021-07-12 07:29:42 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/73b08048-8e84-4268-a65d-aa76c504294d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/170924/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader36.63453.5414.31623.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/afd7217f-4ec1-41bc-93aa-f6625a6e5b3b
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
66 / 100
Link:
https://www.joesandbox.com/analysis/814749
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Sigma detected: Execution from Suspicious Folder
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 447157 Sample: jMsROA4853 Startdate: 12/07/2021 Architecture: WINDOWS Score: 66 42 Antivirus detection for dropped file 2->42 44 Antivirus / Scanner detection for submitted sample 2->44 46 Multi AV Scanner detection for dropped file 2->46 48 3 other signatures 2->48 7 jMsROA4853.exe 7 2->7         started        process3 dnsIp4 40 fuck.flashi.com.cn 8.210.108.117, 49742, 49744, 49747 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC Singapore 7->40 28 C:\Users\Public\Music\flash.exe, PE32 7->28 dropped 11 cmd.exe 3 7->11         started        14 cmd.exe 1 7->14         started        16 powershell.exe 17 7->16         started        file5 process6 file7 30 C:\Users\Public\Videos\system.exe, PE32+ 11->30 dropped 32 C:\Users\...\system.exe:Zone.Identifier, ASCII 11->32 dropped 18 conhost.exe 11->18         started        20 flash.exe 3 230 14->20         started        24 conhost.exe 14->24         started        26 conhost.exe 16->26         started        process8 dnsIp9 34 36d6250f.tweb.sched.ovscdns.com 101.33.11.110, 443, 49753, 49755 TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN China 20->34 36 36d6250d.tweb.sched.ovscdns.com 211.152.136.89, 443, 49752 TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN China 20->36 38 6 other IPs or domains 20->38 50 Detected unpacking (changes PE section rights) 20->50 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e52ea54cfe3afd93a53e368245c5630425e326291bf1b2599b75dbf8e75b7aeb/
Threat name:
Win64.Backdoor.BountyGlad
Create hunting rule
Status:
Malicious
First seen:
2021-03-02 16:31:22 UTC
File Type:
PE+ (Exe)
Extracted files:
14
AV detection:
8 of 46 (17.39%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
02efd5f4d8dedabeab8e75f3e49a8fdb05c28dfd39bc1e5c96e8213fe3212e9f
3175976cea0ac6b13312f1922423fca3f3d0bf99848f6b575c1063ed0f0cb8f4
4961954c47ef2395dd73b8cc4bb36827f71e08a13f9ec4cc1daba51715334fc9
4c433048f3e18eac45505cc860215a304e3bc9267cef376f65af100424d36b7f
6b01eeef147d9e0cd6445f90e55e467b930df2de5d74e3d2f7610e80f2c5a2cd
6ee8f6a0c514a5bd25f7a32210f4b3fe878d9d417a7ebe07befc285131bae10e
9b921d4c8c3eea84615365d78a2e7223ebf42764aa1b61122762b950bee3ea4a
a5a4d88e2fe16d319aef6f7550ca2379d253a943d467dedc21e7ea3deb19410e
a8f0dbc38f4fa81b8dc71d6a69df4a5a9963ad57de7c491a61044dbe42f586e5
f2a8bdf135caca0d7359a7163a4343701a5bdfbc8007e71424649e45901ab7e2
+ 28 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/210712-dcj3w7q3es/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Executes dropped EXE
Unpacked files
SH256 hash:
e52ea54cfe3afd93a53e368245c5630425e326291bf1b2599b75dbf8e75b7aeb
MD5 hash:
1529176ad0bb4ef126074c0cf22f5361
SHA1 hash:
b919c61e0546e320353fa52fe4c377a95b80f4f3
Link:
https://www.unpac.me/results/43e5dab1-1ea9-4e48-b786-2e5e85cf213f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.03
Link:
https://yomi.yoroi.company/submissions/e52ea54cfe3afd93a53e368245c5630425e326291bf1b2599b75dbf8e75b7aeb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:adonunix2
Create hunting rule
Author:Tim Brown @timb_machine
Description:AD on UNIX
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:IPPort_combo_mem
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/170924/

Comments