MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e6ecad8148c06e8e0fa14f1e3c9026703891b291c25180fe4936260c967d1c15. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 2



SHA256 hash: e6ecad8148c06e8e0fa14f1e3c9026703891b291c25180fe4936260c967d1c15
SHA3-384 hash: a456fd05a8451259ba3f7ac15e0eac95c2ac881d7cb433a3e09ab0c9995822c4bc34365170735a3e7fbe2a01ab637f00
SHA1 hash: b00426007ebeef662736087ca828a075179a48ae
MD5 hash: 28722f39887a80ea4d78972865fc43f7
humanhash: foxtrot-angel-island-quiet
File name: 1.dll
File size: 115'200 bytes
First seen: 2021-09-24 08:42:54 UTC
Last seen: 2021-09-24 09:54:27 UTC
File type: Executable exe
MIME type: application/x-dosexec
ssdeep: 1536:5unMWo3ItOu6JE6iAT2Z4iGekSPmgcXsFVNeNRyssQ6SJVk6nh1ZE5:MnNaItY6X6i51MuVwNRqJEVk6ru5
Threatray: 10 similar samples on MalwareBazaar
TLSH: T142B3D0F23F98C209EF3DBEB8699AE8108D76DF57119E43D701406C6B6DF53D9482A068
Reporter: 0x3c7
Tags: dll exe iso

Intelligence

File Origin
# of uploads: 2
# of downloads: 121
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 1.dll
Verdict: No threats detected
Analysis date: 2021-09-24 08:44:53 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Threat name: Unknown
Detection: malicious
Classification: troj.evad
Score: 68 / 100

Signatures
Creates an autostart registry key pointing to binary in C:\Windows
Sigma detected: CobaltStrike Load by Rundll32
Sigma detected: UNC2452 Process Creation Patterns
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep

Behaviour
Behavior Graph: [process graph rendered as a figure on the original page; Behavior Graph ID 489664, sample 1.dll, start date 24/09/2021, architecture WINDOWS, score 68. Nodes: loaddll64.exe, rundll32.exe, cmd.exe, PING.EXE, conhost.exe, reg.exe and timeout.exe processes; DNS lookups of clientconfig.passport.net and a-0019.a.dns.azurefd.net; the Sigma, ping.exe and autostart-registry-key signatures listed above.]
Result
Malware family: n/a
Score: 6/10
Tags: persistence

Behaviour
Delays execution with timeout.exe
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Adds Run key to start application

Unpacked files
SHA256 hash: e6ecad8148c06e8e0fa14f1e3c9026703891b291c25180fe4936260c967d1c15
MD5 hash: 28722f39887a80ea4d78972865fc43f7
SHA1 hash: b00426007ebeef662736087ca828a075179a48ae
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: crime_generic_DLL_exports_Sep2021_1
Author: Nils Kuhnert
Description: Triggers on malicious DLLs distributed alongside LNK files in ISO attachments.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by: SHA256 aafa35279420a6bf5333028e089d29b2083c22b27bd5af713ae2c93864af9c57 (parent of this sample, Executable exe e6ecad8148c06e8e0fa14f1e3c9026703891b291c25180fe4936260c967d1c15)
Delivery method: Distributed via e-mail attachment
