MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e832fe2b9251b58442d1c9e380ae5f5d338af57a43329f79786e333c15507ec4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 6

SHA256 hash: e832fe2b9251b58442d1c9e380ae5f5d338af57a43329f79786e333c15507ec4
SHA3-384 hash: b60b62e6e44911c983038955a9ce88236370667851caff5ed38d962702498c18cd1bf4c50308845835c260de76e5116f
SHA1 hash: 5303a417bbab160923b15c4702836fdb20cf58b3
MD5 hash: 8a5d1e11c3d30417bdaeb869346b69e6
humanhash: yellow-muppet-october-undress
File name: Dr.Fone_v3.8.bin
File size: 928'706 bytes
First seen: 2020-09-03 14:43:19 UTC
Last seen: 2020-09-03 15:57:37 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: a1a66d588dcf1394354ebf6ec400c223 (49 x RedLineStealer, 7 x CryptBot, 4 x AZORult)
ssdeep: 12288:z5393whFOBbJ3KJEPMvYMAAqYuV4+zAgBflEapmSE2TUd7ny2kY:z53uhFW3KJEPMv1HupzDjEaEBEUdby/Y
Threatray: 14 similar samples on MalwareBazaar
TLSH: 2415E0EDB3A291FDC483393994255B30F5EBEA388330C3DA03D6550C5D7AAD65DBA260
Reporter: JAMESWT_WT

Intelligence


File Origin
# of uploads: 3
# of downloads: 77
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching a process
DNS request
Delayed writing of the file
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Enabling the 'hidden' option for recently created files
Searching for the window
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Threat name: Unknown
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Contains functionality to register a low level keyboard hook
Delayed program exit found
Drops PE files with a suspicious file extension
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Suspicious Certutil Command
Uses nslookup.exe to query domains
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Behaviour
Behavior Graph (ID 281650; sample Dr.Fone_v3.8.bin; start date 03/09/2020; architecture WINDOWS; score 100), recovered from the flattened graph text:

Sample-level signatures: Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; Sigma detected: Drops script at startup location; 4 other signatures

Process tree:
  Dr.Fone_v3.8.exe
    dropped: C:\Users\user\...\lZaAeJGTxYLdiJNWVh.com (COM)
    signature: Contains functionality to register a low level keyboard hook
    cmd.exe
      cmd.exe
        dropped: C:\Users\user\AppData\Local\Temp\...\lsm.com (PE32)
        signature: Uses ping.exe to sleep
        lsm.com
          signatures: Multi AV Scanner detection for dropped file; Drops PE files with a suspicious file extension
          lsm.com
            DNS: eeq.eeq
            dropped: C:\Users\user\AppData\...\mintSoftware.com (PE32); C:\Users\user\AppData\...\mintSoftware.url (MS)
            signatures: Uses nslookup.exe to query domains; Writes to foreign memory regions; Maps a DLL or memory area into another process
            nslookup.exe
              network: eebucks.com 217.8.117.29, ports 49730, 49740, 80 (CREXFEXPEX-RUSSIARU, Russian Federation)
              signature: Delayed program exit found
        PING.EXE
          network: 127.0.0.1
        PING.EXE
          DNS: Qojli.cCMlh
        certutil.exe
      conhost.exe
    cmd.exe
      signature: Drops PE files with a suspicious file extension
      conhost.exe
Threat name: Win32.Trojan.Bluteal
Status: Malicious
First seen: 2020-08-23 17:11:03 UTC
File Type: PE (Exe)
Extracted files: 9
AV detection: 22 of 29 (75.86%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
Runs ping.exe
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Suspicious use of AdjustPrivilegeToken
Drops file in Windows directory
Suspicious use of SetThreadContext
Drops startup file
Loads dropped DLL
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments