MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ea6bafd96818930f83200987d64c970ad03afcae9d69fbde9dd18f2ace154a99. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Dharma


Vendor detections: 3


Intelligence 3 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ea6bafd96818930f83200987d64c970ad03afcae9d69fbde9dd18f2ace154a99
SHA3-384 hash: 35db05448584bc06311b26c58dc735b7fc4a7f1f5d03403b9283d96be0d13f5aa5e91880c66d3ea763d88131e3dc846e
SHA1 hash: 435dd07d0f04aec7da02d66b665573e3ee4fe80d
MD5 hash: e6eb304d38c6426faa5eaa3576dd72c3
humanhash: bulldog-colorado-jersey-triple
File name:1testserver.exe
Download: download sample
Signature Dharma
Create hunting rule
File size:540'160 bytes
First seen:2020-03-24 03:53:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fd44c9faedcbda650077f5e6fa038938 (1 x Dharma)
ssdeep 12288:KJzUXNiNnAqFMOg4J6H2Ewuedhx4oUK41HnntYKJ:7elgh6uedhY7ZntYKJ
Threatray 54 similar samples on MalwareBazaar
TLSH 6FB4E122B2E08C3EE4B306F91D355F959A3AF83547E19ACF63841E1E4C757D0463E6A2
Reporter Jirehlov
Tags:Dharma exe Ransomware

Intelligence

File Origin
# of uploads :
1
# of downloads :
2'132
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Dropback
Create hunting rule
Status:
Malicious
First seen:
2020-03-23 19:48:21 UTC
File Type:
PE (Exe)
Extracted files:
14
AV detection:
27 of 31 (87.10%)
Threat level:
  2/5
Verdict:
malicious
Similar samples:
0424b503bc1150372d0e31c85f9cef36d0b656a7c0d3f59663e6a468d0d7ba00
Dharma
227d13f9a142cc6f050b7761e6c6e1bae712c4440730ec71c84e5acb274555e3
Dharma
2d0eb35f04745646d8c6eb3d1ab1c3e8bc8c30f1a9dc0ad89ea260e898ed9d4e
Dharma
2f2e75affe9217c7211043936678fb1777e2db4a8f1986b8805ddb1e84e9e99b
Dharma
45e9481702b87e03705d35c12c5a8a3d795d42f91d562cba539999846c729686
Dharma
4ae809a33d01626e77dcfd591902815692405d2fa1f6ae7df13ca248507e4562
Dharma
65ac9daf3070161ac996fb8946632599547f1c9450d7dcd0f8dc1c85b4e8b3b7
Dharma
6985917d29596b66d9bbc745a13d5577110d9b0408719c5559d23dd59a9e4f0b
Dharma
b23eb66e588b47a73b393c87467b0b2b0431d9d346368efeaa36a76c7877cd27
Dharma
c855a83b6b0b51c9e9bc1b2676d5644f1c578b87734517ce63820ca33d155707
Dharma
+ 44 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MAL_Ransomware_Wadhrama
Create hunting rule
Author:Florian Roth
Description:Detects Wadhrama Ransomware via Imphash
Reference:Internal Research
Rule name:win_dharma_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::SetEntriesInAclW
ADVAPI32.dll::InitializeSecurityDescriptor
RAS_APIUses Remote AccessRASAPI32.dll::RasGetSubEntryHandleW
RASAPI32.dll::RasGetSubEntryPropertiesW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleCP
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW
KERNEL32.dll::GetSystemDirectoryA
KERNEL32.dll::GetTempPathA
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::GetUserNameW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyA
ADVAPI32.dll::RegCreateKeyExA
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExA
ADVAPI32.dll::RegSetValueExA
WIN_SOCK_APIUses Network to send and receive dataWS2_32.dll::WSALookupServiceEnd
WS2_32.dll::WSANtohs
WS2_32.dll::WSAProviderConfigChange
WIN_USER_APIPerforms GUI ActionsUSER32.dll::FindWindowExA
USER32.dll::FindWindowA
USER32.dll::CreateWindowExA

Comments