MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ecf763f4bacb053f371a3c84421af642694013c2a3ed2a451c8269b1ab2d71ca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ecf763f4bacb053f371a3c84421af642694013c2a3ed2a451c8269b1ab2d71ca
SHA3-384 hash: 44e385dcdd89f1eff3944ac54727e25b2e97e990f90c46ac7d64c803f7e71c2f0febbb69532258010026f4c86edbc13a
SHA1 hash: 160adb6fda866cac0231daea654d4aa8843c23e9
MD5 hash: bede1b60932c3176bfcfb1f04d9cff9e
humanhash: sink-lima-tango-lithium
File name:ecf763f4bacb053f371a3c84421af642694013c2a3ed2a451c8269b1ab2d71ca
Download: download sample
File size:1'617'920 bytes
First seen:2022-08-03 10:28:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a00164459a73eecbdd307551bd77b018
ssdeep 24576:3DaZLRX5ojPBB/D5HeV97FjAqDq2rTNXc4iDb+etf6JIpUHDpAqIoXUOry:OZFmNu5lD7s4iX+ewqaqqIoI
Threatray 13'990 similar samples on MalwareBazaar
TLSH T1AF7512C2ED581A76D4721BF09023A4BCE4B50ED12D38D57B43F1B6A7F6F22A1593A183
TrID 38.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
20.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
13.0% (.EXE) Win64 Executable (generic) (10523/12/4)
8.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 6327161b1b1b4908
Reporter JAMESWT_WT
Tags:exe Hangzhou Saifan Technology Co. Ltd.

Intelligence

File Origin
# of uploads :
1
# of downloads :
301
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ecf763f4bacb053f371a3c84421af642694013c2a3ed2a451c8269b1ab2d71ca
Verdict:
Suspicious activity
Analysis date:
2022-08-03 10:33:03 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c0a8d67f-d02d-4459-8b2d-e38b7fd53f54

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/296157/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a window
Creating a file in the Windows directory
Enabling the 'hidden' option for recently created files
Creating a service
Launching a service
Loading a system driver
Creating a file in the Windows subdirectories
Enabling autorun for a service
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62ea4e3ab7eec6562787db10/reports/5bfdc8b1-6967-4948-88b4-e95f50439813/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/323d5fbc-d7a7-40ef-86b9-d5f6bd30db32
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1045527
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found driver which could be used to inject code into processes
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Sample is not signed and drops a device driver
Tries to detect virtualization through RDTSC time measurements
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ecf763f4bacb053f371a3c84421af642694013c2a3ed2a451c8269b1ab2d71ca/
Threat name:
Win32.Trojan.Bsymem
Create hunting rule
Status:
Malicious
First seen:
2022-05-24 19:38:54 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5t3wh5f2zmct6ny2hsceegxwijuuae6cupwsuri4qju3dkznohfa._file
Verdict:
malicious
Similar samples:
18a5c872854f70b391af0696978bfb35d8ae08059971dd9eb8219f5aef40c026
1e857555be92a0e4bfa8c0e5dc5b7b91a08e6daea0036e3bf23d3d3de79e495f
7b483b575f88d063ec7d84405be25d5d29579133e9951e5f7b5e2b0d9632472f
887aae4c40ef5ac852dcb98c50598ae087e21ba02456b35da67365fcfa6fea9b
8ec16e4c4fd0a80322418ea661e4dd3b427f7369078d85f64069588624752bdc
9c7feb98fb5804f1f80dd03db1f84a06b68ea6043d2d34ab53edce82b83827b2
9f665e80fd30880ad8a4e5955dcc7159d05d89dbaa691d7e4d162d402952b4e9
ab631126a17db88906bb50154d9f7c064a3fb8d4d2ff29863705786bca72e30f
+ 13'980 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/220803-mh85ssaag9/
Behaviour
Suspicious behavior: LoadsDriver
Suspicious use of SetWindowsHookEx
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Unpacked files
SH256 hash:
ecf763f4bacb053f371a3c84421af642694013c2a3ed2a451c8269b1ab2d71ca
MD5 hash:
bede1b60932c3176bfcfb1f04d9cff9e
SHA1 hash:
160adb6fda866cac0231daea654d4aa8843c23e9
Link:
https://www.unpac.me/results/14c1310f-7920-4925-86fd-dbb530179bce/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/ecf763f4bacb053f371a3c84421af642694013c2a3ed2a451c8269b1ab2d71ca

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/296157/

Comments