MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ee65930105d9e058d574cc2ede4d4625dd738b115cec21a0830753ea6a0bcc3d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 3


Intelligence 3 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ee65930105d9e058d574cc2ede4d4625dd738b115cec21a0830753ea6a0bcc3d
SHA3-384 hash: 5363b81ace4107e5396f6d8ba62e20c3bc3642344c268b96f71df45f607dfbe8bffd2cf6a1d4e1a1ecf18922a4af1faa
SHA1 hash: 584a74f25b63136457c89b35b9464c70719ad10d
MD5 hash: 642f95753c5174c43c3ecd14ee8a2531
humanhash: louisiana-princess-angel-pasta
File name:ee65930105d9e058d574cc2ede4d4625dd738b115cec21a0830753ea6a0bcc3d
Download: download sample
File size:360'448 bytes
First seen:2020-03-23 15:58:22 UTC
Last seen:2020-03-23 16:17:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4047ade11825c3992f855c619717151d
ssdeep 6144:ILEDUSAKeC/pNJoeIysG3LUa+7pwA4U4ELdn2ifW+z8DV7fH+ki7F6/:JAKeC/pN6i3oaTPGLMwWO8xbTG6
Threatray 239 similar samples on MalwareBazaar
TLSH 6D74CF11F5E1B031D1B342B24A24EB0216BEBDB25A766D6B7BDC0D8C1E345D1A736B23
Reporter Marco_Ramilli
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
84
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2019-06-18 01:42:21 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
23096a2bc9feeabd37a9704d0653f4628ef740cdfe24af364ee09d379ec39d95
4447dee4424f298d64e15a4ba543090afe27afc9b839cb186ce4ddad3ca6e6b7
60eb2878e6ae481bcc0945d0cfaa8d2b8cca6e576da62804d9081662a0ed372b
9f9ec018f395592b0cd8726972e6bf1400eeb13b8535cf314de5f135bb65fdec
b927203812bd5776ed375a59e3131046750b5050b3847bf79f61a491026f1b25
c3ed8705aecf16a07e86717d4dd6a33847cf0b87bb2d58e56a502bbf952d5f03
f402a9ec5c591f5aec5177bdd33794319ac3e69fd31dd553e80db9824c09ae91
f568ba27a1779678459b3f2920a25973e34ed44c294c6bda0170f19a5b7f5ab6
f99723f1961f7ba1ea05a528a60558df653fac5a4046cfa70865419548e51fc8
fce4810786155e188851f14000159c67656b152b5e1bf6f1aafa27dce4837a49
+ 229 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sodinokobi
Create hunting rule
Author:McAfee ATR team
Description:This rule detect Sodinokobi Ransomware in memory in old samples and perhaps future.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe ee65930105d9e058d574cc2ede4d4625dd738b115cec21a0830753ea6a0bcc3d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/209979/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AddAccessAllowedObjectAce
ADVAPI32.dll::SetSecurityDescriptorControl
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleOutputA
KERNEL32.dll::WriteConsoleW
KERNEL32.dll::PeekConsoleInputW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetConsoleCtrlHandler
KERNEL32.dll::SetStdHandle
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExA

Comments