MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f9452ba1966aee0e4c1713a6293c9551b3ff97d4fbf065696d4691ad339878b8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 3

Intelligence 3 IOCs YARA File information Comments

SHA256 hash:	f9452ba1966aee0e4c1713a6293c9551b3ff97d4fbf065696d4691ad339878b8
SHA3-384 hash:	16a753142e6998a11ddb0b96623a6daf515228a0fc3dda579d2865746cc19aac43f2a0532550454aec5479501cd6a651
SHA1 hash:	83bd473ab43c0b3ddcf2dfda16fcc73880e375fa
MD5 hash:	f03b9dca5327c2b42c7920d661bb5381
humanhash:	colorado-enemy-arizona-london
File name:	Google Update Setup.exe
Download:	download sample
File size:	152'064 bytes
First seen:	2020-04-03 08:52:51 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	d247eb32e40024e5ea2397d2ef97d776
ssdeep	3072:DTHg3cV3Uh7cWbpoZouthEkJY4RpJzJj0KAXYC/l:DThkhFIoSVJPL6XY
Threatray	52 similar samples on MalwareBazaar
TLSH	BCE39D4BFEA58531D49606F00C379791FF63BD269AF011AB6790761B5C233E088BCA4E
Reporter	Jirehlov
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

PUA.Win.Packer.Purebasic-2

PUA.Win.Packer.Upx-6

PUA.Win.Packer.Upx-4

Win.Dropper.Tiggre-7061386-0

SecuriteInfo.com.BAT.Starter.D.237.UNOFFICIAL

Gathering data

Threat name:

Win32.Trojan.Killmbr

Status:

Malicious

First seen:

2020-03-16 11:44:35 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

30 of 31 (96.77%)

Threat level:

5/5

Verdict:

malicious

1c6c9635f0c01cc93b504293351215058cf9ef8b62ca38ce71012a4875fbe0a4

2b2166f900572c98775661fd3905d86451e7470c2e548fe234f20f2069c93331

557fc548c91a029ed6f24456c57ac7c458fa53d2f042854297a167bdde569aff

5ef0b6ab46bb6853ddf281a6b12ca1b6c9d77a6b25a8db00e5f0771e793357a5

730a41a7656f606a22e9f0d68782612d6e00ab8cfe1260160b9e0b00bc2e442a

82732e47492148243ee3fb338c93d43b9a9984f39e3409327600cffc5766af1b

d92edeb61ad7636386c2b3f47a4bb95ca27489b4806a7088bf3c012b7619a5b1

f632b6e822d69fb54b41f83a357ff65d8bfc67bc3e304e88bf4d9f0c4aedc224

fc93e1dd000a589799d43e1f3ad70aa716a67f1be15512a6eaf6f0490828114a

+ 42 additional samples on MalwareBazaar

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/f9452ba1966a/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Link

https://www.bleepingcomputer.com/news/security/new-coronavirus-themed-malware-locks-you-out-of-windows/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high
CHECK_TRUST_INFO	Requires Elevated Execution (level:highestAvailable)	high

Reviews

ID	Capabilities	Evidence
SHELL_API	Manipulates System Shell	SHELL32.dll::ShellExecuteExA
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.DLL::CreateProcessA KERNEL32.DLL::CloseHandle
WIN_BASE_API	Uses Win Base API	KERNEL32.DLL::TerminateProcess KERNEL32.DLL::LoadLibraryA KERNEL32.DLL::GetCommandLineA
WIN_BASE_IO_API	Can Create Files	KERNEL32.DLL::CreateDirectoryA KERNEL32.DLL::CreateFileA KERNEL32.DLL::DeleteFileA KERNEL32.DLL::GetTempFileNameA KERNEL32.DLL::GetTempPathA
WIN_USER_API	Performs GUI Actions	USER32.dll::PeekMessageA USER32.dll::CreateWindowExA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample