MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fd59571b52f8bfc7244a8ecf6cc057f1690964091b7141227ddd8315bba4d93a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 4

SHA256 hash: fd59571b52f8bfc7244a8ecf6cc057f1690964091b7141227ddd8315bba4d93a
SHA3-384 hash: ebd4c23a6381c7c1c2fca4adbc6f6bd48a7fc274469da262fbc1f29c48623196cb73efe46cd7faf8da4f648e268a8708
SHA1 hash: 1881044258f1cc1d956586b36c2941f198d900b7
MD5 hash: 9492f527b9191d6d652489bfbddace89
humanhash: edward-charlie-alpha-skylark
File name: handler.sfx.exe
File size: 320'071 bytes
First seen: 2020-11-05 04:29:24 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep: 6144:5dRVzSkGTxSLD8uq5CaOPs47bhqUdUtX+t49fkVjW:5hqxSLo5C1Ps4XhitX+t498VjW
Threatray: 271 similar samples on MalwareBazaar
TLSH: 0B64B002B9C189B2D53219355A39AB11693D7C301F28CEEFA3E4696DDB311D1B634BB3
Reporter: TCMYT_

Intelligence


File Origin
# of uploads: 1
# of downloads: 93
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Launching a process
Using the Windows Management Instrumentation requests
Creating a process with a hidden window
Creating a file
Unauthorized injection to a recently created process
Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 56 / 100
Signature
Antivirus detection for dropped file
Binary contains a suspicious time stamp
Disables Windows Defender (via service or powershell)
Behaviour
Behavior Graph (ID 309555, sample handler.sfx.exe, start date 05/11/2020, architecture WINDOWS, score 56):
  [root] signatures: Binary contains a suspicious time stamp; Disables Windows Defender (via service or powershell)
  handler.sfx.exe (started)
    dropped file: C:\Users\user\AppData\Local\...\handler.exe (PE32)
    handler.exe (started)
      signatures: Antivirus detection for dropped file; Disables Windows Defender (via service or powershell)
      powershell.exe (started)
        conhost.exe (started)
      powershell.exe (started)
        conhost.exe (started)
      powershell.exe (started)
        conhost.exe (started)
      11 other processes (started)
        conhost.exe x3 (started)
        8 other processes (started)
Threat name: ByteCode-MSIL.Trojan.AntiWD
Status: Malicious
First seen: 2020-11-05 04:31:03 UTC
AV detection: 29 of 48 (60.42%)
Threat level: 5/5
Result
Malware family: n/a
Score: 10/10
Tags: evasion trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Loads dropped DLL
Windows security modification
Executes dropped EXE
Contains code to disable Windows Defender
Modifies Windows Defender Real-time Protection settings
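The sandbox results above describe a chain worth turning into telemetry logic: a dropper writes handler.exe under %LOCALAPPDATA%, handler.exe spawns several powershell.exe children, and the run is flagged for disabling Windows Defender real-time protection. The following is an added example, not code from MalwareBazaar or from the sample, that classifies process-creation events against exactly those three traits. The command lines in SAMPLE_EVENTS are constructed for illustration (the entry does not show what the sample actually passed to PowerShell), and the drop path with a Temp subdirectory is assumed, since the page elides the real subdirectory. The cmdlet, service and registry names in the rules are real Defender controls.

```python
"""Flag process-creation events consistent with the sandbox signatures on this entry:
PowerShell spawned from a user-writable path, hidden windows, and Windows Defender tampering.
Added example; the event data is constructed, not captured from the sample."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record (fields shared by Sysmon Event ID 1 and most EDR telemetry)."""
    image: str
    parent_image: str
    command_line: str


# (finding name, regex over the command line). The page does not say which of these the sample used.
TAMPER_RULES = [
    ("defender_preference_disabled",
     re.compile(r"Set-MpPreference\b.*-Disable\w*\s+(\$true|1)\b", re.I)),
    ("defender_exclusion_added",
     re.compile(r"Add-MpPreference\b.*-Exclusion(Path|Process|Extension)\b", re.I)),
    ("defender_service_stopped",
     re.compile(r"\bsc(\.exe)?\s+(stop|config)\s+WinDefend\b", re.I)),
    ("defender_policy_registry",
     re.compile(r"Windows Defender.*\b(DisableAntiSpyware|DisableRealtimeMonitoring)\b", re.I)),
]
HIDDEN_WINDOW = re.compile(r"-w(indowstyle)?\s+hidden\b", re.I)      # "Creating a process with a hidden window"
USER_WRITABLE = re.compile(r"\\(AppData\\Local|Temp)\\", re.I)       # where the dropper wrote handler.exe
POWERSHELL = re.compile(r"\\powershell\.exe$", re.I)


def classify(ev: ProcessEvent) -> list[str]:
    """Return the names of every rule the event fires, in a fixed order."""
    findings = []
    if POWERSHELL.search(ev.image) and USER_WRITABLE.search(ev.parent_image):
        findings.append("powershell_from_user_writable_parent")
    if HIDDEN_WINDOW.search(ev.command_line):
        findings.append("hidden_window")
    for name, rx in TAMPER_RULES:
        if rx.search(ev.command_line):
            findings.append(name)
    return findings


def triage(events: list[ProcessEvent]) -> dict[int, list[str]]:
    """Map event index -> findings for every event that fired at least one rule."""
    return {i: f for i, ev in enumerate(events) if (f := classify(ev))}


# Constructed telemetry. The Temp subdirectory is assumed; the page elides the real one.
SAMPLE_EVENTS = [
    ProcessEvent(
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        parent_image=r"C:\Users\user\AppData\Local\Temp\sfx\handler.exe",
        command_line=r'powershell -WindowStyle Hidden -Command "Set-MpPreference -DisableRealtimeMonitoring $true"',
    ),
    ProcessEvent(  # benign: an admin querying Defender status from the shell
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        parent_image=r"C:\Windows\explorer.exe",
        command_line="powershell Get-MpComputerStatus",
    ),
    ProcessEvent(  # the "via service" variant of the same signature
        image=r"C:\Windows\System32\sc.exe",
        parent_image=r"C:\Users\user\AppData\Local\Temp\sfx\handler.exe",
        command_line="sc stop WinDefend",
    ),
]

if __name__ == "__main__":
    for idx, findings in triage(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx].command_line, "->", ", ".join(findings))
```

The parent-path rule is the one that separates this chain from an administrator running the same cmdlet: Set-MpPreference from explorer.exe is routine, the same cmdlet from a freshly dropped PE under AppData\Local is not, which is why the example scores the parent and the command line independently and lets the caller decide how many findings warrant an alert.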
Unpacked files
SHA256 hash: 22703e48feec622e9d9327ff6da761f7a83ea8991ffe72b269e9dbd2996eab1d
MD5 hash: 441eeacdc465424f77e10ae23c15fce1
SHA1 hash: ffcce6cefa17ecf2506358f133ae515508145404
SHA256 hash: fd59571b52f8bfc7244a8ecf6cc057f1690964091b7141227ddd8315bba4d93a
MD5 hash: 9492f527b9191d6d652489bfbddace89
SHA1 hash: 1881044258f1cc1d956586b36c2941f198d900b7
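The entry gives two sets of file hashes: the SFX dropper itself and the unpacked handler.exe it writes to disk. Because the inner file is what ends up executing, a sweep for only the outer SHA256 misses hosts where the dropper was deleted after extraction. The script below is an added example, not MalwareBazaar tooling; it carries the SHA256, SHA1, MD5 and SHA3-384 values from this page as an IOC set and walks a directory tree looking for any file whose digest appears in it. ssdeep and TLSH are omitted because they need third-party libraries. The demo() helper writes a constructed file to a temporary directory and sweeps it against an IOC set derived from that file, so it runs offline without the real sample.

```python
"""Sweep a directory tree for files matching the hash IOCs on this MalwareBazaar entry.
Added example, not part of MalwareBazaar; the demo data is constructed."""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

# Hash IOCs copied from this entry: the SFX dropper (fd5957...) and the unpacked handler.exe (22703e...).
IOCS = {
    "sha256": {
        "fd59571b52f8bfc7244a8ecf6cc057f1690964091b7141227ddd8315bba4d93a",
        "22703e48feec622e9d9327ff6da761f7a83ea8991ffe72b269e9dbd2996eab1d",
    },
    "sha1": {
        "1881044258f1cc1d956586b36c2941f198d900b7",
        "ffcce6cefa17ecf2506358f133ae515508145404",
    },
    "md5": {
        "9492f527b9191d6d652489bfbddace89",
        "441eeacdc465424f77e10ae23c15fce1",
    },
    "sha3_384": {
        "ebd4c23a6381c7c1c2fca4adbc6f6bd48a7fc274469da262fbc1f29c48623196cb73efe46cd7faf8da4f648e268a8708",
    },
}
ALGOS = ("sha256", "sha1", "md5", "sha3_384")


def digests(data: bytes) -> dict[str, str]:
    """Compute every digest algorithm the IOC set uses over one buffer."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ALGOS}


def match_iocs(data: bytes, iocs: dict[str, set[str]] = IOCS) -> list[str]:
    """Return 'algo:digest' for each algorithm whose digest of data is in the IOC set."""
    d = digests(data)
    return sorted(f"{algo}:{d[algo]}" for algo in iocs if d[algo] in iocs[algo])


def sweep(root: Path, iocs: dict[str, set[str]] = IOCS) -> dict[str, list[str]]:
    """Walk root recursively; map each matching file path to its matched IOCs."""
    hits: dict[str, list[str]] = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        try:
            data = path.read_bytes()
        except OSError:  # unreadable or vanished file; keep sweeping
            continue
        found = match_iocs(data, iocs)
        if found:
            hits[str(path)] = found
    return hits


def demo() -> dict[str, list[str]]:
    """Constructed run: one planted file, one clean file, IOC set built from the planted bytes."""
    blob = b"constructed test payload, not the real sample"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sub").mkdir()
        (root / "sub" / "handler.exe").write_bytes(blob)
        (root / "clean.txt").write_bytes(b"unrelated content")
        test_iocs = {"sha256": {digests(blob)["sha256"]}}
        return {Path(p).name: m for p, m in sweep(root, test_iocs).items()}


if __name__ == "__main__":
    print(demo())
```

Run sweep(Path(r"C:\Users"), IOCS) on a suspect host to check both the dropper and the extracted handler.exe in one pass. Treat an MD5-only hit as a lead to confirm with SHA256, since MD5 collisions are practical; SHA256 or SHA3-384 is the authoritative match.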

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments