MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fd81b3ed300db65a7a31b2b10011c9bfa9a2349571e2ccb532bc714856241b8e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 6

Intelligence 6 IOCs YARA 5 File information Comments

SHA256 hash:	fd81b3ed300db65a7a31b2b10011c9bfa9a2349571e2ccb532bc714856241b8e
SHA3-384 hash:	9f6145c5555c3c3e65aebac67ddfb6f76aa22bf325f2d3fc40b68c5855c9cdc95781e302aadb94cdbafeead4e6eafd4b
SHA1 hash:	53eebcbcefa781e1b07d93bac60ed7619ae6d3ca
MD5 hash:	9f5ca63fe197bcd6130d9ebc83ea00e9
humanhash:	whiskey-dakota-equal-friend
File name:	SecuriteInfo.com.Mal.Generic-S.10464.4570
Download:	download sample
File size:	9'106'395 bytes
First seen:	2020-12-29 12:48:04 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	e1e8417f4591da7741a300229f9e8e8b (1 x BazaLoader)
ssdeep	196608:73KtJVu8dVmGLTIUQ1cMczALRZ+9gXVa3eDcSMOJ+NrA1dREpFwcgCW1R:UxdVmx6qFkugxcsrmREpFP
Threatray	40 similar samples on MalwareBazaar
TLSH	B49633E9396401F1E3A512349E71DC74EA733C2A0323A55F56AB1321AE1364BFE2D739
Reporter	SecuriteInfoCom

Intelligence

File Origin

# of uploads :

# of downloads :

159

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Mal.Generic-S.10464.4570

Verdict:

No threats detected

Analysis date:

2020-12-29 12:49:45 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/cc6feab4-2480-4039-afe8-ff69c1fc163d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/109767/

Detection(s):

SecuriteInfo.com.Mal.Generic-S.10464.4570.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Sending a UDP request

Creating a file in the %temp% subdirectories

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad.mine

Score:

56 / 100

Link:

https://www.joesandbox.com/analysis/571413

Signature

Found strings related to Crypto-Mining

Multi AV Scanner detection for submitted file

Potentially malicious time measurement code found

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/fd81b3ed300db65a7a31b2b10011c9bfa9a2349571e2ccb532bc714856241b8e/

Threat name:

Win64.Trojan.Generic

Status:

Suspicious

First seen:

2020-12-22 11:18:00 UTC

AV detection:

15 of 48 (31.25%)

Threat level:

5/5

Verdict:

malicious

13af08593a4bd73dfcf9620842e8c86b24d6e30a2afe5b17aee21274eaf8a8b3

3aee007de2648d8a6c64bf1dfd6ed605bd380a22892e00b5c5d1e3643aebe71d

4b76ad80e9ce4c503bde0e476a88447426fc38315d440d22926627295e1b0ec6

4ddfd623ef499cb59cd55be3a72e22acefb23488d1631692baaff001471b2bea

55b4275af49cec66a8f4373a43d676e21824e9868b36b8eae3d036d821ec364f

8d3c6da3f4d6513a1d38058a6cf6028e0c07210a5c0509f47150152362093636

b6bfb18cb265786cbf4373a6dc82d4b8ec586d90f6a6e2cc72a1a3d20b60dda9

e8c00468964966dfdbae2de1d15a8a24b5ba4dbe7dddd482888568f4430d4db1

f29a85a0a8d5c438141903be9402dfea15cc0eb89e356da5b53d31edfabed15e

+ 30 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

pyinstaller upx

Link:

https://tria.ge/reports/201229-tssj55k5mn/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

JavaScript code in executable

Loads dropped DLL

UPX packed file

Unpacked files

SH256 hash:

fd81b3ed300db65a7a31b2b10011c9bfa9a2349571e2ccb532bc714856241b8e

MD5 hash:

9f5ca63fe197bcd6130d9ebc83ea00e9

SHA1 hash:

53eebcbcefa781e1b07d93bac60ed7619ae6d3ca

Link:

https://www.unpac.me/results/da807f48-1dc0-4c91-89d1-ad30a9cd8085/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Password Stealer

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/fd81b3ed300db65a7a31b2b10011c9bfa9a2349571e2ccb532bc714856241b8e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Keylog_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Contains Keylog

Rule name:	PE_File_pyinstaller Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)
Description:	Detect PE file produced by pyinstaller
Reference:	https://isc.sans.edu/diary/21057

Rule name:	PyInstaller Create hunting rule
Author:	@bartblaze
Description:	Identifies executable converted using PyInstaller.

Rule name:	shad0w_beacon_16June Create hunting rule
Author:	SBousseaden
Description:	Shad0w beacon compressed
Reference:	https://github.com/bats3c/shad0w

Rule name:	suspicious_packer_section Create hunting rule
Author:	@j0sm1
Description:	The packer/protector section names/keywords
Reference:	http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe fd81b3ed300db65a7a31b2b10011c9bfa9a2349571e2ccb532bc714856241b8e

(this sample)

Cape

https://www.capesandbox.com/analysis/109767/

URLhaus

https://urlhaus.abuse.ch/url/944446/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample