MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0367ec4f514399dfae2b74ed8b9303f1f47e527d5bc7bd7cb900710937add0a4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0367ec4f514399dfae2b74ed8b9303f1f47e527d5bc7bd7cb900710937add0a4
SHA3-384 hash: 85a625d152744791ab54d92cba16444c5e1b625b4a8eb5415139fd4f53feea75540c1a2646be54930a5df804fa6449d7
SHA1 hash: bf541ef3fa1fb164fec9b474749476e586701160
MD5 hash: 8135d7128edf6c5509a3824434042584
humanhash: moon-winner-wisconsin-dakota
File name:8135d7128edf6c5509a3824434042584.exe
Download: download sample
File size:565'321 bytes
First seen:2021-01-02 08:12:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4cb51e0c804dba5e5487181a8a13e00c
ssdeep 12288:QVyHh0h2artEwutTZV/qb9ylN28aE2GThX8xbv:Q4htLNZEbCfCGTqxL
Threatray 12 similar samples on MalwareBazaar
TLSH 00C4EF5237E14476C3A73230CAE467B5A2B5FB248F74864B6F758B0D2C3064E5E2AF25
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
179
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
8135d7128edf6c5509a3824434042584.exe
Verdict:
Malicious activity
Analysis date:
2021-01-02 08:13:27 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/90365b68-644a-4d0b-b03f-db37d3239cca

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/110289/
Detection(s):
Win.Keylogger.Deepscan-9640645-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the Windows subdirectories
Creating a service
Launching a service
Creating a process from a recently created file
Creating a window
Creating a file in the drivers directory
Loading a system driver
DNS request
Sending an HTTP GET request
Creating a file
Deleting a recently created file
Creating a file in the %temp% directory
Sending a custom TCP request
Running batch commands
Creating a process with a hidden window
Sending a UDP request
Launching a process
Enabling autorun for a service
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Mimikatz
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/572905
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Drops executables to the windows directory (C:\Windows) and starts them
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Sample is not signed and drops a device driver
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Mimikatz
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 335515 Sample: MoQCvCpfgw.exe Startdate: 02/01/2021 Architecture: WINDOWS Score: 100 66 Antivirus detection for URL or domain 2->66 68 Antivirus detection for dropped file 2->68 70 Antivirus / Scanner detection for submitted sample 2->70 72 5 other signatures 2->72 9 Dtldt.exe 2->9         started        12 MoQCvCpfgw.exe 1 2 2->12         started        15 svchost.exe 2->15         started        17 8 other processes 2->17 process3 file4 78 Antivirus detection for dropped file 9->78 80 Multi AV Scanner detection for dropped file 9->80 82 Drops executables to the windows directory (C:\Windows) and starts them 9->82 19 Dtldt.exe 14 15 9->19         started        56 C:\Windows\SysWOW64\Dtldt.exe, PE32 12->56 dropped 58 C:\Windows\...\Dtldt.exe:Zone.Identifier, ASCII 12->58 dropped 24 cmd.exe 1 12->24         started        84 Changes security center settings (notifications, updates, antivirus, firewall) 15->84 26 MpCmdRun.exe 15->26         started        signatures5 process6 dnsIp7 60 23.251.52.119, 49716, 8080 VPSQUANUS United States 19->60 62 zxcvb12345.cf 104.28.27.189, 49717, 80 CLOUDFLARENETUS United States 19->62 50 C:\Windows\System32\drivers\QAssist.sys, PE32+ 19->50 dropped 52 C:\Users\user\AppData\Local\Temp\hwid.exe, PE32 19->52 dropped 54 C:\Users\user\AppData\Local\...\hwid[1].exe, PE32 19->54 dropped 74 Sample is not signed and drops a device driver 19->74 28 hwid.exe 8 19->28         started        64 127.0.0.1 unknown unknown 24->64 76 Uses ping.exe to sleep 24->76 31 conhost.exe 24->31         started        33 PING.EXE 1 24->33         started        35 conhost.exe 26->35         started        file8 signatures9 process10 signatures11 94 Multi AV Scanner detection for dropped file 28->94 37 cmd.exe 1 28->37         started        39 conhost.exe 28->39         started        process12 process13 41 WMIC.exe 1 37->41         started        44 WMIC.exe 1 37->44         started        46 WMIC.exe 1 37->46         started        48 2 other processes 37->48 signatures14 86 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 41->86 88 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 41->88 90 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 41->90 92 Queries memory information (via WMI often done to detect virtual machines) 41->92
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0367ec4f514399dfae2b74ed8b9303f1f47e527d5bc7bd7cb900710937add0a4/
Threat name:
Win32.Hacktool.Mimikatz
Create hunting rule
Status:
Malicious
First seen:
2020-12-30 05:34:38 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  1/5
Verdict:
malicious
Similar samples:
02965941d39eef787b6d2483095f7c5c6eec84a2a97ce4e85eee9e0e610506e2
1305139a7ad70ad2c9af4c10be27e65da65b9273fe92c75b4ea8c6aa94e6c98d
238057ab39a12934ed501e0c9b1a895a7e80c40db43f5f5787edc088997d773d
4bb4435958fa48762b34905fc5ac50c78878eccb33252f72cb037d664cb60fc9
81daafd1fe82aa9bd555418f56f8330bbd4c204160bdbe99400e8238ee574335
a4053c9427fa00b62f65abf8ad7760e39df7f7ea0c72ed89375e2076f7cb79a3
a578e71d04eae80004ab431497c95fb9779a95dc7f0c60996c24c1cb7139745d
a66d1021e54269963e9a54892869d569ffa1c74d9fb1b67f023ea5fdfd90c1a6
c96fb748304f35220cae69a622318ee3e425802dea7387549af4add7ba449b7e
d19b02a35003c637360cc342d5fcdae87dc7336fc7925f07f5c0636eae22ba37
+ 2 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence upx
Link:
https://tria.ge/reports/210102-zbepzp2ble/
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Enumerates connected drives
Deletes itself
Loads dropped DLL
Drops file in Drivers directory
Executes dropped EXE
Sets service image path in registry
UPX packed file
Unpacked files
SH256 hash:
0367ec4f514399dfae2b74ed8b9303f1f47e527d5bc7bd7cb900710937add0a4
MD5 hash:
8135d7128edf6c5509a3824434042584
SHA1 hash:
bf541ef3fa1fb164fec9b474749476e586701160
Link:
https://www.unpac.me/results/a6a4bb2a-0776-49da-b744-f5c999ff8f8f/
SH256 hash:
d42acdd0449b9fc69c9a667655625d42117548751ae9b8dbbc55512d1cdf5cb3
MD5 hash:
6f47a706c6592b611fefdaec1a6ae11f
SHA1 hash:
04d3f2b86d8ad8f71cec097ac7816c9228cc9686
Link:
https://www.unpac.me/results/a6a4bb2a-0776-49da-b744-f5c999ff8f8f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Farfli
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0367ec4f514399dfae2b74ed8b9303f1f47e527d5bc7bd7cb900710937add0a4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/110289/

Comments