MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5d74919198834de59ddbf74322fc291019df6bd42319a9eceb8c4a9a932870a1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Miniduke


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5d74919198834de59ddbf74322fc291019df6bd42319a9eceb8c4a9a932870a1
SHA3-384 hash: 731ee61c6cb73c397d0fbb8c8a85ae3ebaa5ee5039f712f0454838ce227f13f9d0ec27423a26dc215cc63c1e2d082fe9
SHA1 hash: 6813ad0f381a2e5d3e93e6ce75642f013106eb03
MD5 hash: b6244650e0f4c783d2e06f030ba1c248
humanhash: nevada-beryllium-apart-texas
File name:5d74919198834de59ddbf74322fc291019df6bd42319a9eceb8c4a9a932870a1
Download: download sample
Signature Miniduke
Create hunting rule
File size:2'296'963 bytes
First seen:2022-03-05 21:48:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 28fddcffc23c8d6bd8c14acfa01b5fae (3 x Miniduke)
ssdeep 24576:Pe6u/p6D3RSYGP/aTfHCvZaaJLwsparXMIUegpE1PAfORMMKrxhkEeTv:POB6zY6gU4sVrXMZzpE2Tlhx6v
TLSH T1E3B52320B7828073C26725B44AE5F7B85779BDA22BF299CF17C556F80F242C1927731A
File icon (PE):PE icon
dhash icon 71f0b28a8cc8e061 (3 x Miniduke)
Reporter Anonymous
Tags:exe miniduke

Intelligence

File Origin
# of uploads :
1
# of downloads :
299
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/247593/
Detection(s):
Win.Trojan.CosmicDuke-3
Create hunting rule

Win.Trojan.Agent-1143497
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
DNS request
Creating a file in the Windows subdirectories
Creating a file in the %temp% directory
Moving a file to the %temp% directory
Creating a process from a recently created file
Creating a process with a hidden window
Enabling autorun
Creating a service
Creating a window
Сreating synchronization primitives
Creating a file
Reading critical registry keys
Enabling autorun for a service
Stealing user critical data
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/8335/overview
Behaviour
SystemUptime
MeasuringTime
EvasionQueryPerformanceCounter
CheckCmdLine
EvasionGetTickCount
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
APT29
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7c70428f-6cd9-4a10-8a10-134d72f92be3
Result
Threat name:
Unknown
Detection:
malicious
Classification:
phis.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/951287
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Changes the view of files in windows explorer (hidden files and folders)
Creates an undocumented autostart registry key
Disable Task List ballon tips (likely to surpress security warnings)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with a suspicious file extension
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Submitted sample is a known malware sample
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 583768 Sample: 3sNsWsm8y3 Startdate: 05/03/2022 Architecture: WINDOWS Score: 100 41 Antivirus detection for dropped file 2->41 43 Antivirus / Scanner detection for submitted sample 2->43 45 Multi AV Scanner detection for dropped file 2->45 47 4 other signatures 2->47 7 3sNsWsm8y3.exe 14 34 2->7         started        12 lsant.exe 2->12         started        14 svchost.exe 2->14         started        16 9 other processes 2->16 process3 dnsIp4 35 46.246.120.178, 21, 49800, 49802 PORTLANEwwwportlanecomSE Sweden 7->35 37 199.231.188.109, 21, 80 IS-AS-1US United States 7->37 27 C:\Windows\SysWOW64\wmudf.exe, PE32 7->27 dropped 29 C:\Windows\SysWOW64\urlpptp.scr, PE32 7->29 dropped 31 C:\Windows\SysWOW64\rassys.exe, PE32 7->31 dropped 33 9 other files (7 malicious) 7->33 dropped 53 Submitted sample is a known malware sample 7->53 55 Creates an undocumented autostart registry key 7->55 57 Tries to steal Instant Messenger accounts or passwords 7->57 65 6 other signatures 7->65 18 wmudf.exe 1 7->18         started        59 Antivirus detection for dropped file 12->59 61 Machine Learning detection for dropped file 12->61 63 Changes security center settings (notifications, updates, antivirus, firewall) 14->63 21 MpCmdRun.exe 1 14->21         started        39 127.0.0.1 unknown unknown 16->39 file5 signatures6 process7 signatures8 49 Antivirus detection for dropped file 18->49 51 Machine Learning detection for dropped file 18->51 23 conhost.exe 18->23         started        25 conhost.exe 21->25         started        process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5d74919198834de59ddbf74322fc291019df6bd42319a9eceb8c4a9a932870a1/
Threat name:
Win32.Backdoor.MiniDuke
Create hunting rule
Status:
Malicious
First seen:
2018-03-12 10:38:11 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
27 of 27 (100.00%)
Threat level:
  5/5
Verdict:
malicious
Result
Malware family:
n/a
Score:
  8/10
Tags:
collection discovery spyware stealer
Link:
https://tria.ge/reports/220305-1pcxtsbafm/
Behaviour
Modifies Control Panel
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
outlook_win_path
Drops file in System32 directory
Accesses Microsoft Outlook profiles
Checks installed software on the system
Enumerates connected drives
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Unpacked files
SH256 hash:
9e3c407d3bbf2a69cf6509994ffb17b45c58c3adaf3dc876b23e7d0575e24ca0
MD5 hash:
38a1745e9ec3bfb9c29b398e6a70f14c
SHA1 hash:
fb3b8f6494b211386381a7e4f6524d3e4643c9e9
Link:
https://www.unpac.me/results/f6cbfddb-ab19-47bd-87ab-a37d4f826df8/
Parent samples :
b5c571cbe24b37359eb4018bac19e37a2ffc6108d6d1cb5c8c22640397c47596
77cd2b705612246823a22afa826ac4a67d8c6a9fd0f9559abf9d7304703be2bd
1936043f5cfcffbee69201b5d3c77696d3a1a017bf401b5093f8f10b27339f86
SH256 hash:
4384c0df5f666c14a4ae9a799f7bde1e16fee3c003d81627c16e5f9a443fae2e
MD5 hash:
188f01b204c94f73486fa00191cce8c3
SHA1 hash:
9a915fe38f7dadfc6d41e7e5965fe6e2d36f5c1c
Link:
https://www.unpac.me/results/f6cbfddb-ab19-47bd-87ab-a37d4f826df8/
SH256 hash:
5d74919198834de59ddbf74322fc291019df6bd42319a9eceb8c4a9a932870a1
MD5 hash:
b6244650e0f4c783d2e06f030ba1c248
SHA1 hash:
6813ad0f381a2e5d3e93e6ce75642f013106eb03
Link:
https://www.unpac.me/results/f6cbfddb-ab19-47bd-87ab-a37d4f826df8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5d74919198834de59ddbf74322fc291019df6bd42319a9eceb8c4a9a932870a1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CosmicDuke
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Miniduke

Executable exe 5d74919198834de59ddbf74322fc291019df6bd42319a9eceb8c4a9a932870a1

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/247593/

Comments