MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 77cd2b705612246823a22afa826ac4a67d8c6a9fd0f9559abf9d7304703be2bd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Miniduke


Vendor detections: 15



SHA256 hash: 77cd2b705612246823a22afa826ac4a67d8c6a9fd0f9559abf9d7304703be2bd
SHA3-384 hash: 7fb303d0eb03430efd38802be646d96516251bb744c4416c3a77370bb7ce1b61cf3a48b03b3187d7b669dbe9dd2718ca
SHA1 hash: 54b77de5b018d2cd5ef18dd6320a83bd8a9675ab
MD5 hash: 7b16b59f5d2e9f06ec1c4c18db3a65da
humanhash: utah-tennessee-twelve-failed
File name: chrome.exe
Signature Miniduke
File size: 2'313'586 bytes
First seen: 2025-05-03 06:51:27 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 28fddcffc23c8d6bd8c14acfa01b5fae (3 x Miniduke)
ssdeep 24576:de6u/p6D3RSDuYB1UtHyXqkYR8xcjGp4ZM5eO9L1URWMoywKZehk/ooe:dOB6zY+0X6mjp4ZQB9LSvMhare
Threatray 5 similar samples on MalwareBazaar
TLSH T1FBB52320B7828073C26725B44AE5F7B85779BDA22BF299CF17C556F80F242C1927731A
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon 71f0b28a8cc8e061 (3 x Miniduke)
Reporter adm1n_usa32
Tags: CosmicDuke exe miniduke


Reporter comment (adm1n_usa32): features screensaver hijack

Intelligence


File Origin
# of uploads: 1
# of downloads: 438
Origin country: US
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: chrome.exe
Verdict: Malicious activity
Analysis date: 2025-05-03 06:50:04 UTC
Tags: stealer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 99.9%
Tags: cosmicduke miniduke

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the Windows subdirectories
Creating a file in the %temp% directory
Moving a file to the %temp% directory
Creating a process from a recently created file
Creating a process with a hidden window
Enabling autorun
Creating a service
Creating a window
Creating synchronization primitives
Creating a file
Reading critical registry keys
Connection attempt
Enabling autorun for a service
Stealing user critical data
Enabling autorun by creating a file
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: adaptive-context fingerprint microsoft_visual_cc overlay packed packer_detected

Result
Threat name: MiniDuke
Detection: malicious
Classification: phis.troj.spyw.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Changes the view of files in windows explorer (hidden files and folders)
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Task List balloon tips (likely to suppress security warnings)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with a suspicious file extension
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Opens the same file many times (likely Sandbox evasion)
Sigma detected: rundll32 run dll from internet
Submitted sample is a known malware sample
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Yara detected MiniDuke
Behaviour
Behavior Graph (rendered graph not recoverable; recoverable node and edge information listed below):
Behavior Graph ID: 1680451, Sample: chrome.exe, Startdate: 03/05/2025, Architecture: WINDOWS, Score: 100
Top-level signatures: Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for dropped file; 5 other signatures
Processes started from the sample: chrome.exe, fwcpl.exe, svchost.exe, 6 other processes
  chrome.exe: network 199.231.188.109 (21, 49732, 49733) IS-AS-1US United States; 46.246.120.178 (21, 80) PORTLANE (www.portlane.com) Sweden; dropped C:\Windows\SysWOW64\tapieng.exe (PE32), C:\Windows\SysWOW64\nteng.scr (PE32), C:\Windows\SysWOW64\msdns.exe (PE32), 11 other malicious files; signatures: Detected unpacking (changes PE section rights), Detected unpacking (overwrites its own PE header), Submitted sample is a known malware sample, 5 other signatures; starts msdns.exe
  fwcpl.exe: Antivirus detection for dropped file; Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file / registry access); 2 other signatures
  svchost.exe: Changes security center settings (notifications, updates, antivirus, firewall); starts MpCmdRun.exe
  6 other processes: 127.0.0.1 unknown unknown; rundll32.exe (three instances); 2 other processes
  msdns.exe: Antivirus detection for dropped file; starts conhost.exe
  MpCmdRun.exe: starts conhost.exe
Threat name: Win32.Dropper.MiniDuke
Status: Malicious
First seen: 2025-05-03 06:52:14 UTC
File Type: PE (Exe)
Extracted files: 4
AV detection: 23 of 24 (95.83%)
Threat level: 3/5

Result
Malware family: n/a
Score: 7/10
Tags: collection discovery spyware stealer
Behaviour
Modifies Control Panel
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_win_path
System Location Discovery: System Language Discovery
Drops file in System32 directory
Accesses Microsoft Outlook profiles
Checks installed software on the system
Enumerates connected drives
Executes dropped EXE
Reads user/profile data of web browsers
Verdict: Malicious
Tags: apt Win.Trojan.CosmicDuke-3
YARA: detect_apt_APT29
Unpacked files
SHA256 hash: 77cd2b705612246823a22afa826ac4a67d8c6a9fd0f9559abf9d7304703be2bd
MD5 hash: 7b16b59f5d2e9f06ec1c4c18db3a65da
SHA1 hash: 54b77de5b018d2cd5ef18dd6320a83bd8a9675ab
Detections: win_cosmicduke_w0

SHA256 hash: d61ef2e75638ab0e34f5dc269d084ad96f8156e50a246eef6de8dba0095b4c16
MD5 hash: 22951886667ea0f8066602a1defb74d0
SHA1 hash: d5288cb9fe67e991c2bbfd7f8f724e89aa5dc64e

SHA256 hash: 9e3c407d3bbf2a69cf6509994ffb17b45c58c3adaf3dc876b23e7d0575e24ca0
MD5 hash: 38a1745e9ec3bfb9c29b398e6a70f14c
SHA1 hash: fb3b8f6494b211386381a7e4f6524d3e4643c9e9
Detections: win_cosmicduke_w0 win_cosmicduke_auto detect_apt_APT29
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: CosmicDuke

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: detect_apt_APT29
Author: @malgamy12
Description: detect_APT32_malware

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

Rule name: win_cosmicduke_w0
Author: @malgamy12
Description: detect cosmicduke

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
ID                        | Title                                                      | Severity
CHECK_AUTHENTICODE        | Missing Authenticode                                       | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA)    | high
CHECK_PIE                 | Missing Position-Independent Executable (PIE) Protection  | high

Reviews
ID                 | Capabilities                   | Evidence
WIN32_PROCESS_API  | Can Create Process and Threads | KERNEL32.dll::CloseHandle
WIN_BASE_API       | Uses Win Base API              | KERNEL32.dll::TerminateProcess, KERNEL32.dll::LoadLibraryW, KERNEL32.dll::GetStartupInfoW, KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_API  | Can Execute other programs     | KERNEL32.dll::WriteConsoleW, KERNEL32.dll::SetConsoleCtrlHandler, KERNEL32.dll::SetStdHandle, KERNEL32.dll::GetConsoleMode, KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_API    | Can Create Files               | KERNEL32.dll::CreateFileW

Comments