MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a4053c9427fa00b62f65abf8ad7760e39df7f7ea0c72ed89375e2076f7cb79a3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a4053c9427fa00b62f65abf8ad7760e39df7f7ea0c72ed89375e2076f7cb79a3
SHA3-384 hash: 3d12dd0581674172c7a2ffe9bd6961ad93d43380d332150297533d4af4a86b88b0bd9718b1346d2935d2a55f2775b627
SHA1 hash: 95ce92fd3ecab7d8d5d3dfbaba3b825c31c5c1c1
MD5 hash: b05ef332fdb673343ef00b7d017fa637
humanhash: illinois-equal-july-tango
File name:b05ef332fdb673343ef00b7d017fa637.exe
Download: download sample
File size:4'882'432 bytes
First seen:2021-01-01 07:32:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 8d6f4729220c8fd97a5586924944ada1
ssdeep 98304:DsOsum8RmjKEb0CLdjEbseZnPOk3W42oRA3QkT:08REp+WmW4sJ
Threatray 64 similar samples on MalwareBazaar
TLSH 52369E43A383AD9FF62B29759501977A90DFE321EC3E516EFB564C2DC5929F08AC3600
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
199
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b05ef332fdb673343ef00b7d017fa637.exe
Verdict:
No threats detected
Analysis date:
2021-01-01 07:34:23 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c57fc0a9-af96-4e8a-8709-36f087e81152

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/110254/
Detection(s):
Win.Keylogger.Deepscan-9640645-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the Windows directory
Creating a process from a recently created file
Creating a file in the Windows subdirectories
Creating a service
Launching a service
Creating a file in the drivers directory
Loading a system driver
DNS request
Running batch commands
Creating a process with a hidden window
Sending a custom TCP request
Launching a process
Creating a file
Sending a UDP request
Enabling autorun for a service
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Mimikatz
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/572744
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Sigma detected: System File Execution Location Anomaly
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Mimikatz
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 335436 Sample: dC5i7RPJtz.exe Startdate: 01/01/2021 Architecture: WINDOWS Score: 100 41 296659692.f3322.net 2->41 49 Antivirus detection for dropped file 2->49 51 Antivirus / Scanner detection for submitted sample 2->51 53 Multi AV Scanner detection for dropped file 2->53 55 6 other signatures 2->55 9 dC5i7RPJtz.exe 1 1 2->9         started        13 Stlmn.exe 2->13         started        15 svchost.exe 1 2->15         started        18 3 other processes 2->18 signatures3 process4 dnsIp5 39 C:\Windows\lsass.exe, PE32 9->39 dropped 65 Drops executables to the windows directory (C:\Windows) and starts them 9->65 67 Drops PE files with benign system names 9->67 20 lsass.exe 1 1 9->20         started        69 Antivirus detection for dropped file 13->69 71 Multi AV Scanner detection for dropped file 13->71 73 Machine Learning detection for dropped file 13->73 24 Stlmn.exe 13 1 13->24         started        47 192.168.2.1 unknown unknown 15->47 file6 signatures7 process8 dnsIp9 35 C:\Windows\SysWOW64\Stlmn.exe, PE32 20->35 dropped 57 Antivirus detection for dropped file 20->57 59 Multi AV Scanner detection for dropped file 20->59 61 Machine Learning detection for dropped file 20->61 27 cmd.exe 1 20->27         started        43 296659692.f3322.net 118.123.96.148, 10087 CHINANET-SCIDC-AS-APCHINANETSiChuanTelecomInternetData China 24->43 37 C:\Windows\System32\drivers\QAssist.sys, PE32+ 24->37 dropped 63 Sample is not signed and drops a device driver 24->63 file10 signatures11 process12 dnsIp13 45 127.0.0.1 unknown unknown 27->45 75 Uses ping.exe to sleep 27->75 31 conhost.exe 27->31         started        33 PING.EXE 1 27->33         started        signatures14 process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a4053c9427fa00b62f65abf8ad7760e39df7f7ea0c72ed89375e2076f7cb79a3/
Threat name:
Win32.PUA.FlyStudio
Create hunting rule
Status:
Malicious
First seen:
2020-11-28 13:48:41 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  1/5
Verdict:
malicious
Similar samples:
02965941d39eef787b6d2483095f7c5c6eec84a2a97ce4e85eee9e0e610506e2
1495a59a2300245b0c8cfdfe2e467de7f79a4d287e10e9119a96cdac0a1b7c5b
2e13c882d28c2236893a0a543e67c74a4f2e560d98c98b800f95c07938156a37
4bb4435958fa48762b34905fc5ac50c78878eccb33252f72cb037d664cb60fc9
56133c0d017af35f49253926e3583cf72c36146ab7faa65b6058971685166652
7722f9fc1c3104b305915e49413e86df71e233fc2ac2914eee60ab7a59fcdf14
a578e71d04eae80004ab431497c95fb9779a95dc7f0c60996c24c1cb7139745d
b867428ec9adc7134924cf71e05558eb35a64e1ed17ada1d41788fa8a213ed84
c96fb748304f35220cae69a622318ee3e425802dea7387549af4add7ba449b7e
d19b02a35003c637360cc342d5fcdae87dc7336fc7925f07f5c0636eae22ba37
+ 54 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence upx
Link:
https://tria.ge/reports/210101-94yphpggle/
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Drops file in System32 directory
Enumerates connected drives
Loads dropped DLL
Drops file in Drivers directory
Executes dropped EXE
Sets service image path in registry
UPX packed file
Unpacked files
SH256 hash:
a4053c9427fa00b62f65abf8ad7760e39df7f7ea0c72ed89375e2076f7cb79a3
MD5 hash:
b05ef332fdb673343ef00b7d017fa637
SHA1 hash:
95ce92fd3ecab7d8d5d3dfbaba3b825c31c5c1c1
Link:
https://www.unpac.me/results/8a901eef-3050-4e50-9d08-b920fa42f79c/
SH256 hash:
1ca8bd2ff2af88179f18caa516e8f5809e915098a5013ca1a9547e71dd44f863
MD5 hash:
d977d5e9d177739c9709b358e031ad4c
SHA1 hash:
00921fcb4b2222baf7928a35a8687a19d9782b8b
Link:
https://www.unpac.me/results/8a901eef-3050-4e50-9d08-b920fa42f79c/
SH256 hash:
d42acdd0449b9fc69c9a667655625d42117548751ae9b8dbbc55512d1cdf5cb3
MD5 hash:
6f47a706c6592b611fefdaec1a6ae11f
SHA1 hash:
04d3f2b86d8ad8f71cec097ac7816c9228cc9686
Link:
https://www.unpac.me/results/8a901eef-3050-4e50-9d08-b920fa42f79c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Farfli
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a4053c9427fa00b62f65abf8ad7760e39df7f7ea0c72ed89375e2076f7cb79a3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/110254/

Comments