MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b5c571cbe24b37359eb4018bac19e37a2ffc6108d6d1cb5c8c22640397c47596. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Miniduke


Vendor detections: 16


Intelligence 16 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b5c571cbe24b37359eb4018bac19e37a2ffc6108d6d1cb5c8c22640397c47596
SHA3-384 hash: b29ed85c37827bb8be680b97e6ac26a10fb78b82cf7d23b1f270a7fd02601aa965cbd69918cb9601499631621c7b7e4a
SHA1 hash: d7697c61fe6ca142da8d9a3b14af32ad78778622
MD5 hash: af67f113f6de4648aadc9d7a0be4d0ca
humanhash: idaho-mirror-colorado-lima
File name:chrome.exe
Download: download sample
Signature Miniduke
Create hunting rule
File size:2'307'951 bytes
First seen:2024-08-28 00:37:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 28fddcffc23c8d6bd8c14acfa01b5fae (3 x Miniduke)
ssdeep 24576:Pe6u/p6D3RSWGDBqSfHfXBYnvakaYhF+Ma1eCFd1Zz9ItONK+ehkrh2J:POB6zYBvGv95F+MqZFdHwVhOcJ
Threatray 1 similar samples on MalwareBazaar
TLSH T119B52220B7828073C26725B44AE5F7B85779BDA22BF299CF17C556F80F242C1927731A
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
File icon (PE):PE icon
dhash icon 71f0b28a8cc8e061 (3 x Miniduke)
Reporter adm1n_usa32
Tags:APT29 CosmicDuke exe miniduke

Intelligence

File Origin
# of uploads :
1
# of downloads :
583
Origin country :
RO RO
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
chrome.exe
Verdict:
Malicious activity
Analysis date:
2024-08-28 00:36:08 UTC
Tags:
stealer
Link:
https://app.any.run/tasks/227016fb-cec9-423d-be4d-a2b18f6de6eb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Trojan.CosmicDuke-3
Create hunting rule

Win.Trojan.Agent-1143497
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66ce716bfe69a9e560499bf1
Tags:
Encryption Generic Infostealer Other Stealth Trojan Cosmicduke
Result
Verdict:
Malware
Maliciousness:

Behaviour
Moving a file to the %temp% directory
Creating a process from a recently created file
Creating a process with a hidden window
Enabling autorun
Creating a service
Creating a window
Сreating synchronization primitives
Creating a file
Reading critical registry keys
Connection attempt
Creating a file in the Windows subdirectories
Creating a file in the %temp% directory
Enabling autorun for a service
Stealing user critical data
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
cosmicduke epmicrosoft_visual_cc fingerprint microsoft_visual_cc miniduke overlay packed stealer zusy
Link:
https://www.filescan.io/uploads/66ce716c1c7fd2cfb705b27a/reports/b0ff7eba-3954-4f9e-9575-d353a3baaf55/overview
Verdict:
Malicious
Labled as:
Trojan.CosmicDuke
Link:
https://www.hybrid-analysis.com/sample/b5c571cbe24b37359eb4018bac19e37a2ffc6108d6d1cb5c8c22640397c47596
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
APT29
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a89fe8b9-3881-465d-9920-2c2189474ec7
Result
Threat name:
n/a
Detection:
malicious
Classification:
phis.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1500214
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Changes the view of files in windows explorer (hidden files and folders)
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Task List ballon tips (likely to surpress security warnings)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with a suspicious file extension
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Opens the same file many times (likely Sandbox evasion)
Query firmware table information (likely to detect VMs)
Sigma detected: rundll32 run dll from internet
Submitted sample is a known malware sample
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1500214 Sample: chrome.exe Startdate: 28/08/2024 Architecture: WINDOWS Score: 100 42 time.windows.com 2->42 48 Suricata IDS alerts for network traffic 2->48 50 Antivirus detection for dropped file 2->50 52 Antivirus / Scanner detection for submitted sample 2->52 54 7 other signatures 2->54 8 chrome.exe 14 34 2->8         started        13 envmon.exe 9 19 2->13         started        15 svchost.exe 2->15         started        17 11 other processes 2->17 signatures3 process4 dnsIp5 44 46.246.120.178, 21, 49720, 49721 PORTLANEwwwportlanecomSE Sweden 8->44 46 199.231.188.109, 21, 49719, 49722 IS-AS-1US United States 8->46 34 C:\Windows\SysWOW64\srvhost.exe, PE32 8->34 dropped 36 C:\Windows\SysWOW64\msras.exe, PE32 8->36 dropped 38 C:\Windows\SysWOW64\monusb.scr, PE32 8->38 dropped 40 11 other malicious files 8->40 dropped 62 Detected unpacking (changes PE section rights) 8->62 64 Detected unpacking (overwrites its own PE header) 8->64 66 Submitted sample is a known malware sample 8->66 78 5 other signatures 8->78 19 srvhost.exe 1 8->19         started        68 Antivirus detection for dropped file 13->68 70 Tries to steal Instant Messenger accounts or passwords 13->70 72 Tries to steal Mail credentials (via file / registry access) 13->72 80 3 other signatures 13->80 74 Changes security center settings (notifications, updates, antivirus, firewall) 15->74 22 MpCmdRun.exe 15->22         started        76 Query firmware table information (likely to detect VMs) 17->76 24 rundll32.exe 17->24         started        26 rundll32.exe 17->26         started        28 rundll32.exe 17->28         started        file6 signatures7 process8 signatures9 56 Antivirus detection for dropped file 19->56 58 Multi AV Scanner detection for dropped file 19->58 60 Machine Learning detection for dropped file 19->60 30 conhost.exe 19->30         started        32 conhost.exe 22->32         started        process10
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b5c571cbe24b37359eb4018bac19e37a2ffc6108d6d1cb5c8c22640397c47596
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b5c571cbe24b37359eb4018bac19e37a2ffc6108d6d1cb5c8c22640397c47596/
Threat name:
Win32.Dropper.MiniDuke
Create hunting rule
Status:
Malicious
First seen:
2022-03-26 10:32:00 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
37 of 38 (97.37%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wxcxds7cjm3tlhvuagf2ygpdpix7yyii23i4wxemejsahf6eowla._file
Verdict:
malicious
Similar samples:
5d74919198834de59ddbf74322fc291019df6bd42319a9eceb8c4a9a932870a1
Miniduke
Result
Malware family:
n/a
Score:
  9/10
Tags:
collection credential_access discovery spyware stealer
Link:
https://tria.ge/reports/240828-ay2pfazeqq/
Behaviour
Modifies Control Panel
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
outlook_win_path
System Location Discovery: System Language Discovery
Drops file in System32 directory
Accesses Microsoft Outlook profiles
Checks installed software on the system
Enumerates connected drives
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Credentials from Password Stores: Credentials from Web Browsers
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/1c3b2446-0850-4115-b3a1-99092bd65841
Unpacked files
SH256 hash:
9e3c407d3bbf2a69cf6509994ffb17b45c58c3adaf3dc876b23e7d0575e24ca0
MD5 hash:
38a1745e9ec3bfb9c29b398e6a70f14c
SHA1 hash:
fb3b8f6494b211386381a7e4f6524d3e4643c9e9
Detections:
win_cosmicduke_auto
Create hunting rule
win_cosmicduke_w0
Create hunting rule
detect_apt_APT29
Create hunting rule
Link:
https://www.unpac.me/results/25767963-b718-431f-beb9-569ae7029780/
Parent samples :
b5c571cbe24b37359eb4018bac19e37a2ffc6108d6d1cb5c8c22640397c47596
77cd2b705612246823a22afa826ac4a67d8c6a9fd0f9559abf9d7304703be2bd
1936043f5cfcffbee69201b5d3c77696d3a1a017bf401b5093f8f10b27339f86
SH256 hash:
041a307d125f459e37787b0ec4f330802e2925dbb2fb12ee8f63462822967b2b
MD5 hash:
6362ca2526c606679f87bc3fd80dfa9e
SHA1 hash:
4cefdd466a49a630e1be49a5a173e94e07aa3409
Link:
https://www.unpac.me/results/25767963-b718-431f-beb9-569ae7029780/
SH256 hash:
b5c571cbe24b37359eb4018bac19e37a2ffc6108d6d1cb5c8c22640397c47596
MD5 hash:
af67f113f6de4648aadc9d7a0be4d0ca
SHA1 hash:
d7697c61fe6ca142da8d9a3b14af32ad78778622
Detections:
win_cosmicduke_w0
Create hunting rule
detect_apt_APT29
Create hunting rule
Link:
https://www.unpac.me/results/25767963-b718-431f-beb9-569ae7029780/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b5c571cbe24b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b5c571cbe24b37359eb4018bac19e37a2ffc6108d6d1cb5c8c22640397c47596

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CosmicDuke
Create hunting rule
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:detect_apt_APT29
Create hunting rule
Author:@malgamy12
Description:detect_APT32_malware
Rule name:win_cosmicduke_w0
Create hunting rule
Author:@malgamy12
Description:detect cosmicduke

File information

The table below shows additional information about this malware sample such as delivery method and external references.

anyrun
any.run
https://app.any.run/tasks/227016fb-cec9-423d-be4d-a2b18f6de6eb

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::SetConsoleCtrlHandler
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW

Comments