MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c96fb748304f35220cae69a622318ee3e425802dea7387549af4add7ba449b7e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 5



SHA256 hash: c96fb748304f35220cae69a622318ee3e425802dea7387549af4add7ba449b7e
SHA3-384 hash: b7e66946b08c7a4e8a41962b1e5a463709c04b8796085fca44aa104fd299484295c8b2a2e5075e8e2238b627a2a80a0f
SHA1 hash: 8ce723c43ef826ab94a717b77f894274abd605fc
MD5 hash: 7dfde265addcb6aedc4341195e97e33c
humanhash: delaware-beer-chicken-avocado
File name: c96fb748304f35220cae69a622318ee3e425802dea7387549af4add7ba449b7e
File size: 565'312 bytes
First seen: 2020-09-01 09:26:51 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2ab169de0dd3739923572013ba5dc976
ssdeep: 12288:EF4/usbjutTZV/qb9ylN28aE2GThX8xb7:EF4UNZEbCfCGTqx/
Threatray: 3 similar samples on MalwareBazaar
TLSH: B0C4EF6173F28872C3AB3270C9E41635A6B1FF708E35854B6F759B0D1D30A8D5A2AF25
Reporter: JAMESWT_WT
Tags: Ample Digital Limited

Code Signing Certificate

Organisation: thawte SHA256 Code Signing CA
Issuer: thawte Primary Root CA
Algorithm: sha256WithRSAEncryption
Valid from: Dec 10 00:00:00 2013 GMT
Valid to: Dec 9 23:59:59 2023 GMT
Serial number: 71A0B73695DDB1AFC23B2B9A18EE54CB
Intelligence: 9 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm: SHA256
Thumbprint: C4D18E0A58E4EFFD17ED77C840B613EF15F551076EA92C2B77F6609A6C2557C7
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 1
# of downloads: 90
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness: (gauge not reproduced)

Behaviour
Creating a file in the Windows subdirectories
Creating a service
Launching a service
Creating a process from a recently created file
Creating a window
Creating a file in the drivers directory
Running batch commands
Creating a process with a hidden window
Loading a system driver
Sending a custom TCP request
Launching a process
Creating a file
Enabling autorun for a service
Result
Threat name: Mimikatz
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Detected potential unwanted application
Drops executables to the windows directory (C:\Windows) and starts them
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Mimikatz
Behaviour
Behavior Graph (ID 280619; rendered graph not reproduced, recoverable details listed below):
Sample: d6Ide0bYbh, start date 01/09/2020, architecture WINDOWS, score 100
Top-level signatures: Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for dropped file; 5 other signatures
Processes started at top level: Gwogw.exe, d6Ide0bYbh.exe, svchost.exe, 7 other processes
d6Ide0bYbh.exe: drops C:\Windows\SysWOW64\Gwogw.exe (PE32) and its Zone.Identifier stream (ASCII) (path garbled in extraction, reconstructed from the dropped process name); starts cmd.exe
Gwogw.exe: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Drops executables to the windows directory (C:\Windows) and starts them; starts a second Gwogw.exe
Second Gwogw.exe: contacts 47.110.230.244 (ports 49719, 49723, 49729; CNNIC-ALIBABA-CN-NET-AP Hangzhou Alibaba Advertising Co Ltd, China); drops C:\Windows\System32\drivers\QAssist.sys (PE32+)
svchost.exe: Changes security center settings (notifications, updates, antivirus, firewall); starts MpCmdRun.exe, which starts conhost.exe
cmd.exe: Uses ping.exe to sleep; contacts 127.0.0.1; starts conhost.exe and PING.EXE
Other processes: contact 192.168.2.1
Threat name: Win32.Hacktool.Mimikatz
Status: Malicious
First seen: 2020-08-22 23:05:37 UTC
File Type: PE (Exe)
Extracted files: 22
AV detection: 21 of 29 (72.41%)
Threat level: 1/5
Result
Malware family: n/a
Score: 8/10
Tags: upx persistence
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Checks processor information in registry
Modifies data under HKEY_USERS
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Drops file in System32 directory
Drops file in System32 directory
Modifies service
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Drivers directory
Executes dropped EXE
Sets service image path in registry
UPX packed file
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments