MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d3c07ceb0ca4710adc66bee177fd0ec160b14b4c7c059e680ab4324b455bb08d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Adware.PushWare


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d3c07ceb0ca4710adc66bee177fd0ec160b14b4c7c059e680ab4324b455bb08d
SHA3-384 hash: f75e165f6008607b13ad5389f2ea4c489cc2fe809eb9845a28375017c87bbb9a8b9aeb99d025cbefea6e086883b16558
SHA1 hash: 83d4101a541835b71980ff188fb3c1634d3dc6de
MD5 hash: 9c14f93b7867fae79540fe7462a4afcb
humanhash: grey-nuts-happy-two
File name:QQPCDownload1600.exe
Download: download sample
Signature Adware.PushWare
Create hunting rule
File size:2'410'066 bytes
First seen:2022-04-28 06:17:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 49152:74tHNaGGojg8Vot+tqlv+lZkaxPEccn9edc6WkLbKIw:7axGojXmt+Yv+nKcc9edc6WYKD
Threatray 1'839 similar samples on MalwareBazaar
TLSH T17BB52202A98149B3D7E229352524A600AA7B7DE05FEF8E9F33D43D29C7721CD7634762
TrID 91.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.6% (.EXE) Win64 Executable (generic) (10523/12/4)
1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
0.6% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon e896868eb2cc69b2 (1 x Adware.PushWare, 1 x Meterpreter)
Reporter yingxin1996
Tags:Adware.PushWare exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
314
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d3c07ceb0ca4710adc66bee177fd0ec160b14b4c7c059e680ab4324b455bb08d.zip
Verdict:
Malicious activity
Analysis date:
2022-04-29 02:47:13 UTC
Tags:
loader
Link:
https://app.any.run/tasks/d3d5606d-7973-4a4d-92b6-22846de2f4af

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/267382/
Detection(s):
SecuriteInfo.com.BackDoor.SiggenNET.5.27436.8753.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the Windows subdirectories
Creating a process from a recently created file
Creating a file in the %temp% subdirectories
Creating a file in the %AppData% subdirectories
DNS request
Sending an HTTP GET request
Creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
80%
Tags:
greyware overlay packed setupapi.dll shdocvw.dll shell32.dll update.exe
Link:
https://www.filescan.io/uploads/626a31a00d3e2bd52d0e77ff/reports/adef88fb-7a9e-440a-85c9-2e7a8d80e85f/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6e8b6fc3-7a09-42fc-9a56-af5d3ae45fff
Result
Threat name:
CobaltStrike
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/984556
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Contains functionality to inject code into remote processes
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Copying Sensitive Files with Credential Data
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Writes to foreign memory regions
Yara detected CobaltStrike
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 617053 Sample: QQPCDownload1600.exe Startdate: 28/04/2022 Architecture: WINDOWS Score: 100 37 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->37 39 Found malware configuration 2->39 41 Malicious sample detected (through community Yara rule) 2->41 43 5 other signatures 2->43 7 QQPCDownload1600.exe 7 2->7         started        process3 file4 23 C:\Windows\Temp\QQPCDownload1600.exe, PE32 7->23 dropped 25 C:\Windows\Temp\HELLO.EXE, PE32+ 7->25 dropped 10 HELLO.EXE 1 7->10         started        13 QQPCDownload1600.exe 24 7->13         started        process5 dnsIp6 47 Contains functionality to inject code into remote processes 10->47 49 Writes to foreign memory regions 10->49 51 Allocates memory in foreign processes 10->51 53 2 other signatures 10->53 17 VSSVC.exe 10->17         started        21 conhost.exe 10->21         started        31 masterconn11.qq.com 58.251.106.185, 443, 49743, 49751 UNICOM-SHENZHEN-IDCChinaUnicomGuangdongIPnetworkCN China 13->31 33 sparta.qb.mig.tencent-cloud.net 203.205.253.183, 49744, 49745, 80 TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN China 13->33 35 2 other IPs or domains 13->35 27 C:\Users\user\AppData\...\QQPCDownload.dll, PE32 13->27 dropped file7 signatures8 process9 dnsIp10 29 203.25.209.81, 49736, 49746, 49747 CHINANET-SICHUAN-CHUANXI-IDCSichuanChuanxnIDCCN China 17->29 45 Contains functionality to detect sleep reduction / modifications 17->45 signatures11
Detection:
cobaltstrike
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d3c07ceb0ca4710adc66bee177fd0ec160b14b4c7c059e680ab4324b455bb08d/
Threat name:
Win32.Trojan.CobaltStrike
Create hunting rule
Status:
Malicious
First seen:
2022-04-28 06:18:14 UTC
File Type:
PE (Exe)
Extracted files:
33
AV detection:
7 of 26 (26.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2pahz2ymuryqvxdgx3qxp7ioyfqlcs2mpqcz42akwqzewrk3wcgq._file
Verdict:
malicious
Label(s):
cobaltstrike
Create hunting rule
Similar samples:
41609e0f1ff71e0b6421e8e3bfbac0307c0f5f80f9e1b3b60de547a54a80de51
Adware.PushWare
4549d36771e2a7b7425b3853a4fcd6a80a926a36df36eec0942199f9aa3d2be7
Adware.PushWare
4b2c39847825cdbc53f5a1afa37f047eeba06b7b490b191967e88cba0706df3e
Adware.PushWare
4c25202298f76f1598a1e169ca435b80541e1db59c542f55e1eb8e3cbf76a419
Adware.PushWare
6624ce134dd16a37d6615483002f24b74c74c55b45259bc5408b7ae804d0fe22
Adware.PushWare
99612e143d65598f830df1494e16eace445f0904218f3d6335f3cbd29d0378b5
Adware.PushWare
a144d424d0ace63551d67ee67efe8ff6242df2b5c55d8f2494e0731f2d88f711
Adware.PushWare
a5a4d88e2fe16d319aef6f7550ca2379d253a943d467dedc21e7ea3deb19410e
Adware.PushWare
da58d100900745d6a15113e8b8cb5c2a3252a3c4a063ccc64fd09cc75cfb21ff
Adware.PushWare
dca75ab5314cd4b2e9a5afa203862991c02ee5b2ed16b6a5b9667bc3a1a704eb
Adware.PushWare
+ 1'829 additional samples on MalwareBazaar
Result
Malware family:
cobaltstrike
Create hunting rule
Score:
  10/10
Tags:
family:cobaltstrike botnet:0 botnet:426352781 backdoor bootkit persistence suricata trojan
Link:
https://tria.ge/reports/220428-g2lkysbbd8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Writes to the Master Boot Record (MBR)
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Cobaltstrike
suricata: ET MALWARE Cobalt Strike Beacon Observed
suricata: ET MALWARE Meterpreter or Other Reverse Shell SSL Cert
Malware Config
C2 Extraction:
http://203.25.209.81:8003/j.ad
Unpacked files
SH256 hash:
d7f257a3f85eaa917ce91d536c14348d22ede1e7d247e0e21d250752b798947e
MD5 hash:
859205befe152486599f4131b858b243
SHA1 hash:
67f1341f8cd5744ca7dcfe7fe61ffdf688e3907e
Link:
https://www.unpac.me/results/93edb4c2-1265-4491-b571-fb01e92c825f/
SH256 hash:
df3e7a8b3cbf103d7e234ff260a49ed88bdfb1650106fdbf34c645b72a8b1c11
MD5 hash:
af8be34c83cb0c1a3d710316e6e9610b
SHA1 hash:
9f2779aab1d55a163a3a30a6cd838d995eb36188
Link:
https://www.unpac.me/results/93edb4c2-1265-4491-b571-fb01e92c825f/
SH256 hash:
d3c07ceb0ca4710adc66bee177fd0ec160b14b4c7c059e680ab4324b455bb08d
MD5 hash:
9c14f93b7867fae79540fe7462a4afcb
SHA1 hash:
83d4101a541835b71980ff188fb3c1634d3dc6de
Link:
https://www.unpac.me/results/93edb4c2-1265-4491-b571-fb01e92c825f/
Malware family:
CobaltStrike
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d3c07ceb0ca4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d3c07ceb0ca4710adc66bee177fd0ec160b14b4c7c059e680ab4324b455bb08d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/267382/

Comments