MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 008ba1ba1b98285078098137058a51ec8e7a0808d93efade3618dc76755f0468. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 3


SHA256 hash: 008ba1ba1b98285078098137058a51ec8e7a0808d93efade3618dc76755f0468
SHA3-384 hash: cbbe8f91ebf3684f57a95110221b5fd1c5eadc36c97d06d85a0979bd42bdcadc1e7f2592c4dac0e0b360c11971cd8ce0
SHA1 hash: 0c47d2285099636846d8b611cefa4801d3ce4724
MD5 hash: c337803cf727ff01f1e6befe515b37c8
humanhash: johnny-william-earth-seven
File name: 俇淕20210915.exe
File size: 38'379'008 bytes
First seen: 2021-09-19 08:35:57 UTC
Last seen: 2021-09-19 09:50:52 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 3c1bc37fad736b34c5bde4babbb3579d
ssdeep: 49152:GHbsBjuuZ6cHSu9VBqjPpepNfLAteG3Iw:GHb6jiS9EPskewIw
Threatray: 5'388 similar samples on MalwareBazaar
TLSH: T1DB8711618B34112DB17B4560DF25F1FEDE66089FD5299326FED2E691BE232F01D2E082
Reporter: honor2016tw
Tags: exe

Intelligence

File Origin
# of uploads: 2
# of downloads: 284
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Clean
Maliciousness:

Result
Threat name: Mimikatz
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Contains functionality to capture and log keystrokes
Contains functionality to detect sleep reduction / modifications
Contains functionality to determine the online IP of the system
Contains functionality to modify Windows User Account Control (UAC) settings
Detected unpacking (changes PE section rights)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction which cause usermode exception
Uses cmd line tools excessively to alter registry or file data
Yara detected Mimikatz
Behaviour
Behavior Graph: [behavior graph image not reproduced; Behavior Graph ID: 485886, Sample: #U4fc7#U6dd520210915.exe, Startdate: 19/09/2021, Architecture: WINDOWS, Score: 100]
Threat name: Win32.Trojan.GenericML
Status: Malicious
First seen: 2021-09-17 01:34:33 UTC
AV detection: 9 of 28 (32.14%)
Threat level: 5/5

Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
Suspicious use of NtSetInformationThreadHideFromDebugger
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments