MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 01f936785968394ba82a93a816c897d77879a247b12621b42e12b2a7592a4f6d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 01f936785968394ba82a93a816c897d77879a247b12621b42e12b2a7592a4f6d
SHA3-384 hash: 8d7721f6e5cd5ad11bdfff517ac35dd0c87b764b83c4316d6e1c7716eb00215642535fb19af11dc8fb7b05d7de74c1a1
SHA1 hash: 9e12ee9621624f5905a5837652fbc73ce7746a89
MD5 hash: de26468fc5b2c2f00c408f9e810f6129
humanhash: william-coffee-undress-leopard
File name:Duck Porn.exe
Download: download sample
File size:789'925 bytes
First seen:2020-06-24 11:46:49 UTC
Last seen:2020-06-24 12:53:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 12288:ehqxSLo5C1Ps4Xh1pTQQuPupd8p1ogsjeLQjHbZOffj0Uuc33:eHLmCiIh1pk3P2eCjeLQ/YnTn
Threatray 716 similar samples on MalwareBazaar
TLSH 22F4E1256FEDCC70C0A11C711974261959BEAC300FBFD783E7B56C65D678AD23A30AA2
Reporter JAMESWT_WT

Intelligence

File Origin
# of uploads :
2
# of downloads :
86
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/13666/
Detection(s):
PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Running batch commands
Launching a process
Forced system process termination
Deleting a recently created file
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% directory
Creating a file
Creating a process with a hidden window
Blocking the Windows Defender launch
Unauthorized injection to a recently created process
Enabling autorun with Startup directory
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/01f936785968394ba82a93a816c897d77879a247b12621b42e12b2a7592a4f6d/
Threat name:
Win32.Trojan.Samas
Create hunting rule
Status:
Malicious
First seen:
2020-06-24 11:48:06 UTC
File Type:
PE (Exe)
Extracted files:
29
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
12859bb50366c248e9488a8852c0923bcb4135f8fcedcbac19228fe329ff39a7
17c38ccce635b7567fb09e4e48c53b5661bdd29e827917a447f0de7741694d71
1a91efaddc2a122cf1f3bb023992a47f75ce62242a9b2bafaf5ad3a43ac9b123
25babc8d9be2e6cc3cdd408fac70bea0d9c3f0c3480945d3bcb374c88b6f82c1
682be0853ccd6f60deb69d27941a628758c4e13e7d2e6ee95a95f415f3a9f0c6
a4df5e9015f70b47dc4f2e6bae0fbeb9d108979e0cda7ef54aa123a0d33bdf8b
aa9c8f532405507cb8a00d6c0d4ecd6888df2524037cde8d3d6fb33ff52bfb91
abf47c435677a41483b6390b005cc01939197f9ee5666c1c3f7d8b822ad36439
c2e6a6a4dcceeb65c2b769b92223c4b5c6de325709146391a4863dd56f4eb3d1
f0e0f6dc0ab4b552d2e5fd7053c5c57c7e6c6f21a11fe34da5fd9a01f0b24753
+ 706 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion trojan persistence
Link:
https://tria.ge/reports/200624-ty1brvsvwx/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Delays execution with timeout.exe
Modifies service
Loads dropped DLL
Executes dropped EXE
Modifies Windows Defender Real-time Protection settings
Modifies security service
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/13666/

Comments