MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0204588ca4e01c306d247a6dfc7ec1e3a29014e08d2ee0ce73d756ebbc429b6b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 5



SHA256 hash: 0204588ca4e01c306d247a6dfc7ec1e3a29014e08d2ee0ce73d756ebbc429b6b
SHA3-384 hash: f0b54ea818a5faf1dddd3210c1d698e654fd7dc09244ffd115aa9952da798cbc8588b3415502c47e12155b610d7d7519
SHA1 hash: f8200558ef6bbf31474023d913642fed52b97e2f
MD5 hash: bd2068cfbffbe0eeb388f40ba17724d2
humanhash: robert-zebra-football-blossom
File name: InjCht.exe
File size: 6'694'341 bytes
First seen: 2021-05-11 14:04:25 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: b78ecf47c0a3e24a6f4af114e2d1f5de (295 x GuLoader, 23 x Formbook, 21 x RemcosRAT)
ssdeep: 196608:3RXFGRPWtWAXMp+puiDUN9xdlKMUlA3qT5FfMEEt8Z:3R1GRPkJpunjdYXBT57pZ
Threatray: 1 similar samples on MalwareBazaar
TLSH: 196633915AD895EBFA3352326A2B76F759D234B390B0C8844F4CC71CFA459B8A4C85CF
Reporter: Anonymous

Intelligence


File Origin
# of uploads: 1
# of downloads: 144
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file in the Windows directory
Creating a service
Launching a service
Creating a process from a recently created file
Creating a window
Deleting a recently created file
Sending a custom TCP request
Sending a UDP request
Launching the process to interact with network services
Enabling autorun for a service
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection:
malicious
Classification:
evad.mine
Score:
100 / 100
Signature
Detected VMProtect packer
Disables security and backup related services
Drops executables to the windows directory (C:\Windows) and starts them
Found strings related to Crypto-Mining
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Behavior Graph ID: 411119
Sample: InjCht.exe
Startdate: 11/05/2021
Architecture: WINDOWS
Score: 100

Signatures on the submitted sample:
    Multi AV Scanner detection for submitted file
    Yara detected Xmrig cryptocurrency miner
    Detected VMProtect packer
    4 other signatures

Process tree (started processes, with dropped files, network contacts and per-process signatures):
    InjCht.exe
        dropped: C:\Windows\drvmngr.exe, PE32
        dropped: C:\Users\user\AppData\Local\...\nsProcess.dll, PE32
        dropped: C:\Users\user\AppData\Local\...\nsExec.dll, PE32
        signature: Disables security and backup related services
        cmd.exe
            net.exe
                net1.exe
            conhost.exe
        cmd.exe
            net.exe
                net1.exe
            conhost.exe
        cmd.exe
            conhost.exe
            sc.exe
        2 other processes
            conhost.exe
            conhost.exe
            2 other processes
    drvmngr.exe
        network: 192.168.2.1 unknown unknown
        signature: Multi AV Scanner detection for dropped file
        signature: Overwrites code with unconditional jumps - possibly setting hooks in foreign process
        signature: Machine Learning detection for dropped file
        signature: Tries to detect virtualization through RDTSC time measurements
    svchost.exe
Result
Malware family:
n/a
Score:
8/10
Tags:
evasion persistence
Behaviour
Modifies data under HKEY_USERS
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Launches sc.exe
Loads dropped DLL
Creates new service(s)
Executes dropped EXE
Stops running service(s)
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments



a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-11 15:05:11 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0001.032] Anti-Behavioral Analysis::Timing/Delay Check GetTickCount
1) [C0032.001] Data Micro-objective::CRC32::Checksum
2) [C0026.002] Data Micro-objective::XOR::Encode Data
5) [C0045] File System Micro-objective::Copy File
6) [C0046] File System Micro-objective::Create Directory
7) [C0048] File System Micro-objective::Delete Directory
8) [C0047] File System Micro-objective::Delete File
9) [C0049] File System Micro-objective::Get File Attributes
10) [C0051] File System Micro-objective::Read File
11) [C0050] File System Micro-objective::Set File Attributes
12) [C0052] File System Micro-objective::Writes File
13) [E1510] Impact::Clipboard Modification
14) [C0034.001] Operating System Micro-objective::Set Variable::Environment Variable
15) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
16) [C0036.002] Operating System Micro-objective::Delete Registry Key::Registry
17) [C0036.007] Operating System Micro-objective::Delete Registry Value::Registry
18) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
19) [C0036.005] Operating System Micro-objective::Query Registry Key::Registry
20) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
21) [C0036.001] Operating System Micro-objective::Set Registry Key::Registry
22) [C0017] Process Micro-objective::Create Process
23) [C0038] Process Micro-objective::Create Thread
24) [C0018] Process Micro-objective::Terminate Process