MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 028ec268176707aadc2cf8e65a28236cbed214f9fd65fc3346ee34e859e50057. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SchoolBoy


Vendor detections: 7


Intelligence 7 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 028ec268176707aadc2cf8e65a28236cbed214f9fd65fc3346ee34e859e50057
SHA3-384 hash: c727f94aa65b7312d1aa1e6f7a7830850329e0b12740493dfbd004c0ebd57a6f87a760d4496eb0e09d237bec343117b4
SHA1 hash: 2d2ec5fc1f778d8ce070743791296106abadacdf
MD5 hash: 35cc7255ba16d183a4a132650d67d2df
humanhash: xray-stairway-summer-november
File name:028ec268176707aadc2cf8e65a28236cbed214f9fd65fc3346ee34e859e50057.bin
Download: download sample
Signature SchoolBoy
Create hunting rule
File size:183'808 bytes
First seen:2020-10-17 15:22:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1c5c15b8a7860407aff788a9e447dadc (2 x SchoolBoy)
ssdeep 3072:qHuNxPJ9ImCz9EClod2ZTXyc+l5kC1N19ubfIOhcGOLr923CNUK0R+:SuNxTImCz9Hod2wc+lasN19LGsr923CL
Threatray 2 similar samples on MalwareBazaar
TLSH 4F043A37B2B1A036C16B4433769A1677276B6B310179585BDFCC26416BB4B86EF302B3
Reporter Arkbird_SOLG
Tags:KPOT SchoolBoy unpacked

Intelligence

File Origin
# of uploads :
1
# of downloads :
1'938
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/72570/
Detection(s):
Win.Dropper.KpotStealer-9322564-1
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending an HTTP GET request
Sending a UDP request
Reading critical registry keys
Creating a window
Sending a custom TCP request
Running batch commands
Creating a process with a hidden window
Launching a process
Stealing user critical data
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/494473
Signature
Antivirus / Scanner detection for submitted sample
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
May check the online IP address of the machine
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses ping.exe to check the status of other devices and networks
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/028ec268176707aadc2cf8e65a28236cbed214f9fd65fc3346ee34e859e50057/
Threat name:
Win32.Trojan.Ymacco
Create hunting rule
Status:
Malicious
First seen:
2020-10-17 15:23:04 UTC
File Type:
PE (Exe)
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=akhme2axm4d2vxbm7dtfukbdns7nefhz7vs7ym2g5y2oqwpfablq._file
Verdict:
unknown
Similar samples:
3419cd3aa1836577742af73aefa4d0fd5a198cbc4474af670408e6752f0dd89e
SchoolBoy
e73eb64f139fbfe78f487764bdd6c3a98f2f5383becc3905fbb9ac2a9918a91e
SchoolBoy
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware discovery
Link:
https://tria.ge/reports/201017-nrt472bl4a/
Behaviour
Modifies data under HKEY_USERS
Modifies system certificate store
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Deletes itself
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
028ec268176707aadc2cf8e65a28236cbed214f9fd65fc3346ee34e859e50057
MD5 hash:
35cc7255ba16d183a4a132650d67d2df
SHA1 hash:
2d2ec5fc1f778d8ce070743791296106abadacdf
Detections:
win_sinowal_w1
Create hunting rule
Link:
https://www.unpac.me/results/0035c8da-2c72-43ac-9bf5-a62ce9b56b5f/
Parent samples :
e73eb64f139fbfe78f487764bdd6c3a98f2f5383becc3905fbb9ac2a9918a91e
028ec268176707aadc2cf8e65a28236cbed214f9fd65fc3346ee34e859e50057
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Torpig
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/028ec268176707aadc2cf8e65a28236cbed214f9fd65fc3346ee34e859e50057

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:Quarian
Create hunting rule
Author:Seth Hardy
Description:Quarian
Rule name:QuarianCode
Create hunting rule
Author:Seth Hardy
Description:Quarian code features
Rule name:Steam_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Steam in files like avemaria
Rule name:Telegram_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Telegram in files like avemaria
Rule name:win_sinowal_w1
Create hunting rule
Author:Seth Hardy
Description:Quarian code features

File information

The table below shows additional information about this malware sample such as delivery method and external references.

SchoolBoy

Executable exe e73eb64f139fbfe78f487764bdd6c3a98f2f5383becc3905fbb9ac2a9918a91e

SchoolBoy

Executable exe 028ec268176707aadc2cf8e65a28236cbed214f9fd65fc3346ee34e859e50057

(this sample)

  
X
https://twitter.com/JAMESWT_MHT/status/1317432050379612161
  
Dropped by
SHA256 e73eb64f139fbfe78f487764bdd6c3a98f2f5383becc3905fbb9ac2a9918a91e
  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/72570/

Comments