MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 02c2d998d15695f75ee2768a4fc0cbc30898ef772ae081518d1fc78b5e1decbb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 14


Intelligence 14 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 02c2d998d15695f75ee2768a4fc0cbc30898ef772ae081518d1fc78b5e1decbb
SHA3-384 hash: 6e16f54c4c1eb2579661c42cccc69483299e5cc43ef7fce6c9a2f0fcf6417f9a89f873e06c4ca05520afbf158ba5d173
SHA1 hash: e1212710726edd46307071c651fbaa8847b6c6a1
MD5 hash: 0eac667cbce1c13116b0a40908d8695f
humanhash: indigo-sink-batman-skylark
File name:1.exe
Download: download sample
File size:40'578 bytes
First seen:2024-04-24 09:04:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 87bed5a7cba00c7e1f4015f1bdae2183 (3'034 x Jadtre, 23 x IcedID, 23 x Blackmoon)
ssdeep 768:A9ffDAAAbXAQJtw6jgO5RroZJ76739AzUJQ+CiiK1Cy6sgSq1cJpZ/i3:A+ge+Zk7qzUJBC2KsgSMcJzi
Threatray 1 similar samples on MalwareBazaar
TLSH T11903F187BBA16D0BC4CE99BCC4630EB3B9A6D46B15220D3170E3330D2D65261FE54AED
dhash icon fcdef65eda96beb8
Reporter Anonymous
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
335
Origin country :
HK HK
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
02c2d998d15695f75ee2768a4fc0cbc30898ef772ae081518d1fc78b5e1decbb.exe
Verdict:
Malicious activity
Analysis date:
2024-04-24 09:06:46 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/17ba5d76-80e0-4a59-9bfd-49a7150fe33e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed packed packed winupack
Link:
https://www.filescan.io/uploads/6628cb4b14fabb16f400a6fb/reports/19480940-38f8-4e6f-b807-91e1cd9309f0/overview
Verdict:
Malicious
Labled as:
Viking.Generic
Link:
https://www.hybrid-analysis.com/sample/02c2d998d15695f75ee2768a4fc0cbc30898ef772ae081518d1fc78b5e1decbb
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4bb008f8-cb70-4a4b-922e-c5202f5f9b9f
Result
Threat name:
Hancitor
Create hunting rule
Detection:
malicious
Classification:
spre.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1430913
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates an undocumented autostart registry key
Creates files in the recycle bin to hide itself
Disables security and backup related services
Drops executable to a common third party application directory
Infects executable files (exe, dll, sys, html)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Sigma detected: Suspicious Windows Service Tampering
Snort IDS alert for network traffic
Writes to foreign memory regions
Yara detected Hancitor
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1430913 Sample: 1.exe Startdate: 24/04/2024 Architecture: WINDOWS Score: 100 42 Snort IDS alert for network traffic 2->42 44 Antivirus detection for URL or domain 2->44 46 Antivirus detection for dropped file 2->46 48 8 other signatures 2->48 7 1.exe 1 1001 2->7         started        process3 dnsIp4 36 192.168.2.100 unknown unknown 7->36 38 192.168.2.101 unknown unknown 7->38 40 98 other IPs or domains 7->40 28 C:\Windows\rundl132.exe, PE32 7->28 dropped 30 C:\Windows\Dll.dll, PE32 7->30 dropped 32 C:\ProgramData\Microsoft\...\integrator.exe, PE32 7->32 dropped 34 44 other malicious files 7->34 dropped 50 Creates files in the recycle bin to hide itself 7->50 52 Creates an undocumented autostart registry key 7->52 54 Injects code into the Windows Explorer (explorer.exe) 7->54 56 5 other signatures 7->56 12 net.exe 1 7->12         started        14 net.exe 1 7->14         started        16 explorer.exe 100 5 7->16 injected file5 signatures6 process7 process8 18 conhost.exe 12->18         started        20 net1.exe 1 12->20         started        22 conhost.exe 14->22         started        24 net1.exe 1 14->24         started        26 notepad.exe 5 16->26         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/02c2d998d15695f75ee2768a4fc0cbc30898ef772ae081518d1fc78b5e1decbb
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/02c2d998d15695f75ee2768a4fc0cbc30898ef772ae081518d1fc78b5e1decbb/
Threat name:
Win32.Worm.Viking
Create hunting rule
Status:
Malicious
First seen:
2024-04-24 09:05:05 UTC
File Type:
PE (Exe)
Extracted files:
8
AV detection:
23 of 23 (100.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=albntggrk2k7oxxco2fe7qglymejr33xflqicumnd7dywxq55s5q._file
Verdict:
malicious
Similar samples:
30f1233c3ff4700a11e179f579008b3c9e57d193dede2df2e6b6ee7addd04743
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/240424-k16fhsgc27/
Behaviour
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Drops file in Windows directory
Enumerates connected drives
Drops startup file
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
f578fbff6c4e6c3a471ad9649bb7c5325d263f29a43d6a31e0cf3b675cb3417e
MD5 hash:
8768c92c1e01b466d860862b780b6ae7
SHA1 hash:
150a7f4bcc80982643d2edfc745bc71c6ae2f8eb
Link:
https://www.unpac.me/results/46fb2ce6-b570-4186-82b1-46d46657ed79/
SH256 hash:
c13b1bc6b962b5fb1d2cb89d40981a5222ced5bebb865ccc54401468d24bbfd6
MD5 hash:
2f680f1e837fbb974f6666a2cabb420b
SHA1 hash:
3c3022136ea5bd53abea079c865c0afcc1369dbc
Link:
https://www.unpac.me/results/46fb2ce6-b570-4186-82b1-46d46657ed79/
SH256 hash:
d0e0690bf0448a4ca43c41e48aa6b41322fd15af93d2d79242463470a2a7da0a
MD5 hash:
da98ecd326cb8616b181f4a4f012c256
SHA1 hash:
083931716ea1b3c09f9d72323786fcc43c7c7b29
Detections:
SUSP_XORed_URL_In_EXE
Create hunting rule
Link:
https://www.unpac.me/results/46fb2ce6-b570-4186-82b1-46d46657ed79/
SH256 hash:
02c2d998d15695f75ee2768a4fc0cbc30898ef772ae081518d1fc78b5e1decbb
MD5 hash:
0eac667cbce1c13116b0a40908d8695f
SHA1 hash:
e1212710726edd46307071c651fbaa8847b6c6a1
Link:
https://www.unpac.me/results/46fb2ce6-b570-4186-82b1-46d46657ed79/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/02c2d998d156/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Viking
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/02c2d998d15695f75ee2768a4fc0cbc30898ef772ae081518d1fc78b5e1decbb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:TeslaCryptPackedMalware
Create hunting rule
Rule name:Upack024027beta028alphaDwing
Create hunting rule
Author:malware-lu
Rule name:Upackv01xv02xDwing
Create hunting rule
Author:malware-lu
Rule name:Upackv024v028AlphaDwing
Create hunting rule
Author:malware-lu
Rule name:Upackv029Betav031BetaDwing
Create hunting rule
Author:malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN_BASE_APIUses Win Base APIKERNEL32.DLL::LoadLibraryA

Comments