MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 05cc7a32e5a0023f9e1c790f97b069ccd27ada59ea8b9864f7f9069e3049663c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 14


Intelligence 14 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 05cc7a32e5a0023f9e1c790f97b069ccd27ada59ea8b9864f7f9069e3049663c
SHA3-384 hash: 72758cb9d76e38eb58b0a67d72ff40bc76f983b336af4af3742076f6a1d14d86920bd3dc15494f8fa666c5615527e76a
SHA1 hash: 8d689f1749d2862df85bef7a70d52482b08d8a49
MD5 hash: 7745b093e167b6103c910bcafd0aa27d
humanhash: wolfram-lamp-queen-quebec
File name:熊猫烧香终极版.exe
Download: download sample
File size:12'684'820 bytes
First seen:2025-01-05 13:34:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a56f115ee5ef2625bd949acaeec66b76 (53 x Stealc, 49 x PureHVNC, 35 x CoinMiner)
ssdeep 393216:LNyhvRvQnbLvlx2K97wsJXrXhrGyR8ovz4v/:ZyVREU4JXtiZqzW/
TLSH T173D633473849DD0AEE299BB90132CAB13652BF75A575916D3BC1BE9BF8331C76C040A3
TrID 28.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
25.5% (.EXE) Win32 Executable (generic) (4504/4/1)
11.6% (.ICL) Windows Icons Library (generic) (2059/9)
11.5% (.EXE) OS/2 Executable (generic) (2029/13)
11.3% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
File icon (PE):PE icon
dhash icon 33e8d4b2b2716063
Reporter zhuzhu0009
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
531
Origin country :
JP JP
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
熊猫烧香终极版.exe
Verdict:
Suspicious activity
Analysis date:
2025-01-05 13:37:34 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/cf9865d7-faa3-497c-a78a-a32db4cde57d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.DownLoad4.14729.22553.889.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=677a8b2ac029bd73f282e9ef
Tags:
dropper virus madi sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
crypt installer-heuristic microsoft_visual_cc obfuscated overlay overlay packed packed packed themidawinlicense virus
Link:
https://www.filescan.io/uploads/6919a158a4cfab8e885c85ec/reports/0504807c-8bdf-4bcf-ad7f-5f358a89c6aa/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/05cc7a32e5a0023f9e1c790f97b069ccd27ada59ea8b9864f7f9069e3049663c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e6b2eefa-4370-446d-9d1a-380e8de9fe6c
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1584436
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates an undocumented autostart registry key
Excessive usage of taskkill to terminate processes
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sigma detected: New File Association Using Exefile
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1584436 Sample: #U718a#U732b#U70e7#U9999#U7... Startdate: 05/01/2025 Architecture: WINDOWS Score: 100 66 Antivirus / Scanner detection for submitted sample 2->66 68 Multi AV Scanner detection for dropped file 2->68 70 Multi AV Scanner detection for submitted file 2->70 72 4 other signatures 2->72 8 #U718a#U732b#U70e7#U9999#U7ec8#U6781#U7248.exe 93 2->8         started        12 explorer.exe 2->12         started        14 rundll32.exe 2->14         started        16 rundll32.exe 2->16         started        process3 file4 58 C:\panda.exe, PE32 8->58 dropped 60 C:\gamesetup.exe, PE32 8->60 dropped 62 C:\Users\user\AppData\Local\Temp\...\spec.fne, PE32 8->62 dropped 64 8 other malicious files 8->64 dropped 82 Query firmware table information (likely to detect VMs) 8->82 84 Excessive usage of taskkill to terminate processes 8->84 86 Hides threads from debuggers 8->86 88 Tries to detect sandboxes / dynamic malware analysis system (registry check) 8->88 18 gamesetup.exe 5 3 8->18         started        21 taskkill.exe 1 8->21         started        23 taskkill.exe 1 8->23         started        25 21 other processes 8->25 signatures5 process6 signatures7 74 Antivirus detection for dropped file 18->74 76 Multi AV Scanner detection for dropped file 18->76 78 Creates an undocumented autostart registry key 18->78 80 Machine Learning detection for dropped file 18->80 27 cmd.exe 1 18->27         started        30 cmd.exe 1 18->30         started        32 cmd.exe 1 18->32         started        34 conhost.exe 21->34         started        36 conhost.exe 23->36         started        38 conhost.exe 25->38         started        40 conhost.exe 25->40         started        42 conhost.exe 25->42         started        44 18 other processes 25->44 process8 signatures9 90 Excessive usage of taskkill to terminate processes 27->90 46 taskkill.exe 1 27->46         started        48 conhost.exe 27->48         started        50 explorer.exe 5 5 27->50         started        52 taskkill.exe 1 30->52         started        54 conhost.exe 30->54         started        56 conhost.exe 32->56         started        process10
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/05cc7a32e5a0023f9e1c790f97b069ccd27ada59ea8b9864f7f9069e3049663c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/05cc7a32e5a0023f9e1c790f97b069ccd27ada59ea8b9864f7f9069e3049663c/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-01-05 13:35:06 UTC
File Type:
PE (Exe)
Extracted files:
18
AV detection:
11 of 23 (47.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=axghumxfuabd7hq4pehzpmdjztjhvwsz5kfzqzhx7edj4mcjmy6a._file
Result
Malware family:
n/a
Score:
  9/10
Tags:
discovery evasion themida trojan
Link:
https://tria.ge/reports/250105-qt3zpsxpeq/
Behaviour
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Checks BIOS information in registry
Themida packer
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/045a553e-5222-4aaa-ae1a-fc2b3bf53e88
Unpacked files
SH256 hash:
d1d5f7cdc1ec41bba0ae3391d58409c8d710e5526559168cac5f0fdc510d245b
MD5 hash:
f5efa94419f190dd8b6af402efc8ac7f
SHA1 hash:
f8dfef0b9096d0bc9853548458d05612023f5d3a
Link:
https://www.unpac.me/results/35906328-8b2c-4fc6-81db-2389752b4a04/
SH256 hash:
a8b14f31098a191631696db5ddc77e029b48999542e0ec15b63df02220c66d37
MD5 hash:
dba5fdbe7ec94463b3f6fdf2162c9f95
SHA1 hash:
a97137b4f2b77166b2a23da1f58e0bdb7365f4f2
Detections:
win_xiaoba_auto
Create hunting rule
Link:
https://www.unpac.me/results/35906328-8b2c-4fc6-81db-2389752b4a04/
Parent samples :
05cc7a32e5a0023f9e1c790f97b069ccd27ada59ea8b9864f7f9069e3049663c
0def3cbaec84dc2729761b4a47590d888cf93ed2097d6dfd6dda7d3b29471ef3
0b2a852742c7d974fe16a45a7c6fb5efcf7b03f19e7029f9c43284a2ea5be84f
b59199454fb6665bfd64c5a88d13532eb56b22735b83ba262cc643dd290d5f97
e30a9bee5ee26e31edbdd2654969551cbabd2694b8703539f768c04b53c19be0
70936a7ded2bf6c07a625459583d8ad4bf36258002235ad2f81db9158b3aef6f
907f18fc619a027a1d40b9f21d91b2b0029f1e893065c99f1d5563cd7f14dd37
SH256 hash:
0a12fcbe6832aad4143dd2ad87a60e9ff4f04fa440831f910557f820ba21fe18
MD5 hash:
9c80fda2e1e98f3ab0873a2ea3e6be7f
SHA1 hash:
6eac9c5ef36a4d799bdf683823a4f3e912f4f470
Link:
https://www.unpac.me/results/35906328-8b2c-4fc6-81db-2389752b4a04/
SH256 hash:
53483523c316ad8c022c2b07a5cabfff3339bc5cb5e4ac24c3260eea4f4d9731
MD5 hash:
7c1ff88991f5eafab82b1beaefc33a42
SHA1 hash:
5ea338434c4c070aaf4e4e3952b4b08b551267bc
Link:
https://www.unpac.me/results/35906328-8b2c-4fc6-81db-2389752b4a04/
SH256 hash:
58e5d6246a0555c2afeeac51ae12ecda459f377e87b92cb4d7a0ddc055abbbca
MD5 hash:
4ea6c6b972965aa0a0f11515ec46ec0c
SHA1 hash:
114f24efb002d64b93357c718167ba018a00b579
Link:
https://www.unpac.me/results/35906328-8b2c-4fc6-81db-2389752b4a04/
SH256 hash:
a9f85778f5ff42d901197c3ec224b3fc98e3eee40e8ed3190f740093ecb0f2e4
MD5 hash:
4d5dca29d7be00e0221b91e5d5c98119
SHA1 hash:
021da11533769d198151ec6e10de0435725ddc0a
Link:
https://www.unpac.me/results/35906328-8b2c-4fc6-81db-2389752b4a04/
SH256 hash:
db548219cd7599ebc666b2ab6977da98dcf2b3180c092e4c4d03c91724997df8
MD5 hash:
c4fb1d0017699d4fc89f8b9187131f41
SHA1 hash:
5ef05b5f62743b6aab94b24d4452f371e429b534
Link:
https://www.unpac.me/results/35906328-8b2c-4fc6-81db-2389752b4a04/
SH256 hash:
0377585ec50ed2e1b3d8519be272599f31024accd20b484ddae8240e09cc83b4
MD5 hash:
13d3997b43c3d5cbafb0ff10b6f0dee1
SHA1 hash:
e650a76f3fa8d28e2ff3751ccf44d124ef2b82bd
Link:
https://www.unpac.me/results/35906328-8b2c-4fc6-81db-2389752b4a04/
SH256 hash:
00b9c0120df0595184523a3620ef9b3c3e11fc0e61d366d7eeabb646647cfceb
MD5 hash:
bd1f243ee2140f2f6118a7754ea02a63
SHA1 hash:
cdf7dd7dd1771edcc473037af80afd7e449e30d9
Link:
https://www.unpac.me/results/35906328-8b2c-4fc6-81db-2389752b4a04/
SH256 hash:
ad80064f71d273967dcf0b14b9cd6e84d79a132231d619687d9266c7807bdfe0
MD5 hash:
a35ee23aaab26afc575ac83df9572b57
SHA1 hash:
81ea38c694ce9702faddfb961f17c1bbf628a76d
Link:
https://www.unpac.me/results/35906328-8b2c-4fc6-81db-2389752b4a04/
SH256 hash:
e37aa72bca3cecb9bdbe51cbd81ec1143bb17163088a1379a4ccb93f5d881e76
MD5 hash:
5cac4fe734fc8454ccb847e030beee38
SHA1 hash:
34298fe220e35f614b2c837cf1dc2604ab0882d6
Link:
https://www.unpac.me/results/35906328-8b2c-4fc6-81db-2389752b4a04/
SH256 hash:
05cc7a32e5a0023f9e1c790f97b069ccd27ada59ea8b9864f7f9069e3049663c
MD5 hash:
7745b093e167b6103c910bcafd0aa27d
SHA1 hash:
8d689f1749d2862df85bef7a70d52482b08d8a49
Link:
https://www.unpac.me/results/35906328-8b2c-4fc6-81db-2389752b4a04/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/05cc7a32e5a0023f9e1c790f97b069ccd27ada59ea8b9864f7f9069e3049663c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida
Rule name:kill_explorer
Create hunting rule
Author:iam-py-test
Description:Detect files killing explorer.exe
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:Windows_Generic_Threat_3f060b9c
Create hunting rule
Author:Elastic Security
Rule name:Windows_Generic_Threat_bc6ae28d
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
CHECK_TRUST_INFORequires Elevated Execution (level:requireAdministrator)high

Comments