MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 06139d63dd6245a7ddc44c5d812a80da0b23b984c42fde376465238cb4430064. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 10



SHA256 hash: 06139d63dd6245a7ddc44c5d812a80da0b23b984c42fde376465238cb4430064
SHA3-384 hash: 93479f0312a922b8ef1724bc24f9e2a360e2489ca45da988520ed83c60006e7995dcc6fed5f7fb31b786722c7eb2e5ab
SHA1 hash: 944a8636ba0864f3a145015443204f4818233948
MD5 hash: 3ae4c6261afc64a9f47f1948787c095a
humanhash: queen-wolfram-blossom-eleven
File name: 06139d63dd6245a7ddc44c5d812a80da0b23b984c42fde376465238cb4430064
File size: 2'725'176 bytes
First seen: 2021-12-29 08:08:56 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 56a78d55f3f7af51443e58e0ce2fb5f6 (719 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep 49152:HllTI4jBs6oYy3Pw8yI0cpTRn61r3VTHw5quirM6u4jPhXcH+rq6Ljm:HHCL/PyI06R61TVTQ5qLM6u4zWH+b
TLSH T174C533D594304DAAEDB42978FA6CE7338CBCD12567988EDB2B564D420B533C13A7CB81
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter JAMESWT_WT
Tags: exe signed Xiamen Tongbu Networks Ltd.

Code Signing Certificate

Organisation: Xiamen Tongbu Networks Ltd.
Issuer: Sectigo RSA Code Signing CA
Algorithm: sha256WithRSAEncryption
Valid from: 2019-06-20T00:00:00Z
Valid to: 2022-06-19T23:59:59Z
Serial number: 0690ee21e99b1cb3b599bba7b9262cdc
Intelligence: 5 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist: This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm: SHA256
Thumbprint: eaab14a49c761096c973b4cc4b2cf6257ae5de58ba11dfaa7fcb85fa05980a54
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 1
# of downloads: 140
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 06139d63dd6245a7ddc44c5d812a80da0b23b984c42fde376465238cb4430064
Verdict: Malicious activity
Analysis date: 2021-12-29 08:12:06 UTC
Tags: trojan

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
DNS request

Result
Malware family: n/a
Score: 5/10
Tags: n/a

Behaviour

MalwareBazaar
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: keylogger keylogger overlay packed

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 93 / 100
Signature
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Hides threads from debuggers
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Opens the same file many times (likely Sandbox evasion)
PE file has nameless sections
Sigma detected: Suspicious Svchost Process
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade analysis by execution special instruction which cause usermode exception
Windows Update Standalone Installer command line found (may be used to bypass UAC)
Writes to foreign memory regions
Behaviour
Behavior Graph: [behavior graph image not reproduced; Behavior Graph ID: 546194, Sample: eW8Jsngljx, Startdate: 29/12/2021, Architecture: WINDOWS, Score: 93; processes shown: eW8Jsngljx.exe, nav.exe, svchost.exe, VPDN_LU.exe, wscript.exe]
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2021-12-16 23:38:43 UTC
File Type: PE (Exe)
Extracted files: 2
AV detection: 11 of 27 (40.74%)
Threat level: 5/5
Verdict: malicious

Result
Malware family: metasploit
Score: 10/10
Tags: family:metasploit backdoor trojan
Behaviour
Modifies registry class
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Deletes itself
Loads dropped DLL
Executes dropped EXE
MetaSploit
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Sectigo_Code_Signed
Description: Detects code signed by the Sectigo RSA Code Signing CA
Reference: https://bazaar.abuse.ch/export/csv/cscb/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments