MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 06b7205ba6898b1f45883d5a313c1e3e39d8c226eec0ae289f42106af070e8db. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 06b7205ba6898b1f45883d5a313c1e3e39d8c226eec0ae289f42106af070e8db
SHA3-384 hash: 7cde6a4a6b61606a1b069f8d99c007c60d992af5593ca27512afc13991745bfdb4a06529c575899bc576672d93c140d6
SHA1 hash: 4799b8384d8dd83ac3be05a6050be7c20a54d021
MD5 hash: 1dfe903a52f9ac3411a5a5acc9dcd270
humanhash: kilo-may-pasta-berlin
File name:ds1.exe
Download: download sample
File size:110'592 bytes
First seen:2020-10-10 04:17:12 UTC
Last seen:2020-10-10 04:35:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 1536:DMYvpxWs1ylUcJL3emLs/7IL7trMtcVAL3MSHwhB:Ddvp1qh7Ls/07ZMtcVYHwb
Threatray 66 similar samples on MalwareBazaar
TLSH CEB3A707C6AB6833FF4435BAB8696C58CF3584585A13FB7E0506D6EC0E5E39B4CA3129
Reporter TrappmanRhett

Intelligence

File Origin
# of uploads :
2
# of downloads :
113
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/69677/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file
Creating a file in the Windows subdirectories
Launching a process
Creating a window
Changing a file
Setting a global event handler
Running batch commands
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Searching for the window
Forced system process termination
Creating a process with a hidden window
Possible injection to a system process
Unauthorized injection to a recently created process
Launching a tool to kill processes
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/487371
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (overwrites its own PE header)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 296129 Sample: ds1.exe Startdate: 10/10/2020 Architecture: WINDOWS Score: 92 62 Antivirus / Scanner detection for submitted sample 2->62 64 Multi AV Scanner detection for submitted file 2->64 66 Machine Learning detection for sample 2->66 68 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 2->68 8 cmd.exe 1 2->8         started        10 ds1.exe 1 2->10         started        14 taskkill.exe 1 2->14         started        process3 file4 16 xg50ptmx.exe 2 8->16         started        19 conhost.exe 8->19         started        21 conhost.exe 8->21         started        54 C:\Users\user\AppData\Local\...\ds1.exe.log, ASCII 10->54 dropped 70 Injects a PE file into a foreign processes 10->70 23 ds1.exe 4 10->23         started        26 conhost.exe 14->26         started        signatures5 process6 file7 56 Antivirus detection for dropped file 16->56 58 Multi AV Scanner detection for dropped file 16->58 60 Detected unpacking (overwrites its own PE header) 16->60 28 powershell.exe 21 16->28         started        30 powershell.exe 22 16->30         started        32 powershell.exe 16->32         started        36 10 other processes 16->36 52 C:\Windows\Temp\xg50ptmx.exe, PE32 23->52 dropped 34 cmstp.exe 9 7 23->34         started        signatures8 process9 process10 38 conhost.exe 28->38         started        40 conhost.exe 30->40         started        42 conhost.exe 32->42         started        44 conhost.exe 36->44         started        46 conhost.exe 36->46         started        48 conhost.exe 36->48         started        50 5 other processes 36->50
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/06b7205ba6898b1f45883d5a313c1e3e39d8c226eec0ae289f42106af070e8db/
Threat name:
ByteCode-MSIL.Trojan.AntiWD
Create hunting rule
Status:
Malicious
First seen:
2020-10-09 16:37:06 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
1f0e1ce3138f2bea6283f0b28e127952c7d33118056bd7c3b745892aa36ba1e7
2e4775c5d181f37f4a0802a9982601352f0a7de1ffd74909024150572ed6522b
2e6b47bbdb9f281c1432dc63d92d67ca891adf87e20edfa456789c8724a4b7b1
483c603c9fb09c2e908d782f7e6f3f04e6e26b7eaaf8ac637733a4e4a32c80e7
975a65aa0395ac8ec58660540e947df075ab6dbd4a6ecf921fef7fd850f02caa
b4267cab9e3e8255b44e1947b4c6bb40901d9f0654c2d0ab40690851fcacf16c
be64654bb507094ad7ace4a1da27dfe42dd6451d9dadb24b8310aa50e8ff5f34
d1d245f4d408bf9dbaed6c59f68c995e427d95bd8316cc358377ec7ee43fb2f2
d8f37e199f10881b2045823553fd64f3f52ec616e24f2235a47dae7c435a3c72
ed184e1c76f982d9537a281ac7cc805179e72d9ca538e7ff202e7be38bfee6ae
+ 56 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion trojan
Link:
https://tria.ge/reports/201010-qpgme5w756/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Kills process with taskkill
Suspicious use of SetThreadContext
Executes dropped EXE
Contains code to disable Windows Defender
Modifies Windows Defender Real-time Protection settings
Unpacked files
SH256 hash:
06b7205ba6898b1f45883d5a313c1e3e39d8c226eec0ae289f42106af070e8db
MD5 hash:
1dfe903a52f9ac3411a5a5acc9dcd270
SHA1 hash:
4799b8384d8dd83ac3be05a6050be7c20a54d021
Link:
https://www.unpac.me/results/94bfea29-66d7-4cba-9ed7-ca9f37a7d83b/
SH256 hash:
087d0c0315da38a9c29aab66a628d05b169013d8135de9652e6a83bee15e8d8d
MD5 hash:
215d10c58de49c8d224e9a77d42961db
SHA1 hash:
2bb0effd16fb00c44aa78ba949a0e0d9a1cb4f94
Link:
https://www.unpac.me/results/94bfea29-66d7-4cba-9ed7-ca9f37a7d83b/
SH256 hash:
165b6353a27653c087637f372f70713e4e0af658e87f03ba0703d8b975525243
MD5 hash:
112730ad698bcb62cfb8c64c4862640a
SHA1 hash:
6b42b1f3f372785c40b4f80c35d6aa2e0d012429
Link:
https://www.unpac.me/results/94bfea29-66d7-4cba-9ed7-ca9f37a7d83b/
SH256 hash:
fb53f249042cc5f481012d1e3721cc14029cdc08a8ddf19284de444ecbd17dc3
MD5 hash:
bf73308c515441c8a8699eeca98fd8c8
SHA1 hash:
8437a030db1d32fefedf81232dbc97ad44334834
Link:
https://www.unpac.me/results/94bfea29-66d7-4cba-9ed7-ca9f37a7d83b/
SH256 hash:
88e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03
MD5 hash:
f4b5c1ebf4966256f52c4c4ceae87fb1
SHA1 hash:
ca70ec96d1a65cb2a4cbf4db46042275dc75813b
Link:
https://www.unpac.me/results/94bfea29-66d7-4cba-9ed7-ca9f37a7d83b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/06b7205ba6898b1f45883d5a313c1e3e39d8c226eec0ae289f42106af070e8db

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/69677/

Comments