MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 076060213e85fd0ce5632de3a579668d6ac167700380fe8c200c54d609d2521f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 7



SHA256 hash: 076060213e85fd0ce5632de3a579668d6ac167700380fe8c200c54d609d2521f
SHA3-384 hash: 9d7db48b11562e974d72d3bf37ceff5c262a48c1564e917a4f7286c22cd678facc105d207571b0855ae02955ff4fb0af
SHA1 hash: 1c69b00ab944b30bb422706ac5de6a7269946d24
MD5 hash: f8085b291d4112af7796e300f6778269
humanhash: juliet-magazine-fourteen-east
File name: BAB一月份.公-司数据-报表.ex~
File size: 1'118'208 bytes
First seen: 2021-02-17 02:51:38 UTC
Last seen: 2021-02-17 04:54:31 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f36709d8a49489e80c0f692660b22464
ssdeep: 24576:L2BnM621eTuNMdJqdgeI5MQOPSvU+Aib8ykMlv6qV1thYKx:SBMB4iN0sdIeQ4j6SMlhtKY
Threatray: 11 similar samples on MalwareBazaar
TLSH: 083533237453A797E09B2BB87A53DC736B6DBDE28497340C05B97F8E83B98021D0A157
Reporter: vm001cn
Tags: exe UPX

Intelligence


File Origin
# of uploads: 2
# of downloads: 144
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: BAB一月份.公-司数据-报表.exe
Verdict: Malicious activity
Analysis date: 2021-02-17 02:47:54 UTC
Tags: loader

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Searching for many windows
Creating a file
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: SharpShooter
Detection: malicious
Classification: troj.evad
Score: 88 / 100
Signature
Contains functionality to detect virtual machines (IN, VMware)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sigma detected: Executables Started in Suspicious Folder
Sigma detected: Execution in Non-Executable Folder
Sigma detected: Suspicious Program Location Process Starts
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses known network protocols on non-standard ports
Yara detected SharpShooter
Behaviour
Behavior Graph (ID 353889; sample: BAB#U4e00#U6708#U4efd.#U516...; start date: 17/02/2021; architecture: WINDOWS; score: 88)
Signatures on the sample: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for submitted file; Yara detected SharpShooter; 5 other signatures
Processes started by the sample: hh.exe; BAB#U4e00#U6708#U4efd.#U516c-#U53f8#U6570#U636e-#U62a5#U8868.exe; cmd.exe; 2 other processes
hh.exe network: talented.albamon.vip (213.176.57.104, 443, 49727, DDOSING-BGP-NETWORKUS, Iran (ISLAMIC Republic Of)); infosender.jobkorea.co.kr (121.189.48.42, 8888, KIXS-AS-KRKoreaTelecomKR, Korea Republic of); 2 other IPs or domains
hh.exe dropped files: C:\Users\Public\Documents\...\hwCodecTest.exe (PE32); C:\Users\Public\Documents\...\msvcr120.dll (PE32); C:\Users\Public\Documents\...\msvcp120.dll (PE32); C:\Users\Public\Documents\TG131\libcurl.dll (PE32)
hh.exe started: hwCodecTest.exe
BAB#U4e00#U6708#U4efd.#U516c-#U53f8#U6570#U636e-#U62a5#U8868.exe dropped files: C:\TAir\7207824351069006\AAAAAAAAAAAAAA.chm (MS)
cmd.exe started: conhost.exe; reg.exe
hwCodecTest.exe network: 43.250.174.131, 49726, 8006, VPSQUANUS, China
hwCodecTest.exe signatures: Contains functionality to detect virtual machines (IN, VMware)
Threat name: Win32.PUA.FlyStudio
Status: Malicious
First seen: 2021-02-16 11:50:41 UTC
AV detection: 17 of 45 (37.78%)
Threat level: 1/5
Result
Malware family: n/a
Score: 9/10
Tags: persistence upx
Behaviour
Checks processor information in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
UPX packed file
ACProtect 1.3x - 1.4x DLL software
Unpacked files
SHA256 hash | MD5 hash | SHA1 hash
e9946cb13b1b9c1dbffb8f1ccc2fb4d9c3875562e259c29f4a9f57e82cc24887 | cdb7df41d8dacd7e0d1a9b4f3792e6f1 | a9d9d139772c0005ed9803c504fec11245fc748a
d142b0332bdaf8fe240b71d6a75d6b6fb172307b15bc4f957ae737f244001021 | 268004bb10e26eff0dc7e5eb67836d13 | 3bae1f02c25e0d24e5475e5c77c45971a79931e7
95b2d14722a68c610dd096440ff487544f754af43b938f09e97d134df332109f | c3f9982550cffefe839110b23fc7f194 | fe858488cc639d1ad4cb2efc13d701732bffe389
076060213e85fd0ce5632de3a579668d6ac167700380fe8c200c54d609d2521f | f8085b291d4112af7796e300f6778269 | 1c69b00ab944b30bb422706ac5de6a7269946d24
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: suspicious_packer_section
Author: @j0sm1
Description: The packer/protector section names/keywords
Reference: http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments