MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 08124c7d2c97ffd108f1b7c9bba86aaeff5a41d16c77fcf11b3a8c9504f93424. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CoderWare

Vendor detections: 10

Intelligence 10 IOCs YARA 2 File information Comments

SHA256 hash:	08124c7d2c97ffd108f1b7c9bba86aaeff5a41d16c77fcf11b3a8c9504f93424
SHA3-384 hash:	2c3a73833272a418800aa6bfa6b18ed6cd6a4728bb600f906a5097925c778466c05cc61439ed06c11460725a55838dde
SHA1 hash:	fb4d3e1fe06bab2bb9255f18b1e8e079fbf6de06
MD5 hash:	9bb3e77f3a2b7329ca41979a783996ae
humanhash:	sad-friend-cat-stream
File name:	CyberPunk2077.exe
Download:	download sample
Signature	CoderWare Create hunting rule
File size:	10'422'611 bytes
First seen:	2020-11-27 05:07:15 UTC
Last seen:	2020-11-27 06:47:51 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	c1063b9ff707a38ff65c062d195945a1 (1 x CoderWare, 1 x Emotet)
ssdeep	196608:ogGM6uTRTIMz9n+UkL8gNs2It/otQgZ4+1rX8pHsegYqb4Da7t:ogGJKRTI+n+UK8gZGst1r1eSb4e7t
Threatray	26 similar samples on MalwareBazaar
TLSH	05A63301A9D0C4ABE256B7BA12E5F73C486F7F916E055206C9783DE537B0BCBAC31849
Reporter	JAMESWT_WT
Tags:	CoderWare

Intelligence

File Origin

# of uploads :

# of downloads :

172

Origin country :

n/a

Vendor Threat Intelligence

Detection:

PyInstaller

Link:

https://www.capesandbox.com/analysis/105769/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Modifying an executable file

Changing a file

Moving a file to the Program Files subdirectory

Moving a file to the %temp% subdirectory

Creating a file in the %temp% subdirectories

Sending a UDP request

DNS request

Connection attempt

Creating a file

Encrypting user's files

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Unknown

Detection:

malicious

Classification:

rans.troj.spyw.evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/548915

Signature

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Uses dynamic DNS services

Writes a notice file (html or txt) to demand a ransom

Writes many files with high entropy

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/08124c7d2c97ffd108f1b7c9bba86aaeff5a41d16c77fcf11b3a8c9504f93424/

Threat name:

Win32.Trojan.Alien

Status:

Malicious

First seen:

2020-11-20 07:08:23 UTC

File Type:

PE (Exe)

Extracted files:

1622

AV detection:

22 of 28 (78.57%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=bajey7jms775cchrw7e3xkdkv37vuqornr37z4i3hkgjkbhzgqsa._file

Verdict:

malicious

CoderWare

2c9a56116d34514c98f71a77cd80ab3b32d6523b2d7aa9b89b6e4f5c1cd8a8df

CoderWare

434ea880ad59cffded73a776f3a01a75e6afef21fc6dca45b364fd3f0ba54de3

CoderWare

4970f05913aa3f02abc082a82fbf8cf2fc36995b898786cde396b93dce74b859

CoderWare

52f137c22685d15df043daabdb9c823e07ecec4df42bcc2fa2c5bd45913d32ea

CoderWare

5cd1e21eef3c4ed694dc429b88b403995244060feb4fdea12473aff4d782e1f5

CoderWare

8dc94d486fd546ffbf8f21252aba65efe18432a6cae815e02b8be4ce4449291a

CoderWare

95e35f1614df92a318a749a8f62a35b9c03f2f34f08ad5606b45c9d817ff1d93

CoderWare

e6ff6d164a876c50bfc4a6f7b6397914f9656d0e4aef1ceba65f1e92ed1b6c69

CoderWare

fba8817602cb7dae175d9fec0900fbfd3e097aae4d32befaecd87d6e3fdb7412

CoderWare

+ 16 additional samples on MalwareBazaar

Result

Malware family:

demonware

Score:

10/10

Tags:

family:demonware pyinstaller ransomware spyware

Link:

https://tria.ge/reports/201127-vtsxc8k5nx/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Drops file in Program Files directory

Drops file in Windows directory

Drops file in System32 directory

JavaScript code in executable

Loads dropped DLL

Reads user/profile data of web browsers

Drops file in Drivers directory

Modifies extensions of user files

DemonWare

Unpacked files

SH256 hash:

d2df51a505bd787f1262e117854ca9013202242ffc035df22af9cf0c129b6ad5

MD5 hash:

d06999ec555017da59c39a68febb2f6e

SHA1 hash:

f7f386ab4bd777eb2c8f11dec36779e14f6a8669

Link:

https://www.unpac.me/results/add3bfa5-d3c4-4af1-920e-06f00c0c4f31/

SH256 hash:

22bb62637f67d77b1307b1d1944ee91371d5e5a7388ee661ebd178191201d0d2

MD5 hash:

645ab6528ed61cb1ff7ec72f241b9a1e

SHA1 hash:

b149e17fa160c9789da367011a5ec5a69400abb6

Link:

https://www.unpac.me/results/add3bfa5-d3c4-4af1-920e-06f00c0c4f31/

SH256 hash:

b5063b511e98931da51ea471634f98a1c9de2fef149ea2e3c779b2adff002246

MD5 hash:

0e7466542d8f0c527e77c297b85b17e8

SHA1 hash:

2ce37d74fb26e88054f6ef7d02a24a3a435c4f0d

Link:

https://www.unpac.me/results/add3bfa5-d3c4-4af1-920e-06f00c0c4f31/

SH256 hash:

6aa99d4ff2c73722f67c9ef42c27e3a2c660edf1495d538dad9793a15e7b0b7c

MD5 hash:

9606acb077b6ba32a5869fbf25373134

SHA1 hash:

c4dd60b9d92c894042a9f34500492a088cd642fa

Link:

https://www.unpac.me/results/add3bfa5-d3c4-4af1-920e-06f00c0c4f31/

SH256 hash:

a90c3eb4a33b1edb48828ec0d96b2a430b5e2f1c7c4be0a1abd6e93ba65e06ad

MD5 hash:

a64c00c4d291c165c10dee2324c420cc

SHA1 hash:

2e3c38a53d9e9f826918d3a35495e5525e48684e

Link:

https://www.unpac.me/results/add3bfa5-d3c4-4af1-920e-06f00c0c4f31/

SH256 hash:

bd25d02514826ae4131f636344e1f9954d8b67ffd1ba3345708bc099cc427202

MD5 hash:

42e86c0bb23043845c206fdd3ffcc3ac

SHA1 hash:

20c3aff5fb2f36e5fb1b60d084825535a1ee4cff

Link:

https://www.unpac.me/results/add3bfa5-d3c4-4af1-920e-06f00c0c4f31/

SH256 hash:

cdf8ac13f296fb16fa99196f39b8651ec2b4c08f222fe459fb7d2bbdadd4ebb8

MD5 hash:

f78718f60dc88148cd3a4178ec2260b0

SHA1 hash:

cefffe857931756f76728ceddb0db0f73259165d

Link:

https://www.unpac.me/results/add3bfa5-d3c4-4af1-920e-06f00c0c4f31/

SH256 hash:

6ee75e8282c368ba8f4a55d3957a74e70ba101f4bef4b29316bc0ec80ba570d4

MD5 hash:

946ca14121e496d49ea80a5a2f62cf11

SHA1 hash:

b2ac7c6f962c25777ff8db609da89a6056331fe7

Link:

https://www.unpac.me/results/add3bfa5-d3c4-4af1-920e-06f00c0c4f31/

SH256 hash:

08124c7d2c97ffd108f1b7c9bba86aaeff5a41d16c77fcf11b3a8c9504f93424

MD5 hash:

9bb3e77f3a2b7329ca41979a783996ae

SHA1 hash:

fb4d3e1fe06bab2bb9255f18b1e8e079fbf6de06

Link:

https://www.unpac.me/results/add3bfa5-d3c4-4af1-920e-06f00c0c4f31/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Gafgyt

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/08124c7d2c97ffd108f1b7c9bba86aaeff5a41d16c77fcf11b3a8c9504f93424

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	PE_File_pyinstaller Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)
Description:	Detect PE file produced by pyinstaller
Reference:	https://isc.sans.edu/diary/21057

Rule name:	PyInstaller Create hunting rule
Author:	@bartblaze
Description:	Identifies executable converted using PyInstaller.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/105769/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample