MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 089e8696eff20b84e89e801127624dada3b321b0523d45cb648d437af4271716. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LuminosityLink


Vendor detections: 9


Intelligence 9 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 089e8696eff20b84e89e801127624dada3b321b0523d45cb648d437af4271716
SHA3-384 hash: 28e6c83dd1237ba7771c7f607d049102625561e074c77cc83fd0ddab8fbf844f285a872c94d7c047089b39b6968db412
SHA1 hash: 4c3cb785fd7f3c9eb8e881d7aab7bdabe1dfa918
MD5 hash: c6efcca55f7989b5434effe9bd80cc80
humanhash: berlin-fanta-hydrogen-alanine
File name:c6efcca55f7989b5434effe9bd80cc80.exe
Download: download sample
Signature LuminosityLink
Create hunting rule
File size:2'104'832 bytes
First seen:2020-12-18 16:53:52 UTC
Last seen:2020-12-18 18:33:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash bbac62fd99326ea68ec5a33b36925dd1 (46 x AgentTesla, 38 x njrat, 27 x Formbook)
ssdeep 49152:/kwkn9IMHearAkOsno+JtDqS2WEwbb8BN+E4sCyEQaPCS:sdnVT/htl21lD4sCy2PC
Threatray 971 similar samples on MalwareBazaar
TLSH ACA5E00263DD83E4C3B29173BA56BB41AE7B7C2505A4F09B3FD4053DB972161923EA63
Reporter abuse_ch
Tags: LuminosityLink exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
182
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c6efcca55f7989b5434effe9bd80cc80.exe
Verdict:
Malicious activity
Analysis date:
2020-12-18 17:02:11 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5f77bad9-d645-450a-979a-2853d9de3f8a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/108458/
Detection(s):
Sanesecurity.Malware.27686.AidExe.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Deleting a recently created file
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Launching a process
Adding an access-denied ACE
DNS request
Sending a UDP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a global event handler for the keyboard
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/566509
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 332338 Sample: 51IF8nlnCT.exe Startdate: 18/12/2020 Architecture: WINDOWS Score: 88 37 mahikajol.hopto.org 2->37 39 cdn.onenote.net 2->39 45 Antivirus detection for dropped file 2->45 47 Antivirus / Scanner detection for submitted sample 2->47 49 Multi AV Scanner detection for dropped file 2->49 51 Multi AV Scanner detection for submitted file 2->51 7 51IF8nlnCT.exe 1 7 2->7         started        11 svchost3.exe 2->11         started        14 svchost3.exe 4 2->14         started        16 12 other processes 2->16 signatures3 process4 dnsIp5 33 C:\Users\user\AppData\...\svchost3.exe, PE32 7->33 dropped 35 C:\Users\...\svchost3.exe:Zone.Identifier, ASCII 7->35 dropped 53 Contains functionality to inject code into remote processes 7->53 55 Writes to foreign memory regions 7->55 57 Allocates memory in foreign processes 7->57 18 RegAsm.exe 2 152 7->18         started        43 192.168.2.1 unknown unknown 11->43 59 Injects a PE file into a foreign processes 11->59 21 RegAsm.exe 11->21         started        23 RegAsm.exe 14->23         started        25 RegAsm.exe 2 16->25         started        27 RegAsm.exe 3 16->27         started        29 RegAsm.exe 16->29         started        31 8 other processes 16->31 file6 signatures7 process8 dnsIp9 41 mahikajol.hopto.org 18->41
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/089e8696eff20b84e89e801127624dada3b321b0523d45cb648d437af4271716/
Threat name:
Win32.Trojan.Reconyc
Create hunting rule
Status:
Malicious
First seen:
2017-02-17 22:43:13 UTC
AV detection:
20 of 27 (74.07%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
09bdb0fb2e5689963f8375783abf0d87d2dbccc6a7ed8b03d7a53af29ab2c4d6
LuminosityLink
1f1bc6a65867b976dd8cdc00b6519b60b4da65af780f1636c447e5ebca91da96
LuminosityLink
2f53c96770351e95583b6c3d3bde7c4d44f0fc9e324517fd084a61000ed63dde
LuminosityLink
3aedf2b9413bb9eb0af9daf292e5461a910e182ab9b30debb814f769323a85ff
LuminosityLink
4b5962005864c7cd8c362e37987f7091991f6f3f0a992e02e1b51beb92292a5d
LuminosityLink
95654631036f198ae09278641c978609781eee27cdff60dcfe05ba72b367eee7
LuminosityLink
accfb8da98afdd5a90448bcdead0ce0913e7c1c505a0e4a4fe661fb4dae3da6f
LuminosityLink
afa655613277fa5927ea6e777245abc8812101008ff0d542efd12b9ec4d9e17c
LuminosityLink
c148d7544c90541afc565d03219b8c579ac18a52b1baa3e70eb22bf12cc9a96e
LuminosityLink
d7448da27fa5cbe7df2df781ef5763cdcbb31f6e99d756a03fb1ff577e7043a2
LuminosityLink
+ 961 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence
Link:
https://tria.ge/reports/201218-2gwff72xca/
Behaviour
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Loads dropped DLL
Unpacked files
SH256 hash:
8686e70de75da576fcafb96296cee58f08770b2fae7688f7c38d5f097065a065
MD5 hash:
304fa519ed3f4c903d538f648075a978
SHA1 hash:
29302bda25fbba9334a0ac604d0adc25e5262063
Detections:
win_luminosity_rat_w0
Create hunting rule
Link:
https://www.unpac.me/results/47fb0d49-3759-4d5a-ba91-c40e90234019/
SH256 hash:
089e8696eff20b84e89e801127624dada3b321b0523d45cb648d437af4271716
MD5 hash:
c6efcca55f7989b5434effe9bd80cc80
SHA1 hash:
4c3cb785fd7f3c9eb8e881d7aab7bdabe1dfa918
Link:
https://www.unpac.me/results/47fb0d49-3759-4d5a-ba91-c40e90234019/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Dynamer
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/089e8696eff20b84e89e801127624dada3b321b0523d45cb648d437af4271716

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE).
Rule name:SUSP_XORed_Mozilla
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research
Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:win_luminosity_rat_w0
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/108458/

Comments