MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0938352aa544baf8939184b41aa37f1cc09839e77508180654ac6ba5e39e1c5e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 8



SHA256 hash: 0938352aa544baf8939184b41aa37f1cc09839e77508180654ac6ba5e39e1c5e
SHA3-384 hash: b0338ea6f524bd6e78b803d552d2d881bac00741aaabccd00158cf926c8b58c2649fe5339786e9ce610307245953169f
SHA1 hash: 8b40dd4d09703697bf1c39c966c32afea0a843aa
MD5 hash: 44a71bfc675386d692f9c999f3829c8c
humanhash: mississippi-uranus-uncle-arkansas
File name: VieFT.exe
File size: 190'984 bytes
First seen: 2021-08-17 13:31:05 UTC
Last seen: 2021-08-17 14:11:30 UTC
File type: Executable exe
MIME type: application/x-dosexec
ssdeep: 3072:DgB/po0q3LGLxHSlPMhRwB2E6ZnG7E8RDJkiA/Ia0MIrJj++yyuzACKzkfb3LHnu:DgB43L2gPXU4A/x0MIrJYZKzkjLHqlmY
Threatray: 53 similar samples on MalwareBazaar
TLSH: T1B8147E2AD50C524AFA9B6AFDCD187BAFF0E5BF171F019285B6751EC12712BB94D02302
Reporter: madjack_red
Tags: exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 87
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: VieFT.dat
Verdict: Malicious activity
Analysis date: 2021-08-12 17:12:14 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Transferring files using the Background Intelligent Transfer Service (BITS)
Connection attempt
DNS request
Launching a process
Sending a UDP request
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Bazar Loader
Detection: malicious
Classification: spre.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Detected Bazar Loader
Injects a PE file into a foreign process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs a network lookup / discovery via net view
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sample uses process hollowing technique
Sets debug register (to hijack the execution of another thread)
Sigma detected: CobaltStrike Load by Rundll32
Sigma detected: Dridex Process Pattern
Sigma detected: Suspicious Svchost Process
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Behaviour
Behavior Graph: [graph image not available] Behavior Graph ID: 466798, Sample: VieFT.exe, Startdate: 17/08/2021, Architecture: WINDOWS, Score: 100
Threat name: Win64.Trojan.Kryplod
Status: Malicious
First seen: 2021-08-13 04:12:56 UTC
File Type: PE+ (Dll)
Extracted files: 1
AV detection: 19 of 46 (41.30%)
Threat level: 5/5
Result
Malware family: n/a
Score: 1/10
Tags: n/a
Unpacked files
SHA256 hash: 0938352aa544baf8939184b41aa37f1cc09839e77508180654ac6ba5e39e1c5e
MD5 hash: 44a71bfc675386d692f9c999f3829c8c
SHA1 hash: 8b40dd4d09703697bf1c39c966c32afea0a843aa
Malware family: BazarLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments