MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0acebaf80946be0cb3099233e8807aa775c8304fc3dee48d42241ff68b7ab318. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 9



SHA256 hash: 0acebaf80946be0cb3099233e8807aa775c8304fc3dee48d42241ff68b7ab318
SHA3-384 hash: a853357fd246407f00f1ba6dd2f9b77bfd3b17845aa8b2808fce731bffeaa6d314141db7bb1deb773ea3e0dfc765bab6
SHA1 hash: b66535ff43334177a5a167b9f2b07ade75484eec
MD5 hash: 3ca6df4914385efd4ba9cd239b5ed254
humanhash: lithium-pennsylvania-queen-stream
File name: 3ca6df4914385efd4ba9cd239b5ed254.exe
Signature: n/a
File size: 4'671'378 bytes
First seen: 2020-12-05 07:25:01 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: be41bf7b8cc010b614bd36bbca606973 (125 x DanaBot, 23 x CryptBot, 5 x DarkVNC)
ssdeep: 98304:ijIHEaC7gS8j+u8ME/F59JdQVDQYxb6FqrnGGs3ycc6dNIdvlDPAQ1q14gaT:ijeEaC7gS6wMEdv4BQYhGPNPgdvlDHoG
Threatray: 2 similar samples on MalwareBazaar
TLSH: 80263392B7BA8234C6653E7298F6A535E716FC1CCC005B9B7344FEAF113A2414A19F63
Reporter: @abuse_ch
Tags: exe

Intelligence

File Origin
# of uploads: 1
# of downloads: 136
Origin country: US
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a window
Searching for the window
Creating a file in the Program Files subdirectories
Creating a file
Deleting a recently created file
Launching a process
Creating a process with a hidden window
DNS request
Connection attempt
Sending an HTTP POST request
Adding a root certificate
Running batch commands
Creating a file in the Windows subdirectories
Reading critical registry keys
Changing a file
Moving a recently created file
Replacing files
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
Creating a file in the %AppData% directory
Using the Windows Management Instrumentation requests
Stealing user critical data
Unauthorized injection to a recently created process by context flags manipulation
Launching a tool to kill processes
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: bank.spyw.evad.troj
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Binary contains a suspicious time stamp
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to detect sleep reduction / modifications
Contains functionality to infect the boot sector
Detected unpacking (creates a PE file in dynamic memory)
Hides threads from debuggers
Installs new ROOT certificates
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Registers a new ROOT certificate
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Behaviour
Behavior Graph (ID 327203; sample h1GodtbhC8.exe; start date 05/12/2020; architecture WINDOWS; score 100). The rendered graph image is not reproduced here; its nodes and edges, as recovered from the page text, are:

Root (node 2)
- Contacted domains/IPs: dream.pics; www.sodown.xyz; 30 other IPs or domains
- Signatures: Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 14 other signatures
- Started: h1GodtbhC8.exe (node 11); msiexec.exe (node 14)

h1GodtbhC8.exe (node 11)
- Dropped: C:\Users\user\AppData\Local\...\Sibuia.dll (PE32); C:\Users\user\AppData\...\h1GodtbhC8.exe.log (ASCII); C:\Users\user\AppData\Local\...\SibClr.dll (PE32); 2 other files (none is malicious)
- Started: setup.exe (node 16)

setup.exe (node 16)
- Dropped: C:\Program Files (x86)\...\aliens.exe (PE32)
- Started: aliens.exe (node 19)

aliens.exe (node 19)
- Contacted: EF6DF4AF06BA6896.xyz 104.28.4.129, ports 49734, 49738, 49740 (CLOUDFLARENETUS, United States); ef6df4af06ba6896.xyz
- Dropped: C:\Users\user\...\1E1C360C582DF797.exe (PE32)
- Signatures: Installs new ROOT certificates; Hides threads from debuggers
- Started: 1E1C360C582DF797.exe (node 24); cmd.exe (node 28); 1E1C360C582DF797.exe (node 30); msiexec.exe (node 32)

1E1C360C582DF797.exe (node 24)
- Contacted: 1c5491a87d65f1ef.club 172.67.142.39, ports 443, 49739 (CLOUDFLARENETUS, United States); 192.168.2.1 (unknown); 2 other IPs or domains
- Signatures: Detected unpacking (creates a PE file in dynamic memory); Machine Learning detection for dropped file; Tries to harvest and steal browser information (history, passwords, etc); Contains functionality to detect sleep reduction / modifications
- Started: 1607186572092.exe (node 34); 1607186588295.exe (node 36); ThunderFW.exe (node 38)

cmd.exe (node 28)
- Contacted: 127.0.0.1 (unknown)
- Signatures: Uses ping.exe to sleep
- Started: conhost.exe (node 40); PING.EXE (node 42)

1E1C360C582DF797.exe (node 30)
- Contacted: ef6df4af06ba6896.xyz
- Started: cmd.exe (node 44)

cmd.exe (node 44)
- Started: conhost.exe (node 46)
Threat name: Win32.Downloader.Upatre
Status: Malicious
First seen: 2020-12-03 06:57:00 UTC
AV detection: 22 of 29 (75.86%)
Threat level: 3/5
Result
Malware family: n/a
Score: 8/10
Tags: bootkit macro persistence spyware
Behaviour
Kills process with taskkill
Modifies system certificate store
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Suspicious use of SetWindowsHookEx
NSIS installer
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Enumerates connected drives
JavaScript code in executable
Writes to the Master Boot Record (MBR)
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Suspicious Office macro
Unpacked files

SHA256 hash: 9d15e566d664b95c0a09839a071eee998ac1a8b8f252b76cd0a745d7a16ca691
MD5 hash: f035ab6fd1ffae98c6cc5b365035c726
SHA1 hash: 49ef877ac2dc956eac124b1fb730aaa1f55a6a01

SHA256 hash: 809aab5eace34dfbfb2b3d45462d42b34fcb95b415201d0d625414b56e437444
MD5 hash: 84878b1a26f8544bda4e069320ad8e7d
SHA1 hash: 51c6ee244f5f2fa35b563bffb91e37da848a759c

SHA256 hash: e7c02d9f66bbc38625f659ff3fbed32a125b402d8196621d08637f57a8f33b05
MD5 hash: 7f666437306af8caf8ed85facdbace59
SHA1 hash: 86bcd4d34996e8b5f79cb9bb3b04c668b8c37817

SHA256 hash: 4d757b78db8ea8db2c70a483cf1edce3ad8568d9b0e0937d3eb5e0b920d8d98e
MD5 hash: f8e667506a95a0141470c94de47578e0
SHA1 hash: 8a678400fd60d579c55b50e4598cfbc4258ff520

SHA256 hash: 15c031cb785e29ac11dadbd92a6a15d73fba1372aa1f4a2c9779388d90452eb6
MD5 hash: fba47137b68af7de52b1542a710ef84e
SHA1 hash: c77a8fdf6970c9a27f42106f17a8b97720e78500

SHA256 hash: db071b8f63d56f195e88643b5c1f0309a3cffee76772884ea67d037500856e7f
MD5 hash: 58198ad565bb0b69472be575c38260b9
SHA1 hash: f53dda888e86ddd2b69db906c957c6d903b06a73

SHA256 hash: 0acebaf80946be0cb3099233e8807aa775c8304fc3dee48d42241ff68b7ab318
MD5 hash: 3ca6df4914385efd4ba9cd239b5ed254
SHA1 hash: b66535ff43334177a5a167b9f2b07ade75484eec

File information


The table below shows additional information about this malware sample such as delivery method and external references.
