MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0c70de48f9178011a4272f7fea015700922f210d1952e149e72f6c1e16e334c3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 3


Intelligence 3 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0c70de48f9178011a4272f7fea015700922f210d1952e149e72f6c1e16e334c3
SHA3-384 hash: 225bb503b429640132eb49060cf22f98f05e74274370067775131b5ddb5f9eb7c7f562028591c5d31e4e494fe455ad6e
SHA1 hash: 7d839224ab534872ceb50fa61607594ceb99a72c
MD5 hash: 87940f3a61b35e92048da8d745249ad6
humanhash: muppet-kansas-king-red
File name:0c70de48f9178011a4272f7fea015700922f210d1952e149e72f6c1e16e334c3
Download: download sample
File size:1'987'216 bytes
First seen:2021-07-20 06:07:31 UTC
Last seen:2021-07-20 06:44:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash dae02f32a21e03ce65412f6e56942daa (123 x YellowCockatoo, 60 x CobaltStrike, 44 x JanelaRAT)
ssdeep 24576:c7PFTunUNh4xRHTy0zW6I3ituESIuwcGHHVZ6Ofx7bm:c7PFnh4f2jgx6OJm
Threatray 41 similar samples on MalwareBazaar
TLSH T17D95AE9D752035DFCC5BC8769EA92C68FA5024BB830F4613A05B62AD9E8CD97CF140F6
Reporter JAMESWT_WT
Tags:exe MS Corporation Sofware Ltd signed

Code Signing Certificate

Organisation:MS Corporation Sofware Ltd
Issuer:COMODO RSA Extended Validation Code Signing CA
Algorithm:sha256WithRSAEncryption
Valid from:2021-05-10T00:00:00Z
Valid to:2023-05-10T23:59:59Z
Serial number: da49c0bacfd878b4949820e9ac0f168a
Intelligence: 3 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 25c0bf5bb5656c069e324244d52b8c0a4d066a5571ed24609887c6b79a48afdd
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
126
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Personal_Data_and_Documents.xll
Verdict:
No threats detected
Analysis date:
2021-06-18 14:50:13 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/af4be2b4-5ab2-4232-92f1-1001cb67e4a2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/172700/
Detection(s):
PUA.Win.Packed.ConfuserEx-6391397-0
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/fe7d047d-5f18-4fc8-9aca-2e7645f0eee1
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/818700
Signature
PE file contains section with special chars
PE file has nameless sections
Rundll32 performs DNS lookup (likely malicious behavior)
System process connects to network (likely due to code injection or exploit)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 451111 Sample: qyuTjJYW9s Startdate: 20/07/2021 Architecture: WINDOWS Score: 60 27 PE file contains section with special chars 2->27 29 PE file has nameless sections 2->29 8 loaddll64.exe 1 2->8         started        process3 process4 10 rundll32.exe 1 8->10         started        13 cmd.exe 1 8->13         started        15 rundll32.exe 8->15         started        17 17 other processes 8->17 signatures5 33 System process connects to network (likely due to code injection or exploit) 10->33 35 Rundll32 performs DNS lookup (likely malicious behavior) 10->35 19 rundll32.exe 13->19         started        process6 dnsIp7 24 cdn1.citrix-cloud.co.uk 19->24 22 WerFault.exe 20 9 19->22         started        signatures8 31 Rundll32 performs DNS lookup (likely malicious behavior) 24->31 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0c70de48f9178011a4272f7fea015700922f210d1952e149e72f6c1e16e334c3/
Verdict:
unknown
Similar samples:
03be30bf83c48de2fc11174179c6b466cde149f2af7032dbc8bf2036a12b0e1a
3d06df16d5d4d51df9bf6c9cd3269bc7f48ff70b5c0a6902173d389cbf10b03d
5b7418517d962f6a77dedf03d99cf637fd0e202bcab8fa26441461a68b8d7cd2
62609aac613627ef79c08360049cdc59584d71d8e662f890dedbe4318da8beb5
844f891f338bcde305546fb85d97ac01bfd2c4db663ce779e6048307af5085f5
bc06c918fab5afbb61d15611dedadbc9012cf9e4979e9d3f261a9046c306bb87
be41dee9f9b806f5932a9ed56c841d884f4d7f8dafcdd20b4debfe82cc4898d4
c565ce12f63b1cb897156e0234907a49517439247747cc7df5b69952c1e7ce43
ea0ce50f66a640eea126b60be3a15f0c0295f07c227e4ef5d68ac043063ce9c3
f51fc0ab96d1aee49950b8ca91ef67c330b8593340cc3002513100ac9bf163b0
+ 31 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/210720-ms4zme5h8x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
0c70de48f9178011a4272f7fea015700922f210d1952e149e72f6c1e16e334c3
MD5 hash:
87940f3a61b35e92048da8d745249ad6
SHA1 hash:
7d839224ab534872ceb50fa61607594ceb99a72c
Link:
https://www.unpac.me/results/1e9a564a-63bd-468f-a754-91f7732381c0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/0c70de48f9178011a4272f7fea015700922f210d1952e149e72f6c1e16e334c3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
X
https://twitter.com/malwrhunterteam/status/1417170754643374087?s=20
Cape
Cape
https://www.capesandbox.com/analysis/172700/

Comments