MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0c80fa8807477cff8c9c3ed7b2a857538f022b1e8829020d09f60bd71f1afd9a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: 0c80fa8807477cff8c9c3ed7b2a857538f022b1e8829020d09f60bd71f1afd9a
SHA3-384 hash: d4b0fa57d9ae3df1677d830de5326b2ca0b555fc9473c841057ab604e19db7934d9a0c2f6b797580feed4295a457a6c9
SHA1 hash: 63a3c16db8254d4e5b0b450e34962612057f21ca
MD5 hash: dfc6739d6c5fddfc0e3a7289b60462d6
humanhash: eleven-uniform-black-failed
File name: skynet_0.3.vir
Download: download sample
Signature: n/a
File size: 14'987'296 bytes
First seen: 2020-07-19 19:39:38 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: d074c429df7264c6fa796dddc7660d23
ssdeep: 49152:eWz+8qWoh0aFAgqKDJ7trrbxwF27BIK49Vayu6fypd4tjIntU:zz+/WoCNKVdbxwo76f7u6foXU
TLSH: F7E61252F1FBA579F7F74D322678B59B0977B9A33A1580BF0913528BD820A818D24733
Reporter @tildedennis
Tags:skynet
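Before analysing a copy of this sample it is worth confirming that the file on disk is the one the entry describes: MalwareBazaar lists SHA256, SHA3-384, SHA1 and MD5 plus the exact size, so a mismatch in any of them means a different (or truncated) file. The following checker is an added example, not MalwareBazaar's own code; the expected values are copied from this entry, and the bytes used in the demo are constructed, so against them it reports mismatches rather than a match.

```python
"""Verify a candidate file against the hashes and size listed on a MalwareBazaar entry.

Added example (not MalwareBazaar code). ENTRY_HASHES and ENTRY_SIZE are copied
from the entry for skynet_0.3.vir; anything passed to verify() is whatever the
caller has on disk.
"""
import hashlib
import sys

# Values as listed on the MalwareBazaar page for this entry.
ENTRY_HASHES = {
    "sha256": "0c80fa8807477cff8c9c3ed7b2a857538f022b1e8829020d09f60bd71f1afd9a",
    "sha3_384": "d4b0fa57d9ae3df1677d830de5326b2ca0b555fc9473c841057ab604e19db7934d9a0c2f6b797580feed4295a457a6c9",
    "sha1": "63a3c16db8254d4e5b0b450e34962612057f21ca",
    "md5": "dfc6739d6c5fddfc0e3a7289b60462d6",
}
ENTRY_SIZE = 14987296  # the page shows this as 14'987'296 bytes


def digests(data):
    """Compute the four fixed-output digests MalwareBazaar lists for a sample."""
    return {
        name: hashlib.new(name, data).hexdigest()
        for name in ("sha256", "sha3_384", "sha1", "md5")
    }


def verify(data, expected=ENTRY_HASHES, size=ENTRY_SIZE):
    """Return a list of (field, expected, actual) mismatches.

    An empty list means the bytes are exactly the sample the entry describes.
    Size is checked first because a truncated download fails every hash anyway
    and the size tells you why. Pass size=None to skip the length check.
    """
    mismatches = []
    if size is not None and len(data) != size:
        mismatches.append(("size", size, len(data)))
    actual = digests(data)
    for name, want in expected.items():
        want = want.lower()
        if actual[name] != want:
            mismatches.append((name, want, actual[name]))
    return mismatches


if __name__ == "__main__":
    # Usage: python verify_sample.py <extracted sample>
    with open(sys.argv[1], "rb") as fh:
        problems = verify(fh.read())
    if not problems:
        print("OK: file matches the MalwareBazaar entry")
    for field, want, got in problems:
        print(f"MISMATCH {field}: expected {want}, got {got}")
    sys.exit(1 if problems else 0)
```

The archive served by the "download sample" link is password protected (password: infected); extract it first and run the checker on the raw executable, not on the archive. The ssdeep, TLSH and imphash values on the page are similarity and import-table hashes and need their own libraries; they are not byte-exact identifiers and are deliberately left out of the equality check.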


Twitter
@tildedennis
skynet version 0.3

Intelligence


File Origin
# of uploads: 1
# of downloads: 23
Origin country: FR
Mail intelligence
No data
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Unauthorized injection to a recently created process
Connection attempt to an infection source
Result
Threat name: ZeusVM
Detection: malicious
Classification: bank.troj.evad
Score: 100 / 100
Behaviour
Behavior Graph ID: 247431
Sample: skynet_0.3.vir
Start date: 20/07/2020
Architecture: WINDOWS
Score: 100
Signatures on the submitted sample:
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
4 other signatures
Process started: skynet_0.3.exe
Signatures:
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Contains functionality to detect virtual machines
2 other signatures
Process started: skynet_0.3.exe (child of the first instance)
Signatures:
Writes to foreign memory regions
Allocates memory in foreign processes
Injects a PE file into a foreign process
Processes started by the child: svchost.exe, svchost.exe, msra.exe, 3 other processes
svchost.exe (first instance):
Network: checkip.dyndns.com 162.88.193.70:80 (local port 49716; DYNDNSUS, United States); checkip.dyndns.org
Dropped: C:\Users\user\AppData\...\pthreadGC2.dll (PE32); C:\Users\user\AppData\...\libpdcurses.dll (PE32); C:\Users\user\AppData\Local\...\libcurl-4.dll (PE32)
Signature: System process connects to network (likely due to code injection or exploit)
svchost.exe (second instance):
Network: 127.0.0.1 (unknown)
Signature: Detected ZeusVM e-Banking Trojan
msra.exe:
Network: 86.59.21.38:443 (local port 49720; UTA-ASAT, Austria); 212.112.245.170:443 (QSC-AG-IPXDE, Germany); 128.31.0.39:9101 (local port 49735; MIT-GATEWAYSUS, United States)
Process started: conhost.exe
Threat name: Win32.Trojan.Injector
Status: Malicious
First seen: 2014-11-28 09:48:59 UTC
AV detection: 19 of 24 (79.17%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: upx
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Looks up external IP address via web service
UPX packed file
Threat name: Unknown
Score: 1.00
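The vendor results above describe one detectable chain: the sample starts copies of svchost.exe and msra.exe itself, injects into them, and the injected svchost.exe then looks up the host's external IP at checkip.dyndns.com while msra.exe opens outbound connections. The script below is an added example of detection logic for that chain, not sandbox or MalwareBazaar code. It runs over constructed Sysmon-style records (process creation and network connection events) that mirror the behaviour graph; the pids, the benign svchost.exe used as a control, the TEST-NET address 192.0.2.10 and the path prefixes are assumptions made for the example.

```python
"""Detect a system binary started by a non-system parent and then talking to the
network, plus external-IP lookups, over constructed Sysmon-style events.

Added example, not MalwareBazaar or sandbox code. Event records, pids and the
path prefixes below are assumptions; only the process names, hostnames and
addresses come from the behaviour graph on the page.
"""
from dataclasses import dataclass

IP_LOOKUP_HOSTS = {"checkip.dyndns.com", "checkip.dyndns.org"}  # contacted in the run above
SYSTEM32 = "c:\\windows\\system32\\"
WINDOWS = "c:\\windows\\"


@dataclass
class Event:
    event_id: int            # Sysmon-style: 1 = process create, 3 = network connection
    pid: int
    image: str
    parent_image: str = ""   # event 1 only
    dest_host: str = ""      # event 3 only (may be empty when no name was resolved)
    dest_ip: str = ""
    dest_port: int = 0


def name_of(path):
    return path.rsplit("\\", 1)[-1].lower()


def unexpected_parent(e):
    """svchost.exe is normally started by services.exe; any System32 binary whose
    parent lives outside C:\\Windows (here: the sample in a user directory) is suspect."""
    child, parent = name_of(e.image), name_of(e.parent_image)
    if child == "svchost.exe" and parent != "services.exe":
        return True
    return e.image.lower().startswith(SYSTEM32) and not e.parent_image.lower().startswith(WINDOWS)


def detect(events):
    """Return (rule, pid, detail) tuples.

    Process-create events are correlated with later network events by pid, so a
    process flagged at creation that then reaches a non-loopback address is
    reported as the 'injected system process connects to network' case.
    """
    alerts, flagged = [], set()
    for e in events:
        name = name_of(e.image)
        if e.event_id == 1 and unexpected_parent(e):
            flagged.add(e.pid)
            alerts.append(("unexpected_parent", e.pid, f"{name} started by {name_of(e.parent_image)}"))
        elif e.event_id == 3:
            if e.dest_host.lower() in IP_LOOKUP_HOSTS:
                alerts.append(("external_ip_lookup", e.pid, f"{name} -> {e.dest_host}"))
            if e.pid in flagged and not e.dest_ip.startswith("127."):
                alerts.append(("injected_system_process_network", e.pid, f"{name} -> {e.dest_ip}:{e.dest_port}"))
    return alerts


# Constructed events mirroring the behaviour graph. pid 1300 is a benign
# svchost.exe (started by services.exe) included as a control.
SAMPLE = "C:\\Users\\user\\Desktop\\skynet_0.3.exe"
SVCHOST = "C:\\Windows\\System32\\svchost.exe"
MSRA = "C:\\Windows\\System32\\msra.exe"
SAMPLE_EVENTS = [
    Event(1, 1000, SAMPLE, parent_image="C:\\Windows\\explorer.exe"),
    Event(1, 1300, SVCHOST, parent_image="C:\\Windows\\System32\\services.exe"),
    Event(1, 1100, SVCHOST, parent_image=SAMPLE),
    Event(1, 1200, MSRA, parent_image=SAMPLE),
    Event(3, 1100, SVCHOST, dest_host="checkip.dyndns.com", dest_ip="162.88.193.70", dest_port=80),
    Event(3, 1300, SVCHOST, dest_ip="192.0.2.10", dest_port=443),     # benign control traffic
    Event(3, 1100, SVCHOST, dest_ip="127.0.0.1", dest_port=49000),     # loopback, ignored
    Event(3, 1200, MSRA, dest_ip="128.31.0.39", dest_port=9101),
]

if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:34} pid={pid:<5} {detail}")
```

The parent check is the high-signal part: svchost.exe with a parent other than services.exe, or msra.exe started from a user-profile path, has no benign explanation on a normal workstation. The external-IP lookup on its own is only a weak indicator (plenty of legitimate software does it) and is worth alerting on mainly when it comes from a process already flagged at creation, which is why the script keeps both rules and correlates them by pid.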

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments