MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0c9b6f33b918e6fd93807ff3160c65c6c6e4117b1bf0c2ae36beff0a3ddaed31. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0c9b6f33b918e6fd93807ff3160c65c6c6e4117b1bf0c2ae36beff0a3ddaed31
SHA3-384 hash: f59963934ee776be420bc8be36987a086389d168074317e0bd414f8ccbd2ecafe7eb59a362a710f8b3bf556e86136b05
SHA1 hash: 372aecc5531723314f3e9998f8268c437ef1ed55
MD5 hash: 5c44bbdccdffb3fc06e0ce9b6ff3d7cf
humanhash: kilo-chicken-south-fish
File name:SecuriteInfo.com.Artemis5C44BBDCCDFF.4370.23318
Download: download sample
File size:228'352 bytes
First seen:2021-04-07 11:03:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'642 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 384:eppDMb6os4MteBYRITorN79ToKjkaAXK+dIigA+796y1TYAafQ6bn8:XmjNWK0FI0n
Threatray 165 similar samples on MalwareBazaar
TLSH B424D86126FE7518E373FFB215F43ABA1A2ABF35A75FF1BD6002480D56125805A32633
Reporter SecuriteInfoCom

Intelligence

File Origin
# of uploads :
1
# of downloads :
125
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Artemis5C44BBDCCDFF.4370.23318
Verdict:
Malicious activity
Analysis date:
2021-04-07 11:04:45 UTC
Tags:
trojan
Link:
https://app.any.run/tasks/17d85d03-9e06-4e21-a1ea-26d0868da392

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/132819/
Detection(s):
SecuriteInfo.com.Artemis5C44BBDCCDFF.4370.23318.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Creating a file
Moving a recently created file
Sending a UDP request
Launching a process
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Creating a window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Launching a service
Deleting a recently created file
Running batch commands
Unauthorized injection to a recently created process
Adding an access-denied ACE
Setting a single autorun event
Adding exclusions to Windows Defender
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/668531
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Creates an autostart registry key pointing to binary in C:\Windows
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Tries to delay execution (extensive OutputDebugStringW loop)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 383195 Sample: SecuriteInfo.com.Artemis5C4... Startdate: 07/04/2021 Architecture: WINDOWS Score: 100 49 silvercat.top 2->49 57 Antivirus / Scanner detection for submitted sample 2->57 59 Multi AV Scanner detection for submitted file 2->59 61 Machine Learning detection for sample 2->61 63 Drops executables to the windows directory (C:\Windows) and starts them 2->63 8 SecuriteInfo.com.Artemis5C44BBDCCDFF.4370.exe 23 14 2->8         started        13 svchost.exe 2->13         started        15 svchost.exe 2->15         started        17 10 other processes 2->17 signatures3 process4 dnsIp5 51 myliverpoolnews.cf 172.67.150.212, 443, 49703, 49705 CLOUDFLARENETUS United States 8->51 53 192.168.2.1 unknown unknown 8->53 43 C:\Windows\Cursors\...\svchost.exe, PE32 8->43 dropped 45 C:\Windows\...\svchost.exe:Zone.Identifier, ASCII 8->45 dropped 47 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 8->47 dropped 65 Creates an autostart registry key pointing to binary in C:\Windows 8->65 67 Adds a directory exclusion to Windows Defender 8->67 69 Tries to delay execution (extensive OutputDebugStringW loop) 8->69 81 3 other signatures 8->81 19 cmd.exe 8->19         started        21 powershell.exe 21 8->21         started        23 powershell.exe 24 8->23         started        27 5 other processes 8->27 71 Antivirus detection for dropped file 13->71 73 System process connects to network (likely due to code injection or exploit) 13->73 75 Multi AV Scanner detection for dropped file 13->75 77 Machine Learning detection for dropped file 13->77 55 127.0.0.1 unknown unknown 17->55 79 Changes security center settings (notifications, updates, antivirus, firewall) 17->79 25 WerFault.exe 17->25         started        file6 signatures7 process8 process9 29 conhost.exe 19->29         started        31 timeout.exe 19->31         started        33 conhost.exe 21->33         started        35 conhost.exe 23->35         started        37 conhost.exe 27->37         started        39 AdvancedRun.exe 27->39         started        41 conhost.exe 27->41         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0c9b6f33b918e6fd93807ff3160c65c6c6e4117b1bf0c2ae36beff0a3ddaed31/
Threat name:
ByteCode-MSIL.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2021-04-07 09:48:18 UTC
AV detection:
14 of 29 (48.28%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
1b7afa2a07f65c2cb04454ba72f066bdc4daf640ad3b75cfac5fe82eed6c2c76
3f9d5b3c82e841a570d286b23580f0a039168d5f588042922267a6b1fd279e40
4d21d5b2c9d9f333abb041399970df835604c03ff32b946910079ae2e674fc9d
4fe0cf5ea4078adae2170d820443a1a8d91d1eb6dbf886db70783998ffd65d0e
550d2da381ccc752d75f776bf9371683b39e1e45e0532daf779bbdc2a060fe17
595736e53ca10cf360d6859269d1ac8d2ee2758da03dc15a30d10c539ca4fd0a
66ec4884aa53b768c7125dee603cbdbfd02736caae70080c313cf966698a48f4
90a634ffa9eb1fc2dd8aeaabf1aed592a4cf18a824f5b9160f052ac642eeb79a
9fa1b19303c7d57e47977244701a7355ff40e8c5419efc3e844af247c251bdad
fb9f7f38a88c00172db06d780a7df78a42d437532c554945f1ac227619ff622a
+ 155 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence trojan
Link:
https://tria.ge/reports/210407-kvtdgdyyd2/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Windows security modification
Executes dropped EXE
Nirsoft
Modifies Windows Defender Real-time Protection settings
Turns off Windows Defender SpyNet reporting
Windows security bypass
Unpacked files
SH256 hash:
0c9b6f33b918e6fd93807ff3160c65c6c6e4117b1bf0c2ae36beff0a3ddaed31
MD5 hash:
5c44bbdccdffb3fc06e0ce9b6ff3d7cf
SHA1 hash:
372aecc5531723314f3e9998f8268c437ef1ed55
Link:
https://www.unpac.me/results/b506bacb-3f30-474a-80ba-f7bc483e7db2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0c9b6f33b918e6fd93807ff3160c65c6c6e4117b1bf0c2ae36beff0a3ddaed31

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Steam_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Steam in files like avemaria
Rule name:Telegram_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Telegram in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 0c9b6f33b918e6fd93807ff3160c65c6c6e4117b1bf0c2ae36beff0a3ddaed31

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1103586/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/132819/

Comments