MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0cb94dd180548e55a02a5a8c75e601816746105eb6c8e62cb53b7fa2cddfa9c6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0cb94dd180548e55a02a5a8c75e601816746105eb6c8e62cb53b7fa2cddfa9c6
SHA3-384 hash: 9998328840f2bafc388b4a77c5eb22c9465d7fa45181ba04691a4ebb27c3a9fad0047cbb37dc6f53233611e112ae078b
SHA1 hash: ce3b00ff2034b475309a768da858f93d8769adfc
MD5 hash: e47a733f0baf21c0a59632644091e2c5
humanhash: chicken-freddie-tennessee-cup
File name:0cb94dd180548e55a02a5a8c75e601816746105eb6c8e62cb53b7fa2cddfa9c6
Download: download sample
File size:4'728'536 bytes
First seen:2020-09-03 07:04:05 UTC
Last seen:2020-09-03 07:52:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 286709ff32ba928d827de06c8699dd80 (1 x RemcosRAT)
ssdeep 49152:UlQ2h3amJtYAP9ISDDmJDOvpIF40e0k96bMltpjxKUbrZ7S:UOU5YAx3vp0407bMhdrnZ7S
Threatray 21 similar samples on MalwareBazaar
TLSH 82267C66B684993ED49A1739153FB624993FBF713916CD0B93F4084C8F36980793E28B
Reporter JAMESWT_WT
Tags:KRAFT BOKS OOO signed

Code Signing Certificate

Organisation:KRAFT BOKS OOO
Issuer:Sectigo RSA Code Signing CA
Algorithm:sha256WithRSAEncryption
Valid from:2020-08-21T00:00:00Z
Valid to:2021-08-21T23:59:59Z
Serial number: 8cff807edaf368a60e4106906d8df319
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist:This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:SHA256
Thumbprint: c97d809c73f376cdf8062329b357b16c9da9d14261895cd52400f845a2d6bdb1
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
84
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/54636/
Detection(s):
PUA.Win.Packer.BorlandCpp-9
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/458057
Signature
Allocates memory in foreign processes
Contains functionality to capture and log keystrokes
Hijacks the control flow in another process
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Opens the same file many times (likely Sandbox evasion)
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 281420 Sample: qyRx22S2wn Startdate: 03/09/2020 Architecture: WINDOWS Score: 100 21 parslx98twerrm.info 2->21 23 ipv4.imgur.map.fastly.net 2->23 25 i.imgur.com 2->25 41 Malicious sample detected (through community Yara rule) 2->41 43 Multi AV Scanner detection for submitted file 2->43 45 Uses ipconfig to lookup or modify the Windows network settings 2->45 8 qyRx22S2wn.exe 2->8         started        signatures3 process4 signatures5 47 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 8->47 49 Hijacks the control flow in another process 8->49 51 Writes to foreign memory regions 8->51 53 2 other signatures 8->53 11 ipconfig.exe 15 8->11         started        process6 dnsIp7 27 ipv4.imgur.map.fastly.net 151.101.112.193, 443, 49733, 49734 FASTLYUS United States 11->27 29 i.imgur.com 11->29 55 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 11->55 57 Hijacks the control flow in another process 11->57 59 Writes to foreign memory regions 11->59 61 Maps a DLL or memory area into another process 11->61 15 rundll32.exe 1 11->15         started        19 conhost.exe 11->19         started        signatures8 process9 dnsIp10 31 parslx98twerrm.info 54.39.221.47, 3990, 49739, 49748 OVHFR Canada 15->31 33 System process connects to network (likely due to code injection or exploit) 15->33 35 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 15->35 37 Contains functionality to capture and log keystrokes 15->37 39 Tries to detect virtualization through RDTSC time measurements 15->39 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0cb94dd180548e55a02a5a8c75e601816746105eb6c8e62cb53b7fa2cddfa9c6/
Threat name:
Win32.Trojan.Ymacco
Create hunting rule
Status:
Malicious
First seen:
2020-09-01 07:38:34 UTC
File Type:
PE (Exe)
Extracted files:
45
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
002b81b464fe41cfe17a2a59fdcea647ea5af9e8bfcbfc78ae4fc4c076765629
46720af001912e9313a78e5ecd74325e8c523568dfca01a63cc1dfef380d14b7
5561d008620229638c19ba7e991d22edfd27eef99c5a038510b24950687befd3
9257415575d2a485de9787466a10636a920134f18dd617231373173dc88a6a20
95e512f980e10547b613b0ee9fde0e49716e338cdf16e9b50956e0b3a807ad20
b3550779f1211365321210344de50d32f4e0477c2817919474d0bf49574fcd01
bbe2a604c11442ee74adb7fa17910ca8e5665ab463e4a45b478707faa3a284e4
bc2cea17da33c23edbb0c86ab00b3ec3b4a2f4da84fb075922e41b7bf6b654f0
c62e5304821abc306872ea97c88a8d7dc800f7b63380b2cf89153c639de4704c
f6262c14a5f6c845a95cab29a6e1e2a662d5df47499935c1f050d908ee01db90
+ 11 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  4/10
Tags:
n/a
Link:
https://tria.ge/reports/200903-vk5fyfgs9j/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Modifies data under HKEY_USERS
Suspicious use of AdjustPrivilegeToken
Drops file in Windows directory
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Backdoor
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0cb94dd180548e55a02a5a8c75e601816746105eb6c8e62cb53b7fa2cddfa9c6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:crime_win32_parallax_payload_1
Create hunting rule
Author:@VK_Intel
Description:Detects Parallax Injected Payload v1.01
Reference:https://twitter.com/VK_Intel/status/1227976106227224578

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/54636/

Comments