MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0cc079cb6d771feb5394759239a5f44a66a066f76d75d77f70925091839298b2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0cc079cb6d771feb5394759239a5f44a66a066f76d75d77f70925091839298b2
SHA3-384 hash: 392e745ba2d1a37ffa50e911d679c75a59a90e486a40344b560777cf8b01f67b478842d72e7cb5f9d4cb76edb017501c
SHA1 hash: 6c619da7c96c4280e0fc46bc25059c0840a9ff18
MD5 hash: 25d8cefcd47eafa6fe575b02c3c65bcc
humanhash: mockingbird-alanine-uniform-blue
File name:25d8cefcd47eafa6fe575b02c3c65bcc.exe
Download: download sample
File size:1'262'870 bytes
First seen:2021-06-21 18:04:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash be41bf7b8cc010b614bd36bbca606973 (195 x LummaStealer, 126 x DanaBot, 63 x Vidar)
ssdeep 24576:mM/01ZoMRJj7T+/8r3zlH/gsGPlS/RhQifTkxJ0A0tkNr:101Z77TU8rjlYK49ulkr
Threatray 314 similar samples on MalwareBazaar
TLSH F5452341B658E060F1DD077158BA8A631C767C4218A4CB2F6364FF9D3F63A71E62BA07
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
97
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e0c4171c0bb82cf52647b0ccbfd6f3e3.exe
Verdict:
Malicious activity
Analysis date:
2021-06-21 18:05:51 UTC
Tags:
stealer trojan loader
Link:
https://app.any.run/tasks/95f066c2-04e3-467a-8357-3cf9eca8e77c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/167352/
Detection(s):
Win.Packed.Filerepmalware-9864117-0
Create hunting rule

Win.Packed.Stop-9872858-0
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
IntelRapid
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3bdf4dc8-4084-4c18-9064-02331f82fdfc
Result
Threat name:
Clipboard Hijacker
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/805497
Signature
Contains functionality to register a low level keyboard hook
Delayed program exit found
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sigma detected: WScript or CScript Dropper
Submitted sample is a known malware sample
System process connects to network (likely due to code injection or exploit)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Clipboard Hijacker
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 437908 Sample: e4t3OnQoDj.exe Startdate: 21/06/2021 Architecture: WINDOWS Score: 100 76 Found malware configuration 2->76 78 Multi AV Scanner detection for dropped file 2->78 80 Multi AV Scanner detection for submitted file 2->80 82 7 other signatures 2->82 11 e4t3OnQoDj.exe 25 2->11         started        14 SmartClock.exe 2->14         started        16 SmartClock.exe 2->16         started        process3 file4 54 C:\Users\user\AppData\Local\Temp\...\vpn.exe, PE32 11->54 dropped 56 C:\Users\user\AppData\Local\Temp\...\4.exe, PE32 11->56 dropped 58 C:\Users\user\AppData\Local\Temp\...\UAC.dll, PE32 11->58 dropped 60 3 other files (none is malicious) 11->60 dropped 18 vpn.exe 7 11->18         started        20 4.exe 4 11->20         started        process5 file6 23 cmd.exe 1 18->23         started        50 C:\Users\user\AppData\...\SmartClock.exe, PE32 20->50 dropped 26 SmartClock.exe 20->26         started        process7 signatures8 84 Submitted sample is a known malware sample 23->84 86 Obfuscated command line found 23->86 88 Uses ping.exe to sleep 23->88 90 Uses ping.exe to check the status of other devices and networks 23->90 28 cmd.exe 3 23->28         started        31 conhost.exe 23->31         started        process9 signatures10 92 Obfuscated command line found 28->92 94 Uses ping.exe to sleep 28->94 33 Braccio.exe.com 28->33         started        36 PING.EXE 1 28->36         started        39 findstr.exe 1 28->39         started        process11 dnsIp12 74 May check the online IP address of the machine 33->74 42 Braccio.exe.com 3 19 33->42         started        64 127.0.0.1 unknown unknown 36->64 66 192.168.2.1 unknown unknown 36->66 52 C:\Users\user\AppData\...\Braccio.exe.com, Targa 39->52 dropped file13 signatures14 process15 dnsIp16 68 ip-api.com 208.95.112.1, 49729, 80 TUT-ASUS United States 42->68 70 kDoIQjFlLFrVeWWsmaHGNGDXOZWPB.kDoIQjFlLFrVeWWsmaHGNGDXOZWPB 42->70 62 C:\Users\user\AppData\...\oitakprccu.vbs, ASCII 42->62 dropped 46 wscript.exe 12 42->46         started        file17 process18 dnsIp19 72 iplogger.org 88.99.66.31, 443, 49730 HETZNER-ASDE Germany 46->72 96 System process connects to network (likely due to code injection or exploit) 46->96 98 May check the online IP address of the machine 46->98 signatures20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0cc079cb6d771feb5394759239a5f44a66a066f76d75d77f70925091839298b2/
Threat name:
Win32.Trojan.Crypzip
Create hunting rule
Status:
Malicious
First seen:
2021-06-21 18:04:13 UTC
AV detection:
18 of 46 (39.13%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
1ef744cce1aa8504c6e57067f6d2eb92c1e89707eb1964b7e338fb19684d5617
2051799f92fd036d6e1c8a9c06a4aea85a9509214cd0623c0df2fe62bd99986b
8c085bb6591e5d7b0846eda3d7758a1c882be7f5bfb35210c831dc52848c6fa9
8cec146d7a7b594cf7748b35c63ea1fed2c994ef2cdbb5731f1b15d9c9fa1ee3
a5c463db805e356cb6e73e5676b397eab265e061c6797e27b626b8b4aee892a3
bd7c41dee6aba2b2d13e5ae39169242ed463a43366eec28a438f74db717d15f4
e9da1da3a4fb2050b9b17f5dbb1dd5f334f22637fc8186052d152cc631839f9b
fa83c0bb710987cdf1c5ed15400d938bc818d20c34af9e96e8cd99fc2ac3a172
fc2a8472021c1f37e7ba14fd51259d37d10bd030ecd33134ebf42d3279ab860a
fe68a629898384bb2edf90406da4c9d6764fd04e5337514e7edd9c2c608d2242
+ 304 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/210621-rv1h2hr73x/
Behaviour
Checks processor information in registry
Modifies registry class
Modifies system certificate store
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Unpacked files
SH256 hash:
80e774243addffe221c0b39c2cccd198519a0edcdf68b742106970a0624a65ab
MD5 hash:
a41f4dc6e2c727601bb5cd5ea4620dbf
SHA1 hash:
48678c57680c392879c81516f1467da73879ebd6
Link:
https://www.unpac.me/results/12bd3b00-ad78-4654-809f-8846e4d106be/
SH256 hash:
cae2af36f866fed9753ecc423bf1cfb3d1b5f2c3179dddc1715d6c896812d669
MD5 hash:
0fcc3d7408dfb7b31d8e36982dab298c
SHA1 hash:
6ebe13e8565ab5cfc7f8eac8973c156531b2a1e2
Link:
https://www.unpac.me/results/12bd3b00-ad78-4654-809f-8846e4d106be/
SH256 hash:
e137f2a998ec2e7686e6a44037ea2340d49fc829cf7d6b0377e170a10bd922db
MD5 hash:
024db9ba4524affee18a9550642a5d75
SHA1 hash:
471e9b3cf2a0c59d5b5e9d830abed2e090175fd1
Link:
https://www.unpac.me/results/12bd3b00-ad78-4654-809f-8846e4d106be/
SH256 hash:
ad6cf141ec32a025271703cc9be84b6bcb59413f8b19eb8f7dd1f02084297815
MD5 hash:
6291550e63a1409a4915c75a28a2713d
SHA1 hash:
a28513c05e9b08f0b6e560609ce4bd0699f36b51
Link:
https://www.unpac.me/results/12bd3b00-ad78-4654-809f-8846e4d106be/
Parent samples :
a9e7826e1404e06fb6b073ff5e025313612b5aec22121aba299c72b86749e9bf
7636d2367079eabd9da2bb40935df3da580affc47473fd93ed3b2e01ee6c46e5
baa3581920b2e641a504d5b7d2f1637d456244adbc66790de991b88650bcbd09
128985f1be0a64f43674e4e287eda262713c5bc3288582d97d1463b15d2d35f7
SH256 hash:
f03fc6e16f9e9278cf7cf969d185db03f209edde92aa14bc8d5e6a382ddb5894
MD5 hash:
fe439a4e434ce3936d955d8f286d1eda
SHA1 hash:
94b51df2a9c2d33ddbb8d48ebe0babce32b96634
Link:
https://www.unpac.me/results/12bd3b00-ad78-4654-809f-8846e4d106be/
SH256 hash:
0cc079cb6d771feb5394759239a5f44a66a066f76d75d77f70925091839298b2
MD5 hash:
25d8cefcd47eafa6fe575b02c3c65bcc
SHA1 hash:
6c619da7c96c4280e0fc46bc25059c0840a9ff18
Link:
https://www.unpac.me/results/12bd3b00-ad78-4654-809f-8846e4d106be/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0cc079cb6d771feb5394759239a5f44a66a066f76d75d77f70925091839298b2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:UAC_bypass_bin_mem
Create hunting rule
Author:James_inthe_box
Description:UAC bypass in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 0cc079cb6d771feb5394759239a5f44a66a066f76d75d77f70925091839298b2

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1384420/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/167352/

Comments