MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0dc03de0ec34caca989f22de1ad61e7bd6bc1eabc6f993dbed2983f4cc33923d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 12


Intelligence 12 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0dc03de0ec34caca989f22de1ad61e7bd6bc1eabc6f993dbed2983f4cc33923d
SHA3-384 hash: 05985345be546a597565640880e964446287d9dea888ed699782f8d6b28c3d1fda14cbf0a17a964138d6d61d13496938
SHA1 hash: 6dc95fc874fcadac1fc135fd521eddbdcb63b1c6
MD5 hash: d4e3a11d9468375f793c4c5c2504a374
humanhash: six-gee-oscar-twenty
File name:SecuriteInfo.com.Trojan.Siggen29.64132.8972.20040
Download: download sample
File size:1'694'720 bytes
First seen:2024-11-05 09:44:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c5f00a6fe8c8d189216e47cc0bff8748
ssdeep 49152:yic0Ug34MNv4Kwu3zuSTQP76Nuudqx7eY1wn8mZ:0FcbTQP76Nuudqxkn
TLSH T134759D56B3E401F8E1A7C138C9574A1BE7B2B855036097DF03A486662F23BE16F3E761
TrID 70.8% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
12.9% (.EXE) Win64 Executable (generic) (10522/11/4)
6.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
2.5% (.ICL) Windows Icons Library (generic) (2059/9)
2.4% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter SecuriteInfoCom
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
369
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Trojan.Siggen29.64132.8972.20040
Verdict:
Malicious activity
Analysis date:
2024-11-05 09:48:05 UTC
Tags:
github telegram exfiltration stealer
Link:
https://app.any.run/tasks/b2747f89-e745-4eac-9bc4-d20ded14a69f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Siggen29.64132.8972.20040.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6729e9248d23d9049133a5eb
Tags:
powershell beebone
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a process from a recently created file
Connection attempt
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Moving a recently created file
Creating a window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
cmd fingerprint lolbin microsoft_visual_cc obfuscated remote rijndael
Link:
https://www.filescan.io/uploads/6729e924c504082537dc352c/reports/ca6c0264-6638-4aa6-942d-9c99f149efc9/overview
Verdict:
Malicious
Labled as:
Generik.HGAPTOJ potentially unwanted application
Link:
https://www.hybrid-analysis.com/sample/0dc03de0ec34caca989f22de1ad61e7bd6bc1eabc6f993dbed2983f4cc33923d
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/88739697-3273-49cc-b11b-e051b1e949dd
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1549107
Signature
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Creates a Windows Service pointing to an executable in C:\Windows
Drops executables to the windows directory (C:\Windows) and starts them
Found API chain indicative of debugger detection
Found stalling execution ending in API Sleep call
Found suspicious powershell code related to unpacking or dynamic code loading
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Self deletion via cmd or bat file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell launch regsvr32
Sigma detected: Suspicious New Service Creation
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: TrustedPath UAC Bypass Pattern
Suspicious command line found
Suspicious powershell command line found
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected Powershell decode and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1549107 Sample: SecuriteInfo.com.Trojan.Sig... Startdate: 05/11/2024 Architecture: WINDOWS Score: 100 174 api.telegram.org 2->174 176 rootunvdwl.com 2->176 178 6 other IPs or domains 2->178 212 Malicious sample detected (through community Yara rule) 2->212 214 Multi AV Scanner detection for dropped file 2->214 216 Multi AV Scanner detection for submitted file 2->216 220 14 other signatures 2->220 14 SecuriteInfo.com.Trojan.Siggen29.64132.8972.20040.exe 3 2->14         started        18 svchost.exe 2->18         started        21 curlapp64.exe 3 2->21         started        23 console_zero.exe 2->23         started        signatures3 218 Uses the Telegram API (likely for C&C communication) 174->218 process4 dnsIp5 168 C:\Users\user\Desktop\zlib1.dll, PE32+ 14->168 dropped 170 C:\Users\user\Desktop\libcurl.dll, PE32+ 14->170 dropped 172 C:\Users\user\Desktop\curlapp64.exe, PE32+ 14->172 dropped 244 Self deletion via cmd or bat file 14->244 25 cmd.exe 1 14->25         started        28 cmd.exe 1 14->28         started        180 rootunvbot.com 188.116.21.204 NEPHAX-ASPL Poland 18->180 182 unvdwl.com 194.26.192.52 HEANETIE Netherlands 18->182 184 3 other IPs or domains 18->184 246 Adds a directory exclusion to Windows Defender 18->246 30 cmd.exe 18->30         started        32 cmd.exe 18->32         started        34 cmd.exe 18->34         started        36 cmd.exe 18->36         started        38 cmd.exe 21->38         started        42 2 other processes 21->42 40 cmd.exe 23->40         started        file6 signatures7 process8 signatures9 230 Suspicious powershell command line found 25->230 232 Uses schtasks.exe or at.exe to add and modify task schedules 25->232 234 Adds a directory exclusion to Windows Defender 25->234 44 2 other processes 25->44 49 2 other processes 28->49 51 2 other processes 30->51 53 2 other processes 32->53 55 2 other processes 34->55 57 2 other processes 36->57 59 2 other processes 38->59 61 2 other processes 40->61 63 2 other processes 42->63 process10 dnsIp11 188 github.com 140.82.121.4, 443, 49706, 49712 GITHUBUS United States 44->188 190 raw.githubusercontent.com 185.199.110.133, 443, 49715, 49717 FASTLYUS Netherlands 44->190 192 127.0.0.1 unknown unknown 44->192 162 C:\Windows \System32\printui.dll (copy), PE32+ 44->162 dropped 164 C:\Users\user\Desktop\prnttemp.dll, PE32+ 44->164 dropped 166 C:\Windows \System32\printui.exe, PE32+ 44->166 dropped 240 Multi AV Scanner detection for dropped file 44->240 65 cmd.exe 1 44->65         started        68 cmd.exe 1 44->68         started        70 cmd.exe 4 44->70         started        72 powershell.exe 51->72         started        74 conhost.exe 51->74         started        242 Loading BitLocker PowerShell Module 57->242 file12 signatures13 process14 signatures15 194 Drops executables to the windows directory (C:\Windows) and starts them 65->194 76 printui.exe 1 16 65->76         started        80 conhost.exe 65->80         started        82 conhost.exe 68->82         started        84 timeout.exe 1 68->84         started        86 conhost.exe 70->86         started        196 Loading BitLocker PowerShell Module 72->196 process16 file17 154 C:\Windows\System32\zlib1.dll, PE32+ 76->154 dropped 156 C:\Windows\System32\x882081.dat, PE32+ 76->156 dropped 158 C:\Windows\System32\usvcldr64.dat, PE32+ 76->158 dropped 160 11 other files (9 malicious) 76->160 dropped 236 Adds a directory exclusion to Windows Defender 76->236 238 Suspicious command line found 76->238 88 cmd.exe 76->88         started        91 cmd.exe 76->91         started        93 cmd.exe 1 76->93         started        95 6 other processes 76->95 signatures18 process19 signatures20 224 Drops executables to the windows directory (C:\Windows) and starts them 88->224 97 bav64.exe 88->97         started        100 conhost.exe 88->100         started        102 console_zero.exe 91->102         started        104 conhost.exe 91->104         started        226 Suspicious powershell command line found 93->226 106 powershell.exe 23 93->106         started        108 conhost.exe 93->108         started        228 Adds a directory exclusion to Windows Defender 95->228 110 powershell.exe 23 95->110         started        112 reg.exe 95->112         started        114 13 other processes 95->114 process21 dnsIp22 198 Adds a directory exclusion to Windows Defender 97->198 117 cmd.exe 97->117         started        119 cmd.exe 97->119         started        121 cmd.exe 97->121         started        133 15 other processes 97->133 200 Multi AV Scanner detection for dropped file 102->200 202 Found stalling execution ending in API Sleep call 102->202 204 Found API chain indicative of debugger detection 102->204 123 cmd.exe 102->123         started        206 Found suspicious powershell code related to unpacking or dynamic code loading 106->206 208 Loading BitLocker PowerShell Module 106->208 210 Creates a Windows Service pointing to an executable in C:\Windows 112->210 186 api.telegram.org 149.154.167.220 TELEGRAMRU United Kingdom 114->186 125 conhost.exe 114->125         started        127 conhost.exe 114->127         started        129 conhost.exe 114->129         started        131 timeout.exe 1 114->131         started        signatures23 process24 process25 135 powershell.exe 117->135         started        138 conhost.exe 117->138         started        140 powershell.exe 119->140         started        142 conhost.exe 119->142         started        144 powershell.exe 121->144         started        146 conhost.exe 121->146         started        150 2 other processes 123->150 148 powershell.exe 133->148         started        152 27 other processes 133->152 signatures26 222 Loading BitLocker PowerShell Module 135->222
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/0dc03de0ec34caca989f22de1ad61e7bd6bc1eabc6f993dbed2983f4cc33923d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0dc03de0ec34caca989f22de1ad61e7bd6bc1eabc6f993dbed2983f4cc33923d/
Threat name:
Win64.Trojan.Amadey
Create hunting rule
Status:
Malicious
First seen:
2024-11-04 05:12:21 UTC
File Type:
PE+ (Exe)
Extracted files:
7
AV detection:
22 of 38 (57.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bxad3yhmgtfmvge7elpbvvq6ppllyhvly34zhw7nfgb7jtbtsi6q._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
execution persistence
Link:
https://tria.ge/reports/241105-lq3gjsyekh/
Behaviour
Delays execution with timeout.exe
Modifies data under HKEY_USERS
Modifies registry key
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Embeds OpenSSL
Launches sc.exe
Drops file in System32 directory
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Deletes itself
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Creates new service(s)
Downloads MZ/PE file
Server Software Component: Terminal Services DLL
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/606790c2-f596-48db-a05d-1efb13031149
Unpacked files
SH256 hash:
9c40291f6a315e70b45ad05f9671d7eea89ab14aecebf42ce9ba4c167509c9e5
MD5 hash:
f9830df1dfdb31cec5e3bd9f892edc9a
SHA1 hash:
073e56d2fbef94dd6fdfc1ff1fe12ecc71736029
Link:
https://www.unpac.me/results/6c35b40d-7938-4f2c-9ff4-8b74d7571a40/
SH256 hash:
7e9f43688189578042d791e3e5301165316edc7c1ed739e0669c033a3ca08037
MD5 hash:
f53d1efea4855da42da07de49d80ba68
SHA1 hash:
920349f4bd5a5b8e77195c81e261dfa2177eb1ee
Link:
https://www.unpac.me/results/6c35b40d-7938-4f2c-9ff4-8b74d7571a40/
SH256 hash:
0dc03de0ec34caca989f22de1ad61e7bd6bc1eabc6f993dbed2983f4cc33923d
MD5 hash:
d4e3a11d9468375f793c4c5c2504a374
SHA1 hash:
6dc95fc874fcadac1fc135fd521eddbdcb63b1c6
Link:
https://www.unpac.me/results/6c35b40d-7938-4f2c-9ff4-8b74d7571a40/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0dc03de0ec34/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0dc03de0ec34caca989f22de1ad61e7bd6bc1eabc6f993dbed2983f4cc33923d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:skip20_sqllang_hook
Create hunting rule
Author:Mathieu Tartare <mathieu.tartare@eset.com>
Description:YARA rule to detect if a sqllang.dll version is targeted by skip-2.0. Each byte pattern corresponds to a function hooked by skip-2.0. If $1_0 or $1_1 match, it is probably targeted as it corresponds to the hook responsible for bypassing the authentication.
Reference:https://www.welivesecurity.com/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 0dc03de0ec34caca989f22de1ad61e7bd6bc1eabc6f993dbed2983f4cc33923d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3276705/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3276706/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
KERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineA
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleOutputCP
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW

Comments