MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0e4651625abda88df56952b7e97d7fb64a3e1ea97bfe01e931d47381c0952e98. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

StrongPity

Vendor detections: 10

SHA256 hash: 0e4651625abda88df56952b7e97d7fb64a3e1ea97bfe01e931d47381c0952e98
SHA3-384 hash: 2e9345b7dc9b8da3df6a5d0c522c49495419a9b74dc22539d5891cc3272aa91878fd2b4a843e19c0a20f18f7b26b25b9
SHA1 hash: 71b54d8219ab3a44ac434c41495c8d0db62a7d3f
MD5 hash: 6d0fd5f76fbe861695b140828aac6443
humanhash: river-ceiling-pennsylvania-white
File name: 0e4651625abda88df56952b7e97d7fb64a3e1ea97bfe01e931d47381c0952e98
Download: download sample
Signature: StrongPity
File size: 2'542'080 bytes
First seen: 2021-03-14 12:02:34 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2615839934fefd2d342149f561ecc715 (1 x StrongPity)
ssdeep: 49152:SFZvQ2hj5O98dmZUprMCLFJVAbNudznHvT+xcSvywAW:SfI2hjQdyM8X5PaIw
Threatray: 12 similar samples on MalwareBazaar
TLSH: 2CC522D9E4C580D8C83BBEF44A9C1CA8E235ED216854F5762FCDFC451E9319239A98B3
Reporter: JAMESWT_WT
Tags: apt APT-C-41 StrongPity

Intelligence

File Origin
# of uploads: 1
# of downloads: 1'365
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 0e4651625abda88df56952b7e97d7fb64a3e1ea97bfe01e931d47381c0952e98
Verdict: Malicious activity
Analysis date: 2021-03-14 12:02:57 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:

Behaviour:
Creating a file in the %temp% directory
Creating a file
Creating a process from a recently created file
Creating a window
Reading critical registry keys
Enabling the 'hidden' option for files in the %temp% directory
Delayed writing of the file
Sending a UDP request
DNS request
Sending a custom TCP request
Deleting a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: StrongPity
Detection: suspicious
Classification: troj.evad
Score: 36 / 100

Signature:
Changes security center settings (notifications, updates, antivirus, firewall)
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected StrongPity

Behaviour
Behavior Graph (ID 368393; sample G97eP8SSTF; start date 14/03/2021; architecture WINDOWS; score 36), recovered from the flattened graph image:
Root signatures: Multi AV Scanner detection for domain / URL; Multi AV Scanner detection for submitted file; Yara detected StrongPity; Machine Learning detection for sample
Root starts: G97eP8SSTF.exe, svchost.exe, nvwmisrv.exe, 9 other processes
G97eP8SSTF.exe drops C:\Users\user\AppData\Local\...\winmsism.exe (PE32), C:\Users\user\AppData\Local\...\nvwmisrv.exe (PE32), C:\Users\user\AppData\Local\...\fnmsetup.exe (PE32); starts fnmsetup.exe, nvwmisrv.exe
svchost.exe: Changes security center settings (notifications, updates, antivirus, firewall); starts MpCmdRun.exe
nvwmisrv.exe (started from root): starts conhost.exe
9 other processes: contact 127.0.0.1 (unknown) and 192.168.2.1 (unknown); start conhost.exe
fnmsetup.exe drops C:\Users\user\AppData\Local\...\fnmsetup.tmp (PE32); starts fnmsetup.tmp
nvwmisrv.exe (started by G97eP8SSTF.exe): contacts resolutionplatform.com (103.253.40.229; ports 443, 49728, 49737; TELE-ASTeleAsiaLimitedHK, Hong Kong); starts winmsism.exe, conhost.exe
MpCmdRun.exe starts conhost.exe
fnmsetup.tmp drops C:\Users\user\AppData\Local\...\_shfoldr.dll (PE32), C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+), C:\Users\user\AppData\Local\...\_RegDLL.tmp (PE32) and 112 other files (none is malicious); starts FindAndMount.exe
winmsism.exe starts WerFault.exe
Threat name: Win32.Trojan.CrypterX
Status: Malicious
First seen: 2021-03-11 11:10:13 UTC
File Type: PE (Exe)
Extracted files: 9
AV detection: 18 of 28 (64.29%)
Threat level: 5/5

Result
Malware family: strongpity
Score: 10/10
Tags: family:strongpity persistence spyware stealer

Behaviour:
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
StrongPity
StrongPity Spyware
Unpacked files

SHA256 hash: b43b899f195e9002a384c4d3e0c6c07012a0bd167b018ef0cf224b6b57c02dfe
MD5 hash: 0892ce7f20c8447bf8f79f1bf1309cd8
SHA1 hash: 8498879ba6ba00575764ae2e32838bd922533ab1

SHA256 hash: d9402b75daf385ed652cc1d8c3bf7f3ea306fbc16996dead5a8741eff4f54b2f
MD5 hash: f050cfe9ded513f1b8e9a4846a0fa3a7
SHA1 hash: 64cb47c16c5636bdc5046107480aa3c7c97a2bf3

SHA256 hash: 32f45afe803e6eeb58028c0c03299a9aba89102146bbe4bf43f7e166cd3cdf69
MD5 hash: e581b15bc5a7e28d7d5ffcb6c66333e4
SHA1 hash: a39090da0daf3c66e809d82cc532aa5506ce0c6f

SHA256 hash: db691dd9c0cecf92cb38cce85a523fe693b3aca209bf641aa5992e2414047082
MD5 hash: ab9aafa76a645153185eb2d093a138cc
SHA1 hash: 7b5fa06ec284fcb2d89e309d1bcff782ab08a178

SHA256 hash: a18729278f7b9f395628e429da306941d946992447dcaeb7acdeb81425292680
MD5 hash: eaf33883e81817888b13f2e57da6eb1d
SHA1 hash: 5616a687118cc29d3f814143d68ae6893b8aef44

SHA256 hash: d6e0ffd05c5cdb43cbdea5056dc8e74fba891a660f48ae9d16399d907c22e7bf
MD5 hash: 794e2d3f52bd11fc9de214456c9d9be6
SHA1 hash: 52d179042aedd6f9cf79c32d58b7543fb63a6cc4

SHA256 hash: 0e4651625abda88df56952b7e97d7fb64a3e1ea97bfe01e931d47381c0952e98
MD5 hash: 6d0fd5f76fbe861695b140828aac6443
SHA1 hash: 71b54d8219ab3a44ac434c41495c8d0db62a7d3f
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments