MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0fdd6fa6cbb3d3591195dc74bbef904b0f56313cc2d76b0b72194b327fe75b5e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0fdd6fa6cbb3d3591195dc74bbef904b0f56313cc2d76b0b72194b327fe75b5e
SHA3-384 hash: abdb554f2a28fd87cce7598bddab178caff22ec8ff3d58e1e0e8e99bb8cac40a701ac90c98659448ab3b52e2ffa87a06
SHA1 hash: 298b921f76e9d09f1644852b4f341662af312074
MD5 hash: dc4345604d49bf50ea1271cba5522097
humanhash: utah-oklahoma-carolina-mobile
File name:setup_660813137.exe
Download: download sample
File size:9'826'884 bytes
First seen:2021-01-19 08:06:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'463 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep 196608:JSWOSvQv4pgd6fmwkoMYNVYwYe1Lr0WViepAlkSIg3rQZV0blb1O9yuWdO:QPSYv4pmxPoMYNVmklieGlkXsUZ2a9y6
TLSH B9A63362EEC7CC30D42BA7722E478110AECBD508D5F5421ABC06B9B05FFB835A655B93
Reporter struppigel
Tags:InnoSetup Mobatek RAT


Avatar
struppigel
Unknown malware, found via Virustotal and Yara on packer signature. There are also hits in telemetry for similar samples.
InnoSetup. Installs files to C:\Program Files (x86)\ReenCapture\
Connects to hxxp://clunikol(.)club
Intezer finds Mobatek Admin tool but no malware family.

Intelligence

File Origin
# of uploads :
1
# of downloads :
161
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
setup_660813137.exe
Verdict:
Suspicious activity
Analysis date:
2021-01-19 08:26:25 UTC
Tags:
installer
Link:
https://app.any.run/tasks/e1d63fbb-664b-46cf-b370-2ebcdef7f1eb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/112833/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Searching for the window
Creating a file in the Program Files subdirectories
Moving a file to the Program Files subdirectory
Creating a file
DNS request
Launching the default Windows debugger (dwwin.exe)
Sending a UDP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Connection attempt to an infection source
Sending an HTTP POST request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/584629
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0fdd6fa6cbb3d3591195dc74bbef904b0f56313cc2d76b0b72194b327fe75b5e/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-01-18 16:31:19 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
13 of 46 (28.26%)
Threat level:
  5/5
Verdict:
unknown
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery persistence
Link:
https://tria.ge/reports/210119-czx6tjebde/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Program crash
Drops file in Program Files directory
Adds Run key to start application
Checks installed software on the system
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
246b6074a44c606f2f198a112521d65b237209dc7d22004d313e1bc09144faf1
MD5 hash:
57a0573adda784889846d233dc465254
SHA1 hash:
1cb3f7b37095198ed553f32a65c58cadcae0a3ab
Link:
https://www.unpac.me/results/858167b2-58c8-43b5-ad83-fd2291795760/
SH256 hash:
77be65d8868d51ae0abbebbad69ad9cb2415d97eb571a9562f40af611f3d531c
MD5 hash:
d916d7b895b0edc2e32f6beed47d0398
SHA1 hash:
d5478ea1dba0f586ad59ce2efb5f0ba8b2924c86
Link:
https://www.unpac.me/results/858167b2-58c8-43b5-ad83-fd2291795760/
SH256 hash:
8c6cd31600648af16177a45c773592435d4415fdcdf02daf0a37c2c98814428b
MD5 hash:
9314eaef2d811d424a99e8cea2030813
SHA1 hash:
8a1ab86114ee4d132f714a07a09ef407e380e25c
Link:
https://www.unpac.me/results/858167b2-58c8-43b5-ad83-fd2291795760/
SH256 hash:
0fdd6fa6cbb3d3591195dc74bbef904b0f56313cc2d76b0b72194b327fe75b5e
MD5 hash:
dc4345604d49bf50ea1271cba5522097
SHA1 hash:
298b921f76e9d09f1644852b4f341662af312074
Link:
https://www.unpac.me/results/858167b2-58c8-43b5-ad83-fd2291795760/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Tnega
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0fdd6fa6cbb3d3591195dc74bbef904b0f56313cc2d76b0b72194b327fe75b5e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Link
https://www.virustotal.com/gui/file/0fdd6fa6cbb3d3591195dc74bbef904b0f56313cc2d76b0b72194b327fe75b5e/detection
Cape
Cape
https://www.capesandbox.com/analysis/112833/

Comments


Avatar
Karsten Hahn commented on 2021-01-19 08:12:59 UTC

Discussion on Twitter: https://twitter.com/struppigel/status/1351441343395065859