MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0ff90e51f04083e8bb34bb7a414a9b28a5e0264e152ac086e64b548e5a771956. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mimic


Vendor detections: 15



SHA256 hash: 0ff90e51f04083e8bb34bb7a414a9b28a5e0264e152ac086e64b548e5a771956
SHA3-384 hash: ff1f7cec434bc4ab9d1e7b25ec6f3e0e6ccd2940729eb994f8ca7036dfcc51fce24423a26444c4a2ed7d12c7a8751f8d
SHA1 hash: ea7d40a460086e6cb9b8ae57a95c8ccceb10862f
MD5 hash: 079d2307e9caaed44c5bc62adb7b6db5
humanhash: king-winner-glucose-beryllium
File name: old.exe
Signature: Mimic
File size: 15'587'142 bytes
First seen: 2025-05-31 18:59:56 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f6baa5eaa8231d4fe8e922a2e6d240ea (36 x CoinMiner, 22 x DCRat, 15 x LummaStealer)
ssdeep: 393216:wg5R1FS3XZieQHj5vcz210KmcK3JC1lx1qzjeO2ZN7/K:zRcXZilFf10VcK30zEnw7K
TLSH: T162F6330670A1CA72C4D646B38A7858CA08B5D3180BB5CC2FEB84F5757FF4AE35934AD6
TrID: 38.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      24.6% (.EXE) Win64 Executable (generic) (10522/11/4)
      11.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
      10.5% (.EXE) Win32 Executable (generic) (4504/4/1)
      4.7% (.EXE) OS/2 Executable (generic) (2029/13)
Magika: pebin
Reporter: juroots
Tags: 88-80-150-179 exe Mimic Ransomware

Intelligence


File Origin
# of uploads: 1
# of downloads: 485
Origin country: CH
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: old.exe
Verdict: Malicious activity
Analysis date: 2025-05-31 19:28:57 UTC
Tags: everything tool auto-reg mimic ransomware confuser

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.9%
Tags: autoit emotet
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Creating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file
Searching for the window
Searching for synchronization primitives
Running batch commands
Connection attempt
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun with the shell\open\command registry branches
Unauthorized injection to a recently created process
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: adaptive-context fingerprint installer keylogger microsoft_visual_cc mimic overlay overlay packed packer_detected
Malware family: Mimic Ransomware
Verdict: Malicious
Result
Threat name:
Detection: malicious
Classification: rans.spyw.expl.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Connects to many different private IPs (likely to spread or exploit)
Connects to many different private IPs via SMB (likely to spread or exploit)
Contains functionality to detect sleep reduction / modifications
Contains functionality to register a low level keyboard hook
Creates a Image File Execution Options (IFEO) Debugger entry
Creates an undocumented autostart registry key
Disable UAC(promptonsecuredesktop)
Disables UAC (registry)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Modifies Group Policy settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Potentially malicious time measurement code found
Uses powercfg.exe to modify the power settings
Yara detected Mimic Ransomware
Yara detected RansomwareGeneric18
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph: ID 1703056, sample old.exe, start date 31/05/2025, architecture WINDOWS, score 100. Top-level signatures: Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; 8 other signatures. Process tree and dropped files recovered from the graph:
- old.exe: drops C:\Users\user\AppData\...verything32.dll (PE32), C:\Users\user\AppData\...verything.exe (PE32) and C:\Users\user\AppData\Local\Temp\...\7za.exe (PE32); contains functionality to register a low level keyboard hook; starts Old.exe, 7za.exe (twice) and cmd.exe
  - Old.exe: drops C:\Users\user\AppData\Local\...\xdel.exe, ...\svcrhost.exe and ...\gui40.exe (all PE32) plus 21 other malicious files; creates an undocumented autostart registry key; potentially malicious time measurement code found; starts svcrhost.exe, gui40.exe and Everything.exe
    - svcrhost.exe: uses powercfg.exe to modify the power settings; potentially malicious time measurement code found; starts svcrhost.exe, which keeps respawning svcrhost.exe in a chain seven instances deep
    - gui40.exe: antivirus detection for dropped file
  - 7za.exe: drops C:\Users\user\AppData\Local\Temp\...\xdel.exe, C:\Users\user\AppData\Local\...\gui40.exe and ...\gui35.exe (all PE32) plus 18 other malicious files; starts conhost.exe
  - cmd.exe and the second 7za.exe: each starts conhost.exe
- svcrhost.exe (two instances started directly, plus 2 other processes): connects to many different private IPs, also via SMB (likely to spread or exploit); creates an undocumented autostart registry key; 3 other signatures; starts cmd.exe, powercfg.exe, svcrhost.exe and 4 other processes
  - cmd.exe: starts DC.exe and conhost.exe
    - DC.exe: drops C:\Windows\System32\GroupPolicy\gpt.ini (ASCII); multi AV scanner detection for dropped file; allocates memory in foreign processes; modifies Group Policy settings; contains functionality to detect sleep reduction / modifications; starts a second DC.exe
  - powercfg.exe: starts conhost.exe
Threat name: Win32.Ransomware.Mimic
Status: Malicious
First seen: 2025-05-10 11:55:44 UTC
File Type: PE (Exe)
Extracted files: 38
AV detection: 20 of 24 (83.33%)
Threat level: 5/5
Verdict: malicious
Label(s): elpaco-team
Similar samples:
Result
Malware family:
Score: 10/10
Tags: family:mimic defense_evasion discovery persistence ransomware
Behaviour
Modifies registry class
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Adds Run key to start application
Enumerates connected drives
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Modifies system executable filetype association
Clears Windows event logs
Detects Mimic ransomware
Mimic
Mimic family
Verdict: Malicious
Tags: Win.Ransomware.Mimic-10014123-0
YARA: n/a
Unpacked files
Fifteen unpacked files were extracted from this sample, the first of them being the sample itself; the per-file SHA256/MD5/SHA1 hash list is omitted here. YARA detections recorded on the unpacked files: Detect_Mimic_Ransomware, INDICATOR_SUSPICIOUS_GENRansomware, INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, INDICATOR_SUSPICIOUS_ClearWinLogs and INDICATOR_SUSPICIOUS_USNDeleteJournal (two files); SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24 and INDICATOR_EXE_Packed_ConfuserEx (two files); INDICATOR_EXE_Packed_ConfuserEx alone (one file); AutoIT_Compiled and INDICATOR_TOOL_PET_DefenderControl (one file).
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address
Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download | Mimic | Executable exe 0ff90e51f04083e8bb34bb7a414a9b28a5e0264e152ac086e64b548e5a771956 (this sample)

Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_NX | Missing Non-Executable Memory Protection | critical
CHECK_PIE | Missing Position-Independent Executable (PIE) Protection | high
CHECK_TRUST_INFO | Requires Elevated Execution (uiAccess:None) | high
Reviews
ID | Capabilities | Evidence
AUTH_API | Manipulates User Authorization | ADVAPI32.dll::AllocateAndInitializeSid, ADVAPI32.dll::FreeSid
COM_BASE_API | Can Download & Execute components | ole32.dll::CoCreateInstance, ole32.dll::CreateStreamOnHGlobal
SECURITY_BASE_API | Uses Security Base API | ADVAPI32.dll::CheckTokenMembership
SHELL_API | Manipulates System Shell | SHELL32.dll::ShellExecuteW, SHELL32.dll::ShellExecuteExW, SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CreateProcessW, KERNEL32.dll::CloseHandle, KERNEL32.dll::CreateThread
WIN_BASE_API | Uses Win Base API | KERNEL32.dll::LoadLibraryA, KERNEL32.dll::GetDriveTypeW, KERNEL32.dll::GetStartupInfoW, KERNEL32.dll::GetStartupInfoA, KERNEL32.dll::GetDiskFreeSpaceExW, KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_API | Can Execute other programs | KERNEL32.dll::AssignProcessToJobObject
WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CreateDirectoryW, KERNEL32.dll::CreateFileW, KERNEL32.dll::DeleteFileW, KERNEL32.dll::GetSystemDirectoryW, KERNEL32.dll::GetFileAttributesW, KERNEL32.dll::FindFirstFileW
WIN_USER_API | Performs GUI Actions | USER32.dll::CreateWindowExA, USER32.dll::CreateWindowExW
