MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1041962780029fab7ba54ab21c49185c8f105f774f3e75286dd6f83f27a6a587. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1041962780029fab7ba54ab21c49185c8f105f774f3e75286dd6f83f27a6a587
SHA3-384 hash: b1f1bf5d63df06c03155667a5f324bb544e3d6b9ab0272da5fd399166994b4e43dd8df79d16b0e42a11d7576959b0bb2
SHA1 hash: 3e4a5082ee71202453c4c465fd32a1737763ddb5
MD5 hash: 912005f12dd46262bfbac355d30c873c
humanhash: green-earth-nine-three
File name:dingtalk_downloader.exe
Download: download sample
File size:5'217'184 bytes
First seen:2022-12-16 13:18:50 UTC
Last seen:2022-12-16 14:33:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 28f2bef84068d573cea644fd9fa48e40
ssdeep 98304:Bgf5K0MkHwjBzOdgPDmKneJCqgpk585NqFJKTKK4KKDyK5FZ1EEEEmEEE1EEEEEh:uf80viq4aKneJ0u6Ug
Threatray 17'481 similar samples on MalwareBazaar
TLSH T18A368D107E41C176FBC202F69ABD7BFA466D9E20472C94DBC2D83D594D702C32B366A6
TrID 88.3% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
4.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
2.0% (.EXE) Win32 Executable (generic) (4505/5/1)
0.9% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon c488b8f0e2b692cc (2 x CobaltStrike, 1 x ValleyRAT)
Reporter iamdeadlyz
Tags:exe FakeGaliXCity signed SpaceCity

Code Signing Certificate

Organisation:ALIBABA (CHINA) NETWORK TECHNOLOGY CO.,LTD.
Issuer:DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Algorithm:sha256WithRSAEncryption
Valid from:2021-11-29T00:00:00Z
Valid to:2024-08-21T23:59:59Z
Serial number: 0e57ecd1bbfa85ddcaca78bf7a23683d
Thumbprint Algorithm:SHA256
Thumbprint: 6645408cb2472a49645a7b51c6df54a92353efafda39f98c4212a815f858e2d8
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
Iamdeadlyz
From spacecity.games (impersonation of galixcity.io)

Intelligence

File Origin
# of uploads :
2
# of downloads :
198
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Launcher.exe
Verdict:
Malicious activity
Analysis date:
2022-12-16 13:11:21 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c4b47538-de44-42a1-a1bd-0efa71ffcd8e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Vawtrak
Create hunting rule
Link:
https://www.capesandbox.com/analysis/346994/
Detection(s):
SecuriteInfo.com.OpCloudHopper_Malware_3.172.6304.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a file in the %AppData% subdirectories
Creating a window
DNS request
Sending a custom TCP request
Creating a file in the %temp% directory
Searching for synchronization primitives
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug cloud explorer.exe greyware keylogger operation overlay packed rat shell32.dll shylock
Link:
https://www.filescan.io/uploads/639c704731633f2a3dab16dd/reports/61a36f26-3a1c-4652-a741-eb40e244577c/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/ad469d23-6b20-4495-9ae6-0ff60f309afd
Result
Threat name:
Unknown
Detection:
suspicious
Classification:
evad
Score:
26 / 100
Link:
https://www.joesandbox.com/analysis/1135702
Signature
Detected VMProtect packer
DLL side loading technique detected
Sample is protected by VMProtect
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1041962780029fab7ba54ab21c49185c8f105f774f3e75286dd6f83f27a6a587/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cbazmj4aakp2w65fjkzbysiylshrax3xj47hkkdn234d6j5guwdq._file
Verdict:
unknown
Similar samples:
1bdbc0c9494df38a4ed2fcc05ae5a70daa8a48f2407383d77359d4b5638fde19
3e3da330b390bad9cc777bff2b641c9bdd1654470485cab4d166c8928851645d
4c6db804a366a11a3321f87543f03c45e1785fed75a1c5e21ce39b658f6bb5bd
63a8a847683b777e6d6143a1c886a2d38bd68ab632826115763db3b214d1e127
71542a9dd0da516b5599228ace4fc9028ce2d389ec0fc1e68e9089ba174afe80
af74b80210c8fd9f512427ff46e8ccbdf063a9eed4fa3ffe15f791880c5b8d1e
b2b465aad0a254c202bee124ff4beb540ac09ce04655f61478b5824509a1f6a2
+ 17'471 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/221216-qkhmeahe81/
Behaviour
Checks processor information in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/123dc641-e2c8-4cab-b13d-4857a8232613
Unpacked files
SH256 hash:
1041962780029fab7ba54ab21c49185c8f105f774f3e75286dd6f83f27a6a587
MD5 hash:
912005f12dd46262bfbac355d30c873c
SHA1 hash:
3e4a5082ee71202453c4c465fd32a1737763ddb5
Link:
https://www.unpac.me/results/2a57b705-30a3-4f09-83c3-f390b25ff801/
Malware family:
APT10
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/104196278002/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1041962780029fab7ba54ab21c49185c8f105f774f3e75286dd6f83f27a6a587

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:OpCloudHopper_Malware_3
Create hunting rule
Author:Florian Roth
Description:Detects malware from Operation Cloud Hopper
Reference:https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html
Rule name:OpCloudHopper_Malware_3_RID2FEF
Create hunting rule
Author:Florian Roth
Description:Detects Operation CloudHopper malware samples
Reference:https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gh0stRAT

Executable exe 94585f5b52e2d093240ccbd3ce8273784d5aa22302c04f56fd43b132fe30ea98

Executable exe 1041962780029fab7ba54ab21c49185c8f105f774f3e75286dd6f83f27a6a587

(this sample)

  
Dropped by
SHA256 94585f5b52e2d093240ccbd3ce8273784d5aa22302c04f56fd43b132fe30ea98
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/346994/
  
URLhaus
https://urlhaus.abuse.ch/url/2466673/
  
Dropped by
MD5 5d32587e7d8a3e5079216e6e26796f62
  
Dropped by
SHA256 a803b45c52fc4db19e364eddfad59a4b131e7552053217d547916bcbfdf8589b
  
Dropped by
MD5 51a049b0392d813227d3093db8d71c0b

Comments