MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1280eee88bc188622bceadd8a427c5f5e242ddfd175c378b3d828e5e7a0d66ca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



N3ww4v3


Vendor detections: 17



SHA256 hash: 1280eee88bc188622bceadd8a427c5f5e242ddfd175c378b3d828e5e7a0d66ca
SHA3-384 hash: ab9b4081e61b78a88d404c13065f8a04259a84e57baf950eecd9a16cebf2228ef01747056a6d8a197a64319f17f80026
SHA1 hash: d8c5d3ab8e11aa9dd5236625b610837b5cbbfd27
MD5 hash: 88d00427a014f1fdb88383a6a8ab97a5
humanhash: don-cat-lemon-purple
File name: 1.exe
Signature: N3ww4v3
File size: 2'770'322 bytes
First seen: 2024-05-22 10:08:12 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f6baa5eaa8231d4fe8e922a2e6d240ea (61 x CoinMiner, 22 x DCRat, 15 x LummaStealer)
ssdeep: 49152:wgwR0ifu1DBgutBPNw6m+sqFrDCcTeL7dzXVeH0Bl1nzBJ6GDaJP:wgwR0vguPPK6GkDC7hv1zeP
Threatray: 8 similar samples on MalwareBazaar
TLSH: T188D533162BA388F9D48A05FA510637B658BCB2091F2204C3D7F06F0E5B796D77B7A391
TrID: 38.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      24.6% (.EXE) Win64 Executable (generic) (10523/12/4)
      11.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
      10.5% (.EXE) Win32 Executable (generic) (4504/4/1)
      4.7% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter: petrovic
Tags: exe N3ww4v3
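
The digests above are what identify the sample; the file name does not (the same file is listed as 1.exe here and as kon.txt in the ANY.RUN result below), and the imphash is shared with CoinMiner, DCRat and LummaStealer samples, so it points at a common build or packing stub rather than at this family. Before analysing a copy of the sample, check it against the listed values. The script below is an added example, not MalwareBazaar's own tooling; it assumes the downloaded archive has already been extracted to a local file and uses only the Python standard library:

```python
"""Check a downloaded sample against the digests listed in the entry above.

Added example, not part of MalwareBazaar or its tooling; standard library only.
All four digests are computed in one streaming pass, so a multi-megabyte
sample is read from disk once.
"""
import hashlib
import sys
from typing import Dict, Iterable, Optional, Tuple

# Copied from the SHA256 / SHA3-384 / SHA1 / MD5 hash and File size fields above.
LISTED_HASHES: Dict[str, str] = {
    "sha256": "1280eee88bc188622bceadd8a427c5f5e242ddfd175c378b3d828e5e7a0d66ca",
    "sha3_384": "ab9b4081e61b78a88d404c13065f8a04259a84e57baf950eecd9a16cebf2228ef01747056a6d8a197a64319f17f80026",
    "sha1": "d8c5d3ab8e11aa9dd5236625b610837b5cbbfd27",
    "md5": "88d00427a014f1fdb88383a6a8ab97a5",
}
LISTED_SIZE = 2_770_322

ALGORITHMS = ("md5", "sha1", "sha256", "sha3_384")


def digest_stream(chunks: Iterable[bytes]) -> Tuple[Dict[str, str], int]:
    """Feed every chunk to all hashers at once; return ({algorithm: hexdigest}, byte count)."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    size = 0
    for chunk in chunks:
        size += len(chunk)
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}, size


def compare_hashes(digests: Dict[str, str], size: int,
                   expected: Dict[str, str],
                   expected_size: Optional[int] = None) -> Dict[str, Tuple[object, object]]:
    """Return {field: (listed, observed)} for each listed field that disagrees; {} means a match."""
    mismatches: Dict[str, Tuple[object, object]] = {}
    for name, listed in expected.items():
        observed = digests.get(name)
        # Hex digests are compared case-insensitively; sources differ in case.
        if observed is None or observed.lower() != listed.lower():
            mismatches[name] = (listed, observed)
    if expected_size is not None and size != expected_size:
        mismatches["size"] = (expected_size, size)
    return mismatches


def verify_bytes(data: bytes, expected: Dict[str, str] = LISTED_HASHES,
                 expected_size: Optional[int] = LISTED_SIZE):
    digests, size = digest_stream([data])
    return compare_hashes(digests, size, expected, expected_size)


def verify_file(path: str, expected: Dict[str, str] = LISTED_HASHES,
                expected_size: Optional[int] = LISTED_SIZE, chunk_size: int = 1 << 20):
    """Hash the file in 1 MiB chunks and compare against the listed values."""
    with open(path, "rb") as f:
        digests, size = digest_stream(iter(lambda: f.read(chunk_size), b""))
    return compare_hashes(digests, size, expected, expected_size)


if __name__ == "__main__":
    # Usage: python verify_sample.py <path to the extracted sample>
    problems = verify_file(sys.argv[1])
    if not problems:
        print("sample matches every digest listed in the entry")
    else:
        for field, (listed, observed) in problems.items():
            print(f"{field}: listed {listed}, observed {observed}")
        sys.exit(1)
```

A non-empty result means the file on disk is not the one this page describes (wrong file, truncated download, or a re-packed copy), and analysis notes taken from it should not be attributed to this SHA256.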

Intelligence


File Origin
# of uploads: 1
# of downloads: 323
Origin country: FI
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: kon.txt
Verdict: Malicious activity
Analysis date: 2024-05-21 21:31:38 UTC
Tags: mimic ransomware stealer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 96.5%
Tags: Banker Encryption Execution Generic Network Other Stealth Heur Dexter

Verdict: Malware
Behaviour:
Searching for the window
Creating a window
Creating a file in the %temp% subdirectories
Creating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file
Adding an access-denied ACE
Running batch commands
Using the Windows Management Instrumentation requests
Modifying a system file
Replacing files
Launching a service
Launching a process
Creating a file in the Windows subdirectories
Sending a UDP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun with the shell\open\command registry branches
Blocking the Windows Defender launch
Enabling autorun

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: fingerprint installer keylogger lolbin overlay packed shell32

Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family: N3ww4v3 Ransomware
Verdict: Malicious

Detection: malicious
Classification: rans.phis.spyw.expl.evad.troj
Score: 100 / 100
Signatures:
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Connects to many different private IPs (likely to spread or exploit)
Connects to many different private IPs via SMB (likely to spread or exploit)
Contains functionality to detect sleep reduction / modifications
Contains functionality to register a low level keyboard hook
Creates a Image File Execution Options (IFEO) Debugger entry
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Disable UAC(promptonsecuredesktop)
Disables UAC (registry)
Found API chain indicative of sandbox detection
Found stalling execution ending in API Sleep call
Malicious sample detected (through community Yara rule)
Modifies existing user documents (likely ransomware behavior)
Modifies Group Policy settings
Multi AV Scanner detection for submitted file
Overwrites Mozilla Firefox settings
Potentially malicious time measurement code found
Sigma detected: Potential Ransomware Activity Using LegalNotice Message
Tries to harvest and steal browser information (history, passwords, etc)
Writes many files with high entropy
Yara detected Mimic Ransomware
Yara detected RansomwareGeneric18
Yara detected UAC Bypass using CMSTP
Behaviour

Behavior Graph ID: 1445650 (Sample: 1.exe, Startdate: 22/05/2024, Architecture: WINDOWS, Score: 100)
Sample-level signatures: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 4 other signatures

Process tree recovered from the graph (node numbers as in the graph):
  1.exe [19]
    dropped: C:\Users\user\AppData\...verything64.dll (7-zip); C:\Users\user\AppData\...verything32.dll (PE32); C:\Users\user\AppData\...verything.exe (PE32); C:\Users\user\AppData\Local\Temp\...\7za.exe (PE32)
    signatures: Contains functionality to register a low level keyboard hook; Writes many files with high entropy
    5koto.exe [33]
      dropped: C:\Users\user\AppData\Local\...\YOURDATA.exe (PE32); C:\Users\user\AppData\Local\...\DC.exe (PE32); C:\Users\user\AppData\...verything64.dll (7-zip); 4 other files (none is malicious)
      signatures: Creates an undocumented autostart registry key; Creates multiple autostart registry keys; Writes many files with high entropy; Potentially malicious time measurement code found
      YOURDATA.exe [48]
        signatures: Writes many files with high entropy; Potentially malicious time measurement code found
        YOURDATA.exe [56] -> YOURDATA.exe [58] -> YOURDATA.exe [60] -> YOURDATA.exe [62] -> YOURDATA.exe [64] -> YOURDATA.exe [66] -> YOURDATA.exe [68] (each instance starts the next)
    7za.exe [37]
      dropped: C:\Users\user\AppData\Local\...\5koto.exe (PE32); C:\Users\user\AppData\Local\Temp\...\xdel.exe (PE32); C:\Users\user\AppData\Local\Temp\...\DC.exe (PE32)
      conhost.exe [50]
    cmd.exe [39]
      conhost.exe [52]
    7za.exe [41]
      conhost.exe [54]
  YOURDATA.exe [14]
    network: 192.168.2.100; 192.168.2.101; 98 other IPs or domains
    dropped: ffd5710fd5bff1cd63...utamail.com.5000USD (COM); 7c0e2aa88f7413bc_0...utamail.com.5000USD (COM); sql2000.xsl.getmyd...utamail.com.5000USD (DOS); 364 other files (359 malicious)
    signatures: Connects to many different private IPs via SMB (likely to spread or exploit); Connects to many different private IPs (likely to spread or exploit); Creates multiple autostart registry keys; 3 other signatures
    cmd.exe [25]
      DC.exe [43]
        signatures: Allocates memory in foreign processes
      conhost.exe [46]
    YOURDATA.exe [27]
    YOURDATA.exe [29]
    YOURDATA.exe [31]
  YOURDATA.exe [21]
  gpscript.exe [23]

Threat name: Win32.Ransomware.Mimic
Status: Malicious
First seen: 2024-05-22 10:09:06 UTC
File Type: PE (Exe)
Extracted files: 38
AV detection: 22 of 38 (57.89%)
Threat level: 5/5

Score: 10/10
Tags: family:mimic evasion execution persistence ransomware spyware stealer trojan
Behaviour:
Checks SCSI registry key(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Checks whether UAC is enabled
Enumerates connected drives
Checks computer location settings
Deletes itself
Executes dropped EXE
Loads dropped DLL
Modifies system executable filetype association
Reads user/profile data of web browsers
Windows security modification
Deletes System State backups
Sets file execution options in registry
Modifies boot configuration data using bcdedit
Renames multiple (6323) files with added filename extension
Detects Mimic ransomware
Mimic
Modifies security service
UAC bypass
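
Several of the behaviours reported above are registry writes: the Run-key and shell\open\command autoruns, the IFEO Debugger entry, the UAC and Windows Defender registry changes, and the LegalNotice message the Sigma rule keys on. The following is an added example, not code from MalwareBazaar or any of the sandboxes quoted above, showing how those writes can be classified from Sysmon Event ID 13 (registry value set) records. The registry paths are the documented Windows locations; the tag names, the event dictionaries and the file paths inside them are constructed for illustration and are not taken from the sample's run:

```python
"""Flag Sysmon registry-set events (Event ID 13) that match the registry
techniques the sandbox reports above attribute to this sample: Run-key
autostart, hijacked exefile shell\\open\\command, IFEO Debugger entries,
UAC policy changes, a LegalNotice logon banner and Defender policy keys.

Added example, not code from MalwareBazaar or any of the sandboxes quoted
above. Key paths are the documented Windows locations; the events below are
constructed for illustration and are not taken from the sample's run.
"""
import re
from typing import Dict, List, Tuple

Event = Dict[str, str]

# Sysmon renders REG_DWORD data as "DWORD (0x00000001)".
_DWORD = re.compile(r"DWORD \(0x([0-9A-Fa-f]{8})\)")
EXEC_CLASSES = ("\\exefile\\", "\\comfile\\", "\\batfile\\", "\\cmdfile\\")
DEFAULT_OPEN_COMMAND = '"%1" %*'   # stock (Default) of exefile\shell\open\command


def dword_value(details: str):
    m = _DWORD.search(details or "")
    return int(m.group(1), 16) if m else None


def classify(event: Event) -> List[str]:
    """Return the technique tags a SetValue event matches; [] means nothing notable."""
    if event.get("EventType") != "SetValue":
        return []
    key = event.get("TargetObject", "").lower()
    leaf = key.rsplit("\\", 1)[-1]
    details = event.get("Details", "") or ""
    num = dword_value(details)
    tags: List[str] = []

    # Persistence: ...\CurrentVersion\Run and RunOnce (HKLM or any HKU hive)
    if "\\currentversion\\run\\" in key or "\\currentversion\\runonce\\" in key:
        tags.append("autorun_run_key")

    # Persistence: executable file-class open command pointing anywhere but the stock value
    if "\\shell\\open\\command" in key and any(c in key for c in EXEC_CLASSES):
        if details.strip() != DEFAULT_OPEN_COMMAND:
            tags.append("exefile_open_command_hijack")

    # Persistence / evasion: Image File Execution Options\<program>\Debugger
    if "\\image file execution options\\" in key and leaf == "debugger":
        tags.append("ifeo_debugger")

    # UAC weakening: policy DWORDs set to 0
    if "\\policies\\system\\" in key and num == 0:
        if leaf == "enablelua":
            tags.append("uac_disabled")
        elif leaf == "consentpromptbehavioradmin":
            tags.append("uac_admin_no_prompt")
        elif leaf == "promptonsecuredesktop":
            tags.append("uac_secure_desktop_off")

    # Ransom note delivered through the pre-logon legal notice
    if "\\winlogon\\legalnotice" in key:
        tags.append("legalnotice_banner")

    # Defender switched off through its policy keys
    if "\\windows defender\\" in key and num == 1 and leaf in (
            "disableantispyware", "disablerealtimemonitoring"):
        tags.append("defender_disabled")
    return tags


def scan(events) -> List[Tuple[str, str, str]]:
    """(Image, tag, TargetObject) for every hit, in event order."""
    return [(ev.get("Image", "?"), tag, ev.get("TargetObject", ""))
            for ev in events for tag in classify(ev)]


def summarize(events) -> Dict[str, List[str]]:
    """Tags per writing process, so one process touching several keys stands out."""
    per_image: Dict[str, set] = {}
    for image, tag, _ in scan(events):
        per_image.setdefault(image, set()).add(tag)
    return {image: sorted(tags) for image, tags in per_image.items()}


# Constructed events with hypothetical paths and values, not real telemetry.
MALICIOUS_IMAGE = r"C:\Users\user\AppData\Local\Temp\YOURDATA.exe"


def _ev(image, target, details):
    return {"EventType": "SetValue", "Image": image, "TargetObject": target, "Details": details}


SAMPLE_EVENTS = [
    _ev(MALICIOUS_IMAGE, r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\YOURDATA", MALICIOUS_IMAGE),
    _ev(MALICIOUS_IMAGE, r"HKLM\SOFTWARE\Classes\exefile\shell\open\command\(Default)", '"' + MALICIOUS_IMAGE + '" "%1" %*'),
    _ev(MALICIOUS_IMAGE, r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger", MALICIOUS_IMAGE),
    _ev(MALICIOUS_IMAGE, r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", "DWORD (0x00000000)"),
    _ev(MALICIOUS_IMAGE, r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop", "DWORD (0x00000000)"),
    _ev(MALICIOUS_IMAGE, r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText", "Your files have been encrypted (constructed text)"),
    _ev(MALICIOUS_IMAGE, r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware", "DWORD (0x00000001)"),
    # Benign: stock open command restored, UAC re-enabled, unrelated service key
    _ev(r"C:\Windows\System32\reg.exe", r"HKLM\SOFTWARE\Classes\exefile\shell\open\command\(Default)", '"%1" %*'),
    _ev(r"C:\Windows\System32\reg.exe", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", "DWORD (0x00000001)"),
    _ev(r"C:\Windows\System32\svchost.exe", r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{guid}\DhcpIPAddress", "10.0.0.5"),
]

if __name__ == "__main__":
    for image, tags in summarize(SAMPLE_EVENTS).items():
        print(image, "->", ", ".join(tags))
```

The check keys on the target path and, for the DWORD policies, on the value written, so re-enabling UAC or restoring the stock "%1" %* command is not reported; feed it the parsed EventData of real Sysmon events to run it on telemetry. The per-process summary is the useful view: one unsigned executable that hits several of these keys in a single run is a much stronger signal than any one write on its own.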
Unpacked files

SHA256 hash: dea66da92613279b65514d95f3c8e9aac3083feaf02cc66ee9a5d289460a11d1
MD5 hash: fa783bc6300c78d95d18a5c6934473ec
SHA1 hash: c1742354e02d8b96cd76331ba148776ab1007201
Detections: Detect_Mimic_Ransomware INDICATOR_SUSPICIOUS_ClearWinLogs INDICATOR_SUSPICIOUS_GENRansomware INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM INDICATOR_SUSPICIOUS_USNDeleteJournal

SHA256 hash: 8d43f38e4960a25f3bff15e1d720706a78d92e70ab3d376d69ef48d52f3d19d2
MD5 hash: 89b8ea47dfa63c0dc7c2a7e811d034a5
SHA1 hash: 9a3895f83ff9c051069858ce6daa8663d481b822
Detections: AutoIT_Compiled INDICATOR_TOOL_PET_DefenderControl

SHA256 hash: 7416b3c8981f631b66733761ca0582dd42b9a87265dd8fc65bdde8caf1092a8d
MD5 hash: 01b6799d0bb000bd489539f55258bbaf
SHA1 hash: ebfeb449368d30eeb7d6b270d2956b474f989d25

SHA256 hash: 91059b88b1ef536836dd70853c7de88639f5220fe0438416a72cee7d86ecd871
MD5 hash: a7d38b39dc40fd2f545c49e8f02bcc31
SHA1 hash: dab67f863986a2532a296d7a2649612121b371a3

SHA256 hash: 124e7a5b74b4c213fcf7115b98b382c98ad9a46c4f04b4a273b2a58c644dffd8
MD5 hash: 6d1eaaef5e00b3151d1d757093a22201
SHA1 hash: 5af79717807a0542ae53d0e2924524a84c8f743d

SHA256 hash: cfbcf827900a5dc36d1d2ba4b4879ce703a429b1952e6e9616f498a9bde68c91
MD5 hash: 68d90c681c9748e8489f3f9fc622301d
SHA1 hash: 931ebcaec96692ba2054379a489a4af0451bf630
Detections: Detect_Mimic_Ransomware INDICATOR_SUSPICIOUS_ClearWinLogs INDICATOR_SUSPICIOUS_GENRansomware INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM INDICATOR_SUSPICIOUS_USNDeleteJournal

SHA256 hash: 4c83e46a29106afbaf5279029d102b489d958781764289b61ab5b618a4307405
MD5 hash: c44487ce1827ce26ac4699432d15b42a
SHA1 hash: 8434080fad778057a50607364fee8b481f0feef8

SHA256 hash: 3a0f9265f2790f29ba3c87068c80a8cbf861676a4dfd9199812f75f2841c68f7
MD5 hash: 14da8c6ea9e44204a3675b7b1ad9b287
SHA1 hash: decba5ecbb9139f9866bd25db72b6aa83971246e
Detections: AutoIT_Compiled INDICATOR_TOOL_PET_DefenderControl

SHA256 hash: 735b6968327499600f7166d7dbfa8e3547ef196b6a7604e49f8c278d72f8f74a
MD5 hash: 32df65077a46aceeae20e0c1e62140fb
SHA1 hash: 6254728983f06183fa0033ccb524912e8d42522a

SHA256 hash: c913daf6489a3f88a57b9948e1a6fb9a2dd17be56dd5f3dd7c50273b4d583f7b
MD5 hash: 3e501f7f47a77e76becf15b1b9fbcb78
SHA1 hash: eb01e1f0094dbe10e109c7e0b643172a41f03e78

SHA256 hash: 1280eee88bc188622bceadd8a427c5f5e242ddfd175c378b3d828e5e7a0d66ca
MD5 hash: 88d00427a014f1fdb88383a6a8ab97a5
SHA1 hash: d8c5d3ab8e11aa9dd5236625b610837b5cbbfd27
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

ID                   Title                                                     Severity
CHECK_AUTHENTICODE   Missing Authenticode                                      high
CHECK_NX             Missing Non-Executable Memory Protection                  critical
CHECK_PIE            Missing Position-Independent Executable (PIE) Protection  high
CHECK_TRUST_INFO     Requires Elevated Execution (uiAccess:None)               high
Reviews

ID                   Capabilities                         Evidence
AUTH_API             Manipulates User Authorization       ADVAPI32.dll::AllocateAndInitializeSid
                                                          ADVAPI32.dll::FreeSid
COM_BASE_API         Can Download & Execute components    ole32.dll::CoCreateInstance
                                                          ole32.dll::CreateStreamOnHGlobal
SECURITY_BASE_API    Uses Security Base API               ADVAPI32.dll::CheckTokenMembership
SHELL_API            Manipulates System Shell             SHELL32.dll::ShellExecuteW
                                                          SHELL32.dll::ShellExecuteExW
                                                          SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_API    Can Create Process and Threads       KERNEL32.dll::CreateProcessW
                                                          KERNEL32.dll::CloseHandle
                                                          KERNEL32.dll::CreateThread
WIN_BASE_API         Uses Win Base API                    KERNEL32.dll::LoadLibraryA
                                                          KERNEL32.dll::GetDriveTypeW
                                                          KERNEL32.dll::GetStartupInfoW
                                                          KERNEL32.dll::GetStartupInfoA
                                                          KERNEL32.dll::GetDiskFreeSpaceExW
                                                          KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_API    Can Execute other programs           KERNEL32.dll::AssignProcessToJobObject
WIN_BASE_IO_API      Can Create Files                     KERNEL32.dll::CreateDirectoryW
                                                          KERNEL32.dll::CreateFileW
                                                          KERNEL32.dll::DeleteFileW
                                                          KERNEL32.dll::GetSystemDirectoryW
                                                          KERNEL32.dll::GetFileAttributesW
                                                          KERNEL32.dll::FindFirstFileW
WIN_USER_API         Performs GUI Actions                 USER32.dll::CreateWindowExA
                                                          USER32.dll::CreateWindowExW
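
The CHECK_NX, CHECK_PIE and CHECK_AUTHENTICODE findings come from header fields of the PE itself: the NX_COMPAT and DYNAMIC_BASE bits of DllCharacteristics in the optional header, and whether the Security data directory (index 4, where an Authenticode signature lives) is populated. The following is an added example, not BLint's code, that reads those fields with the Python standard library. That these are the exact bits BLint tests is an assumption; the builder at the end produces constructed header-only images for trying the parser offline, and the CHECK_TRUST_INFO finding, which comes from the embedded manifest, is not covered:

```python
"""Read the PE header fields behind BLint-style NX / PIE / Authenticode findings.

Added example, not BLint's implementation. Offsets follow the PE/COFF
specification; the mapping of finding IDs to header bits is an assumption.
Standard library only.
"""
import struct
from typing import Dict

# IMAGE_DLLCHARACTERISTICS_* bits of IMAGE_OPTIONAL_HEADER.DllCharacteristics
IMAGE_DLLCHARACTERISTICS = {
    "HIGH_ENTROPY_VA": 0x0020,
    "DYNAMIC_BASE": 0x0040,
    "FORCE_INTEGRITY": 0x0080,
    "NX_COMPAT": 0x0100,
    "NO_SEH": 0x0400,
    "GUARD_CF": 0x4000,
}
IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # data directory holding the Authenticode blob


def pe_security_properties(data: bytes) -> Dict[str, object]:
    """Parse DOS header -> PE signature -> optional header; return flags and derived findings."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 4 + 20              # 4-byte signature, 20-byte COFF file header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:
        pe32plus = False
    elif magic == 0x20B:
        pe32plus = True
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at +0x46 in both PE32 and PE32+ optional headers.
    (dllchar,) = struct.unpack_from("<H", data, opt + 0x46)
    # NumberOfRvaAndSizes and the data directory array differ by layout.
    ndirs_off, dirs_off = (108, 112) if pe32plus else (92, 96)
    (ndirs,) = struct.unpack_from("<I", data, opt + ndirs_off)
    security_size = 0
    if ndirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        _va, security_size = struct.unpack_from(
            "<II", data, opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    flags = {name: bool(dllchar & bit) for name, bit in IMAGE_DLLCHARACTERISTICS.items()}
    return {
        "format": "PE32+" if pe32plus else "PE32",
        "flags": flags,
        # True means the finding fires (the protection is missing), as in the table above.
        "findings": {
            "CHECK_NX": not flags["NX_COMPAT"],
            "CHECK_PIE": not flags["DYNAMIC_BASE"],
            "CHECK_AUTHENTICODE": security_size == 0,
        },
    }


def build_minimal_pe(pe32plus: bool, dll_characteristics: int, security_size: int) -> bytes:
    """Constructed header-only image for testing: DOS header, signature, COFF header, optional header."""
    opt_size = 240 if pe32plus else 224   # fixed part plus 16 data directories
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x0002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 0x46, dll_characteristics)
    ndirs_off, dirs_off = (108, 112) if pe32plus else (92, 96)
    struct.pack_into("<I", opt, ndirs_off, 16)
    struct.pack_into("<II", opt, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0, security_size)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:
        props = pe_security_properties(f.read())
    print(props["format"], props["flags"])
    for check, fires in props["findings"].items():
        print(check, "missing" if fires else "present")
```

A non-zero Security directory only says that a signature blob is attached; it says nothing about whether it verifies or who signed it. Absent NX_COMPAT and DYNAMIC_BASE on a 2024 build is worth noting on its own, since current Microsoft toolchains set both by default, so their absence points to an old or unusual build configuration or a packer stub.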
