MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 12db6f77d235f0af6461a490040f23e1dc902385de317cd19b5478df425f2ec0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 12db6f77d235f0af6461a490040f23e1dc902385de317cd19b5478df425f2ec0
SHA3-384 hash: c2f5cbf67a9bdeb5de2c7c4bc63a28024aa12c2b9a554773b8a8cec715718807c6b0dc2c6cc694616bc2d5953a38ca94
SHA1 hash: 609f491429520427dd4b8034ea0f313481e19b43
MD5 hash: b6ccb153be2baeb540e487cf5d52ee0b
humanhash: jersey-wisconsin-oscar-nine
File name:SuperEnjoy.exe
Download: download sample
File size:1'051'648 bytes
First seen:2021-02-06 20:34:16 UTC
Last seen:2021-02-06 20:34:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5877688b4859ffd051f6be3b8e0cd533 (119 x Babadeda, 2 x DCRat, 2 x RedLineStealer)
ssdeep 24576:KTTsFdCYHmXIz2MYLjtAuiy6vNr7r688ZQ:cTuHPz2MYYyu1SQ
Threatray 242 similar samples on MalwareBazaar
TLSH 6D25E1FA77AA0295F8619833D855C1FA1603CF9443B1E69607CDFC1BB40A6738B5B22D
Reporter Anonymous
Tags:filecoder Ransomware


Avatar
Anonymous
Batch Filecoder, sends the password through a Webhook and "create" a fake bitcoin account, copy itself in startup menu, haves random version info like please openme or new realistic software.

Intelligence

File Origin
# of uploads :
2
# of downloads :
228
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
12db6f77d235f0af6461a490040f23e1dc902385de317cd19b5478df425f2ec0.zip
Verdict:
Malicious activity
Analysis date:
2021-02-07 07:06:28 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d2ca1c63-9ada-46b9-adfc-a4aec9b6d675

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/115937/
Detection(s):
PUA.Win.Packer.Purebasic-2
Create hunting rule

SecuriteInfo.com.BAT.KillWin.dropper.1184.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Launching a process
Enabling the 'hidden' option for analyzed file
Creating a process from a recently created file
Creating a window
DNS request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Searching for the window
Creating a file
Launching cmd.exe command interpreter
Enabling the 'hidden' option for recently created files
Sending a UDP request
Launching a tool to kill processes
Forced shutdown of a system process
Forced shutdown of a browser
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/601152
Signature
Binary is likely a compiled AutoIt script file
Creates files in the system32 config directory
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 349595 Sample: SuperEnjoy.exe Startdate: 06/02/2021 Architecture: WINDOWS Score: 80 57 Multi AV Scanner detection for dropped file 2->57 59 Multi AV Scanner detection for submitted file 2->59 61 Obfuscated command line found 2->61 63 2 other signatures 2->63 8 SuperEnjoy.exe 10 2->8         started        12 SuperEnjoy.exe 2->12         started        process3 dnsIp4 45 C:\Users\user\AppData\Local\...\aescrypt.exe, PE32 8->45 dropped 47 C:\Users\user\...\DiscordSendWebhook.exe, PE32 8->47 dropped 69 Detected unpacking (overwrites its own PE header) 8->69 15 cmd.exe 3 3 8->15         started        55 192.168.2.1 unknown unknown 12->55 49 C:\Windows\Temp\1810.tmp\aescrypt.exe, PE32 12->49 dropped 51 C:\Windows\Temp\...\DiscordSendWebhook.exe, PE32 12->51 dropped 18 cmd.exe 12->18         started        file5 signatures6 process7 file8 71 Obfuscated command line found 15->71 21 DiscordSendWebhook.exe 1 15->21         started        25 cmd.exe 15->25         started        27 DiscordSendWebhook.exe 1 15->27         started        35 9 other processes 15->35 43 C:\Windows\System32\config\...\cryptormsg.hta, HTML 18->43 dropped 73 Creates files in the system32 config directory 18->73 29 DiscordSendWebhook.exe 18->29         started        31 conhost.exe 18->31         started        33 attrib.exe 18->33         started        37 7 other processes 18->37 signatures9 process10 dnsIp11 53 discord.com 162.159.128.233, 443, 49727, 49729 CLOUDFLARENETUS United States 21->53 65 Binary is likely a compiled AutoIt script file 21->65 67 Obfuscated command line found 25->67 39 cmd.exe 25->39         started        41 findstr.exe 25->41         started        signatures12 process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/12db6f77d235f0af6461a490040f23e1dc902385de317cd19b5478df425f2ec0/
Threat name:
Win32.Ransomware.FileCoder
Create hunting rule
Status:
Malicious
First seen:
2021-02-06 20:35:07 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
385d985b4b30f4e6abe301be1d8d91582a6f8bb9d73f8753721c8f48a1250abb
3ae3550b6baf30136ce9b846725c3322f23ee8428c2984750a2cfe02843993e9
3eb825e55857afc9c56dd4357f4223632fb5f5bb96d3acff8e444278e373eefb
6b9866969b0dcd61b84d7251526d527c48226564d6681db44bacc9c538538d35
7570a7a6830ade05dcf862d5862f12f12445dbd3c0ad7433d90872849e11c267
83946c44e144416c6c321a02db9482c7de37073f1a1814a5525504794af402bc
90929f4e6bd28d6a197fef323930502ac1a3dcc9de8d4dba02dc6702fd570e14
bf8e538a1d561cdae7c44e0e722e114c9f9e71bf30a6aa1ddbfca6d4998796ba
de7e679cc16da78f63136976deda7c04ca9fc86f31f16989c5e2385011546034
ef98f9fd8e48c339bbb625437f4a19966c58c47f0e79e99ac320027debb9c9c3
+ 232 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
evasion ransomware spyware
Link:
https://tria.ge/reports/210206-q3rsxwt1ba/
Behaviour
Creates scheduled task(s)
Kills process with taskkill
Modifies Internet Explorer settings
Modifies registry class
Script User-Agent
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Reads user/profile data of web browsers
Executes dropped EXE
Sets file to hidden
Unpacked files
SH256 hash:
b116ff00546620a598119d6704e9849393d2f9948fc8888d6ddf6211aa5b80b9
MD5 hash:
fb7a78f485ec2586c54d60d293dd5352
SHA1 hash:
d4e1f1061f7a872f9843e44c7d27d13ba7ef71bb
Link:
https://www.unpac.me/results/6d644a3b-2a18-400a-863f-a8962a07a0f2/
SH256 hash:
993c755e43045f98e4975a8ae1e11996af3717507dc21d88a2a81b79fd121fe2
MD5 hash:
9920cf73e80fbf318b357ddbacfe2484
SHA1 hash:
ff94269e0ae8a7099f2b65dd7b1d3279a9b0a514
Link:
https://www.unpac.me/results/6d644a3b-2a18-400a-863f-a8962a07a0f2/
SH256 hash:
64fd57fa497a3fd43de4f84b4bba41e423823c8db7ca57d9ef2cdd0617c7bf1b
MD5 hash:
606f03eb43edd0ae7f75538c27fa907a
SHA1 hash:
92d75e20809c73a9e69c5ced88e76084eebcffb0
Link:
https://www.unpac.me/results/6d644a3b-2a18-400a-863f-a8962a07a0f2/
SH256 hash:
266949ac2768ba4e7da0f94077d286a08475d2a332b9b777d570b6c3d6c83bf8
MD5 hash:
4d2ee4f942536f411b5ddc9d0b8171f5
SHA1 hash:
6945096f72094b315e6be0a999850939448ee021
Link:
https://www.unpac.me/results/6d644a3b-2a18-400a-863f-a8962a07a0f2/
SH256 hash:
2eadd6c8ed9fb4ac46c493f98b1b46d12338301230e2880125cec645dc514cd2
MD5 hash:
909c3f37a0d1740b9ab3f61e89d0b12b
SHA1 hash:
468cdb39977dc9da5bcb76b9f749b5b83c8fcb62
Link:
https://www.unpac.me/results/6d644a3b-2a18-400a-863f-a8962a07a0f2/
SH256 hash:
ad80064f71d273967dcf0b14b9cd6e84d79a132231d619687d9266c7807bdfe0
MD5 hash:
a35ee23aaab26afc575ac83df9572b57
SHA1 hash:
81ea38c694ce9702faddfb961f17c1bbf628a76d
Link:
https://www.unpac.me/results/6d644a3b-2a18-400a-863f-a8962a07a0f2/
SH256 hash:
e37aa72bca3cecb9bdbe51cbd81ec1143bb17163088a1379a4ccb93f5d881e76
MD5 hash:
5cac4fe734fc8454ccb847e030beee38
SHA1 hash:
34298fe220e35f614b2c837cf1dc2604ab0882d6
Link:
https://www.unpac.me/results/6d644a3b-2a18-400a-863f-a8962a07a0f2/
SH256 hash:
12db6f77d235f0af6461a490040f23e1dc902385de317cd19b5478df425f2ec0
MD5 hash:
b6ccb153be2baeb540e487cf5d52ee0b
SHA1 hash:
609f491429520427dd4b8034ea0f313481e19b43
Link:
https://www.unpac.me/results/6d644a3b-2a18-400a-863f-a8962a07a0f2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
CoinMiner
Score:
0.60
Link:
https://yomi.yoroi.company/submissions/12db6f77d235f0af6461a490040f23e1dc902385de317cd19b5478df425f2ec0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 12db6f77d235f0af6461a490040f23e1dc902385de317cd19b5478df425f2ec0

(this sample)

anyrun
any.run
https://app.any.run/tasks/ced4f2f4-0a49-4e23-b274-bf4302141317
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/115937/

Comments