MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 14c9d0fb3da03dbd8095865240e1b3456a78ab740b1b46526573992b48eed0cf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 14c9d0fb3da03dbd8095865240e1b3456a78ab740b1b46526573992b48eed0cf
SHA3-384 hash: bdee2baade793c59e795e336dd0df32b79f6d5c85f8704d1df37b2512dfd4eb955d9eedc584ee25403f93564853d16a9
SHA1 hash: 5bcb121b332e585a3ba5eddb0f597983a38b7eea
MD5 hash: 64ac0a421038d1a91c0f640a048f8a4c
humanhash: venus-music-sixteen-butter
File name:64ac0a421038d1a91c0f640a048f8a4c
Download: download sample
File size:4'950'528 bytes
First seen:2021-06-23 23:42:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3a8508231435dfd6183ee32ac4b6e12a
ssdeep 98304:pk8O2GhZut/+mMI1Wc+aKuD5oOroEk2VdG+VzqNsMMhWqwu:Ah0m4bKM53osKm4sIu
Threatray 2'006 similar samples on MalwareBazaar
TLSH ED362363222421C9D5E6CC358D3BFDD0B1F65ABBCA81587966DEB9C53832AF0D203953
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
85
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Minecraft Cheat.rar
Verdict:
Malicious activity
Analysis date:
2021-06-23 20:00:28 UTC
Tags:
trojan rat redline stealer evasion loader miner
Link:
https://app.any.run/tasks/3a0a247e-fa68-4f38-bce7-0ff8c53c047b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.37131739.10629.32164.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/95e496e4-0252-4562-8144-65029e3b5730
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/806944
Signature
Connects to many ports of the same IP (likely port scanning)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction which cause usermode exception
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 439355 Sample: I8OPuvPgT6 Startdate: 24/06/2021 Architecture: WINDOWS Score: 100 44 Multi AV Scanner detection for dropped file 2->44 46 Multi AV Scanner detection for submitted file 2->46 48 May check the online IP address of the machine 2->48 50 6 other signatures 2->50 7 I8OPuvPgT6.exe 32 2->7         started        12 System.exe 28 2->12         started        process3 dnsIp4 40 start.mil.ug 91.208.127.63, 21, 49737, 49738 AVTOSOYUZ-PLUS-ASRU Ukraine 7->40 42 iplogger.org 88.99.66.31, 443, 49734, 49735 HETZNER-ASDE Germany 7->42 34 C:\ProgramData\Microsoft Network\System.exe, PE32 7->34 dropped 36 C:\ProgramData\...\System.exe:Zone.Identifier, ASCII 7->36 dropped 52 Query firmware table information (likely to detect VMs) 7->52 54 May check the online IP address of the machine 7->54 56 Tries to detect virtualization through RDTSC time measurements 7->56 14 WerFault.exe 23 9 7->14         started        18 conhost.exe 7->18         started        58 Hides threads from debuggers 12->58 60 Tries to detect sandboxes / dynamic malware analysis system (registry check) 12->60 20 cmd.exe 1 12->20         started        22 cmd.exe 1 12->22         started        24 WerFault.exe 19 9 12->24         started        26 conhost.exe 1 12->26         started        file5 signatures6 process7 file8 38 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 14->38 dropped 62 Tries to evade analysis by execution special instruction which cause usermode exception 14->62 28 conhost.exe 20->28         started        30 taskkill.exe 1 20->30         started        32 conhost.exe 22->32         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/14c9d0fb3da03dbd8095865240e1b3456a78ab740b1b46526573992b48eed0cf/
Threat name:
Win32.Dropper.Scrop
Create hunting rule
Status:
Malicious
First seen:
2021-06-21 12:14:25 UTC
AV detection:
14 of 29 (48.28%)
Threat level:
  3/5
Verdict:
unknown
Similar samples:
0f0eb4a8a538f339214f86a8b084d685a4fb51d54f258f5718393003ab1ff35b
34b09f16fa6e9789bda97d9bd512ac7f49e235982db9d65109a4078ab3567bcf
593f9422a79559ab792b98a272ebd5db883b8a85f34de6a6f05f1c900b221dc5
6ef31a13d71d059d6e007fb2305c8e2d7615c3d468c9f2f4e023b45490b50787
7499c45e246fe759ff4180bd864252689b1cbadc7825d007c7e25aa39c6a4450
7f588ecbff9405b87fa5b809b52d0b667f19a09e47bafc2cf1f5f9d5f19f16c1
7fb4f8f5f89b3fb2a4e9a6605763436ebb679198ee5ebbcde8972bb1e20a8da5
c120fd3e62a0ecd299625f3fbf622fb8a56b534828b6788fe766f1bc36ac7a68
f1aae79787fff8edd5f6769ebecf43eb5a94d392cb3723810a66dd9868ec2925
fb8a2b78f0d3139d8192dbeb925e8e8d13bf370540f2c7853107a8e4b3beac38
+ 1'996 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion themida trojan
Link:
https://tria.ge/reports/210623-y6n7r5gem6/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Checks BIOS information in registry
Drops startup file
Loads dropped DLL
Themida packer
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SH256 hash:
5302b0a66138fd30f2e33497bb8fe0dbe578107e320c3fd39dc2814f95b20263
MD5 hash:
2561bc1d541bf8396187bd46acc0ccc4
SHA1 hash:
abe270f5f152e85bbec8c0978d6ad2a2092c5c63
Link:
https://www.unpac.me/results/23e35111-e28b-4829-9985-90d3da315620/
SH256 hash:
14c9d0fb3da03dbd8095865240e1b3456a78ab740b1b46526573992b48eed0cf
MD5 hash:
64ac0a421038d1a91c0f640a048f8a4c
SHA1 hash:
5bcb121b332e585a3ba5eddb0f597983a38b7eea
Link:
https://www.unpac.me/results/23e35111-e28b-4829-9985-90d3da315620/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.64
Link:
https://yomi.yoroi.company/submissions/14c9d0fb3da03dbd8095865240e1b3456a78ab740b1b46526573992b48eed0cf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 14c9d0fb3da03dbd8095865240e1b3456a78ab740b1b46526573992b48eed0cf

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1392919/

Comments