MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 15d06d1741cc8b5495da9c79c6f630e33060e80c73da9666500f6f0bdf5ff259. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Signature: Hive
Vendor detections: 7



SHA256 hash: 15d06d1741cc8b5495da9c79c6f630e33060e80c73da9666500f6f0bdf5ff259
SHA3-384 hash: 21b562d8fa59e5253fc2e80c36c0f9af668991f232672591ef17267f7b0fee71d2fb82581afae4b422897553fcb20d57
SHA1 hash: aa090944875fb9bd5b1e8b3775592eea5ceeb186
MD5 hash: 095715a96975ef7b9e17d0a39739e0cc
humanhash: victor-floor-victor-bacon
File name: SecuriteInfo.com.Trojan.GenericKD.38892578.15975.7472
Signature: Hive
File size: 4'040'368 bytes
First seen: 2022-02-09 01:51:06 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 33c89a460d0a7a26f62cecfd5bf3ebb1 (1 x CobaltStrike, 1 x Hive)
ssdeep: 98304:E4qF9pTQkaj59ejBOWzjTCgeH6i9rDKUkd:LqF9pknj59SjPe5Zkd
Threatray: 761 similar samples on MalwareBazaar
TLSH: T1AF16121B22D4AA9BD17617B23D2639120B717C770DA18269F10F7352887294ECF3BBA5
dhash icon: d8e2339ee6dadae2 (1 x Hive)
Reporter: SecuriteInfoCom
Tags: exe Hive signed

Code Signing Certificate

Organisation: Logitech Z-906
Issuer: Logitech Z-906
Algorithm: sha1WithRSAEncryption
Valid from: 2021-12-02T17:49:44Z
Valid to: 2031-12-03T17:49:44Z
Serial number: 454f68c4614e039041e5af851cb9dc28
Intelligence: 6 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint algorithm: SHA256
Thumbprint: d66eaf03204931fd078dcbd330cdbe4098d68284ecd7bc5009d3a21b37641b3f
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 1
# of downloads: 250
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: SecuriteInfo.com.Trojan.GenericKD.38892578.15975.7472
Verdict: No threats detected
Analysis date: 2022-02-09 01:58:30 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Searching for analyzing tools
Running batch commands
Creating a process with a hidden window
Launching a process
Launching the process to change the firewall settings
Creating synchronization primitives
Moving a system file
Creating a file
Enabling the 'hidden' option for analyzed file
Using the Windows Management Instrumentation requests
DNS request
Moving of the original file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending a TCP request to an infection source
Sending an HTTP POST request to an infection source
Replacing the hosts file
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: overlay packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: RedLine
Detection: malicious
Classification: troj.adwa.spyw.evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
Creates an autostart registry key pointing to binary in C:\Windows
Creates multiple autostart registry keys
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Machine Learning detection for dropped file
Modifies the hosts file
Modifies the windows firewall
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
Query firmware table information (likely to detect VMs)
Sigma detected: Accessing WinAPI in PowerShell. Code Injection.
Sigma detected: CobaltStrike Process Patterns
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Remote Thread Created
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Uses cmd line tools excessively to alter registry or file data
Uses ipconfig to lookup or modify the Windows network settings
Uses known network protocols on non-standard ports
Uses netsh to modify the Windows network and firewall settings
Uses whoami command line tool to query computer and username
Yara detected RedLine Stealer
Behaviour
Behavior Graph (graph image not reproduced): Behavior Graph ID: 569002; Sample: SecuriteInfo.com.Trojan.Gen...; Startdate: 09/02/2022; Architecture: WINDOWS; Score: 100
Graph nodes name the top-level signatures (Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; Yara detected RedLine Stealer; 11 other signatures), the contacted hosts api.ip.sb and 185.112.83.96 (ports 20001, 49713, 49714; SUPERSERVERSDATACENTERRU, Russian Federation), the dropped files C:\Windows\1644404839.exe (PE32) and C:\Windows\System32\drivers\etc\hosts (ASCII), and a process tree of the sample (SecuriteInfo.com.Trojan.GenericKD.38892578.15975.exe), RTHDCPL.exe, cmd.exe, conhost.exe, powershell.exe, whoami.exe, reg.exe and WMIC.exe.
Threat name: Win64.Trojan.Mamson
Status: Malicious
First seen: 2022-02-04 20:35:00 UTC
File type: PE+ (Exe)
Extracted files: 26
AV detection: 23 of 43 (53.49%)
Threat level: 5/5

Result
Malware family: n/a
Score: 9/10
Tags: evasion persistence spyware stealer themida trojan
Behaviour
Gathers network information
GoLang User-Agent
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks whether UAC is enabled
Checks BIOS information in registry
Reads user/profile data of web browsers
Themida packer
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
Modifies Windows Firewall
Sets file to hidden
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Unpacked files
SHA256 hash: 15d06d1741cc8b5495da9c79c6f630e33060e80c73da9666500f6f0bdf5ff259
MD5 hash: 095715a96975ef7b9e17d0a39739e0cc
SHA1 hash: aa090944875fb9bd5b1e8b3775592eea5ceeb186
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: adonunix2
Author: Tim Brown @timb_machine
Description: AD on UNIX

Rule name: GoBinTest

Rule name: golang

Rule name: Golangmalware
Author: Dhanunjaya
Description: Malware in Golang

Rule name: HiveRansomware
Author: Dhanunjaya
Description: Yara Rule To Detect Hive V4 Ransomware

Rule name: identity_golang
Author: Eric Yocam
Description: find Golang malware

Rule name: INDICATOR_EXE_Packed_Themida
Author: ditekSHen
Description: Detects executables packed with Themida

Rule name: INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Author: ditekSHen
Description: Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Hive
File: Executable exe 15d06d1741cc8b5495da9c79c6f630e33060e80c73da9666500f6f0bdf5ff259 (this sample)

Delivery method: Distributed via web download

Comments