MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 18f4123ee42f5a29f8df7bd1cf95ab73441f082584f390aa218c2dd1134f4055. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 18f4123ee42f5a29f8df7bd1cf95ab73441f082584f390aa218c2dd1134f4055
SHA3-384 hash: 3d4e117185187a6b2ce02f71f33a4588b86c9bd5cfd28f7e8b8736b313d9714af649e42a8873a91ee48c77bca74cc8c7
SHA1 hash: 2a937328f5b99eccb9b8c13ed71d6ffb9dff4521
MD5 hash: d5f9fa1a8dca5319432f51a5891f7794
humanhash: leopard-avocado-eight-blue
File name:d5f9fa1a8dca5319432f51a5891f7794.exe
Download: download sample
File size:7'454'208 bytes
First seen:2020-09-20 03:46:55 UTC
Last seen:2020-09-20 04:43:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 3243b13e562279ab7fbe2f31e45d3a95 (1 x PoisonIvy, 1 x Worm.Ramnit)
ssdeep 196608:TfavVYaolX+aFFLlPKQ8hY/RkQWslX4ge+:TiYaolrFFEHYu3sSge
Threatray 1'893 similar samples on MalwareBazaar
TLSH 49763366992D4DCBDA320C72CDF3D0745779EE174F0204A7A40ABBCB057AB882E1D6D8
Reporter abuse_ch
Tags:exe Ransomware

Intelligence

File Origin
# of uploads :
2
# of downloads :
188
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/63814/
Detection(s):
PUA.Win.Packer.Upolyx-12
Create hunting rule

PUA.Win.Packer.Upx-4
Create hunting rule

PUA.Win.Packer.Upx-48
Create hunting rule

PUA.Win.Malware.Generic-6651521-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file
Creating a process from a recently created file
Creating a process with a hidden window
Sending a UDP request
Using the Windows Management Instrumentation requests
Launching a service
Launching a process
Searching for the window
Changing a file
Creating a file in the Program Files subdirectories
Delayed writing of the file
Launching a tool to kill processes
Forced shutdown of a browser
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/470706
Signature
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Writes many files with high entropy
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 287786 Sample: o5KUBSvNmh.exe Startdate: 20/09/2020 Architecture: WINDOWS Score: 84 48 Malicious sample detected (through community Yara rule) 2->48 50 Antivirus / Scanner detection for submitted sample 2->50 52 Multi AV Scanner detection for submitted file 2->52 8 o5KUBSvNmh.exe 3 2->8         started        process3 file4 38 C:\ProgramData\o5KUBSvNmh.exe, PE32 8->38 dropped 54 Detected unpacking (changes PE section rights) 8->54 12 o5KUBSvNmh.exe 503 8->12         started        signatures5 process6 file7 40 C:\Program Files (x86)\AutoIt3\...\autoit.xml, COM 12->40 dropped 42 C:\...\Built-In Building Blocks.dotx.zhen, data 12->42 dropped 44 C:\Users\...\Built-In Building Blocks.dotx, data 12->44 dropped 46 171 other files (165 malicious) 12->46 dropped 56 Multi AV Scanner detection for dropped file 12->56 58 Detected unpacking (changes PE section rights) 12->58 60 Writes many files with high entropy 12->60 16 taskkill.exe 1 12->16         started        18 taskkill.exe 1 12->18         started        20 taskkill.exe 1 12->20         started        22 4 other processes 12->22 signatures8 process9 process10 24 conhost.exe 16->24         started        26 conhost.exe 18->26         started        28 conhost.exe 20->28         started        30 conhost.exe 22->30         started        32 conhost.exe 22->32         started        34 conhost.exe 22->34         started        36 conhost.exe 22->36         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/18f4123ee42f5a29f8df7bd1cf95ab73441f082584f390aa218c2dd1134f4055/
Threat name:
Win32.Dropper.Dapato
Create hunting rule
Status:
Malicious
First seen:
2020-09-19 01:42:20 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
23 of 29 (79.31%)
Threat level:
  3/5
Verdict:
malicious
Similar samples:
04fb4d7876dc1e4c31448a62dbc77223b453fb6abd187c92f51658807c21eaa5
284f5d7c77eab431e6dd8bdd9e508bbd1e2e3dc467b40f68b834b1a437061061
737539c5bc7f7aebd3a226f4342a23435bfe14a41dfa0a603698804157c28270
9a44822008b9184aa988783e60654bf9d9311cb43fe96711e7cfe7aaf4e7756b
a9892834c6f030fd7a292b213a39270e2fc991b6c9287fff73b540dd2b36e290
cf02bb3aa058cc571d6c3368f98a96fefa3db05a813ea479d002edc1c3cbdb95
dedad3d7a97da9f0103dd87d86a422e38f581879c41ab07594d141eb303d2de9
e2784c7f18addfe3cf107b35eae017eb8d02025fec8bc9d235a7ba598fcd9b62
f0b010d2806270e9a60da3658f2d033deed57a55ad883e7ab179c243bd5371be
fd2f15ef992f18f206d53d8d162ae4385f283e433bc038e1e61fb81686f2b4de
+ 1'883 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/200920-7h42b8j7sj/
Behaviour
Kills process with taskkill
Modifies Control Panel
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Checks processor information in registry
Enumerates system info in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Drops file in Program Files directory
Modifies service
Sets desktop wallpaper using registry
Drops file in System32 directory
Modifies service
Adds Run key to start application
Loads dropped DLL
Modifies file permissions
Reads user/profile data of web browsers
Executes dropped EXE
Modifies extensions of user files
Possible privilege escalation attempt
Executes dropped EXE
Deletes Windows Defender Definitions
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Ransomware
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/18f4123ee42f5a29f8df7bd1cf95ab73441f082584f390aa218c2dd1134f4055

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Impacket
Create hunting rule
Author:@bartblaze
Description:Identifies Impacket, a collection of Python classes for working with network protocols.
Reference:https://github.com/SecureAuthCorp/impacket
Rule name:Impacket_Keyword
Create hunting rule
Author:Florian Roth
Description:Detects Impacket Keyword in Executable
Reference:Internal Research
Rule name:Impacket_Lateral_Movement
Create hunting rule
Author:Markus Neis
Description:Detects Impacket Network Aktivity for Lateral Movement
Reference:https://github.com/CoreSecurity/impacket
Rule name:Impacket_Tools_Generic_1
Create hunting rule
Author:Florian Roth
Description:Compiled Impacket Tools
Reference:https://github.com/maaaaz/impacket-examples-windows
Rule name:Impacket_Tools_psexec
Create hunting rule
Author:Florian Roth
Description:Compiled Impacket Tools
Reference:https://github.com/maaaaz/impacket-examples-windows
Rule name:PE_File_pyinstaller
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Description:Detect PE file produced by pyinstaller
Reference:https://isc.sans.edu/diary/21057
Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 18f4123ee42f5a29f8df7bd1cf95ab73441f082584f390aa218c2dd1134f4055

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/63814/
  
URLhaus
https://urlhaus.abuse.ch/url/568468/
  
Delivery method
Distributed via web download

Comments