MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1c958bc2a268ce3f104a35882f694f8bead71015937bfb99b0986400ab29d703. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 4


Intelligence 4 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1c958bc2a268ce3f104a35882f694f8bead71015937bfb99b0986400ab29d703
SHA3-384 hash: e48c3dc5eaf2abd779267a92400bbd0541a40be5a1cf47b31b99283aa8b255d41da3ed66ea0c9b9d02f930a8ef10523c
SHA1 hash: 7d6b0dd72dd6dd3261b0f30525c6860f86de012f
MD5 hash: c9915631dd271219bf51fe0a46a1d8ff
humanhash: xray-ink-potato-bravo
File name:c9915631_by_Libranalysis
Download: download sample
File size:126'976 bytes
First seen:2021-05-05 11:06:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6bfb12c0ac9e50aa509f27c55c68a1e2
ssdeep 3072:kx6AHjYzaFXg+w17jsgS/jHagQg12xiaV:kxzYzaFXi17j9
Threatray 5'080 similar samples on MalwareBazaar
TLSH 9FC31A0F6FC5A3E2E76912F167874CD909272B8C6D5A25E3636846D72D20B1128FB31F
Reporter Libranalysis


Avatar
Libranalysis
Uploaded as part of the sample sharing project

Intelligence

File Origin
# of uploads :
1
# of downloads :
80
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/150480/
Detection(s):
Win.Malware.KazekageGaara-7111282-1
Create hunting rule

Win.Malware.Ulise-9806846-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the Windows subdirectories
Creating a file in the Windows directory
Creating a process from a recently created file
Creating a process with a hidden window
Searching for the window
Searching for analyzing tools
Changing critical settings of the Internet Explorer browser
Blocking the User Account Control
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Changing the Windows explorer settings to hide files extension
Blocking the System Restore
Changing the Windows explorer settings
Blocking a possibility to launch for the Windows registry editor (regedit.exe)
Enabling autorun with the shell\open\command registry branches
Enabling autorun
Enabling a "Do not show hidden files" option
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/880169ee-a830-4d56-b3d5-db0a2ceddc5b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1c958bc2a268ce3f104a35882f694f8bead71015937bfb99b0986400ab29d703/
Threat name:
Win32.Trojan.Zusy
Create hunting rule
Status:
Malicious
First seen:
2020-05-03 08:13:25 UTC
AV detection:
42 of 48 (87.50%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
08e12f6b9796ad1f47062ea86ec73c496028660f61a9917008cce9004fb1d48b
1db568f6ff72a35878d8772fa11e25a64d2b38447580fba8bdbee9c1b946a621
57aa81416cfdbd76df2a15cb14810f8529ecab0eea978210a4ef3047f35a225e
5eb158bf47ebe6172da19eff3f5924634a91a4e10186b352ada8b027e1c3c527
60fe4a1f0ed577bfa8d10195a3d1123b0a7ab551d3579686ee6ac6bc18282fe5
6812d44b05455b4503ffa118b62d3810304f3867b528042985dc6ebc834ebdfc
7570a7a6830ade05dcf862d5862f12f12445dbd3c0ad7433d90872849e11c267
afc0c4fac5a07e2fedcb05e47c0f45572fe4689b403290c8db833cad34fb1a36
d3aa9fd1ed4af3cc3a49e612b93a03f799ada340c1c086f7403448fe77115bb1
d4dadc7dc5e003905cdd8f287bec1c4d751d8d9913689cb0894feb999917d791
+ 5'070 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence ransomware trojan
Link:
https://tria.ge/reports/210505-sxlg92vkhj/
Behaviour
Modifies Control Panel
Modifies Internet Explorer settings
Modifies registry class
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Drops file in Windows directory
Drops autorun.inf file
Drops file in System32 directory
Sets desktop wallpaper using registry
Adds Run key to start application
Checks whether UAC is enabled
Drops desktop.ini file(s)
Enumerates connected drives
Loads dropped DLL
Disables RegEdit via registry modification
Disables use of System Restore points
Drops file in Drivers directory
Executes dropped EXE
Sets file execution options in registry
Modifies WinLogon for persistence
Modifies visibility of file extensions in Explorer
Modifies visiblity of hidden/system files in Explorer
UAC bypass
Unpacked files
SH256 hash:
5a5a0f8ebf54713d953023317161aa4c832400271adc2da956885d43a26973d1
MD5 hash:
caa5ed7198f73283a1b64bb1feb80a1a
SHA1 hash:
7d388c56329f833bd832de2b62260eba962209e9
Link:
https://www.unpac.me/results/073c2126-a616-4bc0-9f8e-5bba0143fb69/
SH256 hash:
1c958bc2a268ce3f104a35882f694f8bead71015937bfb99b0986400ab29d703
MD5 hash:
c9915631dd271219bf51fe0a46a1d8ff
SHA1 hash:
7d6b0dd72dd6dd3261b0f30525c6860f86de012f
Link:
https://www.unpac.me/results/073c2126-a616-4bc0-9f8e-5bba0143fb69/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/150480/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-05 13:31:12 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0009.029] Anti-Behavioral Analysis::Instruction Testing