MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1fa8b306a98b3aa8e3338e4f3e80c036feb16b18163778cf9433115cbd8ea8e9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mimic


Vendor detections: 16


Intelligence 16 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1fa8b306a98b3aa8e3338e4f3e80c036feb16b18163778cf9433115cbd8ea8e9
SHA3-384 hash: e2205506f15f82ce0728cfed6245c99610b40f60bdd734c2bb116566867045cefcef6d890d0b5727b43380c059f4871d
SHA1 hash: d466e9fb8302c07973e9835b252359fe63e0c999
MD5 hash: cf50063a3105d27ba3063575bdf494d6
humanhash: potato-happy-oxygen-neptune
File name:1fa8b306a98b3aa8e3338e4f3e80c036feb16b18163778cf9433115cbd8ea8e9
Download: download sample
Signature Mimic
Create hunting rule
File size:2'675'520 bytes
First seen:2024-10-17 18:06:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f6baa5eaa8231d4fe8e922a2e6d240ea (61 x CoinMiner, 22 x DCRat, 15 x LummaStealer)
ssdeep 49152:wgwRXifu1DBgutBPNv4gYlMiokURXK02xaRQBBKhPyla3Crg1Qew1v4Chp/:wgwRXvguPPl4gYlrokhpxxKhPybrQQPh
Threatray 12 similar samples on MalwareBazaar
TLSH T106C5330137E38779D0C409FFA75461522EB9A62B0F3144D78BC40E165AB5ADAFA3E3E4
TrID 38.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
24.6% (.EXE) Win64 Executable (generic) (10522/11/4)
11.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.5% (.EXE) Win32 Executable (generic) (4504/4/1)
4.7% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter JAMESWT_WT
Tags:cyberfear-com exe Mimic Ransomware

Intelligence

File Origin
# of uploads :
1
# of downloads :
522
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
datastore@cyberfear.com_no gui.exe
Verdict:
Malicious activity
Analysis date:
2024-09-04 19:30:52 UTC
Tags:
xor-url generic mimic ransomware
Link:
https://app.any.run/tasks/91178843-159b-4ca8-8e22-5b9dd82206bc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Ransomware.Mimic-10014123-0
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6711524b34f884d15c8c6cd5
Tags:
Powershell Gumen
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
epmicrosoft_visual_cc fingerprint installer keylogger lolbin microsoft_visual_cc mimic overlay packed ransomware rijndael shell32
Link:
https://www.filescan.io/uploads/6711524b7f0507a8d2418ffd/reports/dc410c86-4fbd-45d4-bba9-03998ddebb1d/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/1fa8b306a98b3aa8e3338e4f3e80c036feb16b18163778cf9433115cbd8ea8e9
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Mimic Ransomware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/42eb5caa-df58-415f-af03-5135633dfa5a
Result
Threat name:
Mimic, TrojanRansom
Create hunting rule
Detection:
malicious
Classification:
rans.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1536336
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Contains functionality to register a low level keyboard hook
Creates an undocumented autostart registry key
Found potential ransomware demand text
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potentially malicious time measurement code found
Yara detected Mimic Ransomware
Yara detected TrojanRansom
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1536336 Sample: b2fQYhRMtJ.exe Startdate: 17/10/2024 Architecture: WINDOWS Score: 100 82 Malicious sample detected (through community Yara rule) 2->82 84 Antivirus / Scanner detection for submitted sample 2->84 86 Multi AV Scanner detection for dropped file 2->86 88 6 other signatures 2->88 14 b2fQYhRMtJ.exe 8 2->14         started        18 PIDAR.exe 2->18         started        process3 file4 74 C:\Users\user\AppData\...verything32.dll, PE32 14->74 dropped 76 C:\Users\user\AppData\...verything.exe, PE32 14->76 dropped 78 C:\Users\user\AppData\Local\Temp\...\7za.exe, PE32 14->78 dropped 112 Contains functionality to register a low level keyboard hook 14->112 20 datastore@cyberfear.com_no gui.exe 2 11 14->20         started        24 7za.exe 6 14->24         started        26 cmd.exe 1 14->26         started        28 7za.exe 1 14->28         started        signatures5 process6 file7 60 C:\Users\user\AppData\Local\...\PIDAR.exe, PE32 20->60 dropped 62 C:\Users\user\AppData\...verything32.dll, PE32 20->62 dropped 64 C:\Users\user\AppData\...verything.exe, PE32 20->64 dropped 72 3 other files (1 malicious) 20->72 dropped 92 Creates an undocumented autostart registry key 20->92 94 Found potential ransomware demand text 20->94 30 PIDAR.exe 20->30         started        66 C:\...\datastore@cyberfear.com_no gui.exe, PE32 24->66 dropped 68 C:\Users\user\AppData\Local\Temp\...\DC.exe, PE32 24->68 dropped 70 C:\Users\user\AppData\Local\Temp\...\xdel.exe, PE32 24->70 dropped 33 conhost.exe 24->33         started        35 conhost.exe 26->35         started        37 conhost.exe 28->37         started        signatures8 process9 signatures10 106 Multi AV Scanner detection for dropped file 30->106 108 Found potential ransomware demand text 30->108 110 Potentially malicious time measurement code found 30->110 39 PIDAR.exe 30->39         started        process11 signatures12 98 Found potential ransomware demand text 39->98 42 PIDAR.exe 39->42         started        process13 signatures14 102 Found potential ransomware demand text 42->102 45 PIDAR.exe 42->45         started        process15 signatures16 104 Found potential ransomware demand text 45->104 48 PIDAR.exe 45->48         started        process17 signatures18 80 Found potential ransomware demand text 48->80 51 PIDAR.exe 48->51         started        process19 signatures20 90 Found potential ransomware demand text 51->90 54 PIDAR.exe 51->54         started        process21 signatures22 96 Found potential ransomware demand text 54->96 57 PIDAR.exe 54->57         started        process23 signatures24 100 Found potential ransomware demand text 57->100
Score:
89%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/1fa8b306a98b3aa8e3338e4f3e80c036feb16b18163778cf9433115cbd8ea8e9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1fa8b306a98b3aa8e3338e4f3e80c036feb16b18163778cf9433115cbd8ea8e9/
Threat name:
Win32.Ransomware.Mimic
Create hunting rule
Status:
Malicious
First seen:
2024-09-06 16:18:10 UTC
File Type:
PE (Exe)
Extracted files:
38
AV detection:
22 of 38 (57.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=d6ulgbvjrm5kryztrzht5agag37lc2yycy3xrt4ugmivzpmovduq._file
Verdict:
malicious
Label(s):
mimicransomware
Create hunting rule
admintool_powerrun
Create hunting rule
Similar samples:
1280eee88bc188622bceadd8a427c5f5e242ddfd175c378b3d828e5e7a0d66ca
Mimic
1dd3edb673a05c19521b785935f8e803ec5f3104883db80f1a671182e23c4274
Mimic
8ca51ea9c184a9158e890bdefc538f7c49cfbbd33c19f3fadca0c03490a5b707
Mimic
a44d817c29c97f1418de7f456bd7609c37c774e90f83947b317260a87c48bedd
Mimic
ad9fcfa1fd3f2dfbf14aab9de3d95608bbb03ec07c52a40f55f9b9380d054fbc
Mimic
+ 2 additional samples on MalwareBazaar
Result
Malware family:
mimic
Create hunting rule
Score:
  10/10
Tags:
family:mimic discovery evasion execution persistence ransomware trojan
Link:
https://tria.ge/reports/241017-wqbc6s1cpq/
Behaviour
Checks SCSI registry key(s)
Modifies registry class
Opens file in notepad (likely ransom note)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Enumerates connected drives
Power Settings
Checks computer location settings
Deletes itself
Executes dropped EXE
Loads dropped DLL
Modifies system executable filetype association
Windows security modification
Deletes System State backups
Event Triggered Execution: Image File Execution Options Injection
Modifies boot configuration data using bcdedit
Renames multiple (9182) files with added filename extension
Detects Mimic ransomware
Mimic
Modifies security service
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/3678df4c-6149-4aca-8730-073316b2b6fb
Unpacked files
SH256 hash:
d7c3d9e42084f4319428f4624d8f1f9e707d758c1d95f0a6c1b39bc913fd5f8b
MD5 hash:
7e0ed5c2eda1b54c016f6ff95737fd59
SHA1 hash:
e322ba47cd719e1f05f50e6df709a707378519b0
Detections:
Detect_Mimic_Ransomware
Create hunting rule
INDICATOR_SUSPICIOUS_ClearWinLogs
Create hunting rule
INDICATOR_SUSPICIOUS_GENRansomware
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
INDICATOR_SUSPICIOUS_USNDeleteJournal
Create hunting rule
Link:
https://www.unpac.me/results/19e3cbca-8af5-4358-a3bb-ca9ba151cff7/
SH256 hash:
8d43f38e4960a25f3bff15e1d720706a78d92e70ab3d376d69ef48d52f3d19d2
MD5 hash:
89b8ea47dfa63c0dc7c2a7e811d034a5
SHA1 hash:
9a3895f83ff9c051069858ce6daa8663d481b822
Detections:
AutoIT_Compiled
Create hunting rule
INDICATOR_TOOL_PET_DefenderControl
Create hunting rule
Link:
https://www.unpac.me/results/19e3cbca-8af5-4358-a3bb-ca9ba151cff7/
Parent samples :
1280eee88bc188622bceadd8a427c5f5e242ddfd175c378b3d828e5e7a0d66ca
1fa8b306a98b3aa8e3338e4f3e80c036feb16b18163778cf9433115cbd8ea8e9
279dbb1984d32a99caf4a0b82a1519e1bacabed43af723398c631a7d17352fe9
SH256 hash:
fc3b89a4db0e53d3c2a740a8bdc52d8b77420996a973d7ae702792eac51ad909
MD5 hash:
e5f8c44a04a917cf9b203a975f98ff7b
SHA1 hash:
6ccc2f0c15e2899eb16859d3665f0a46a854d8b8
Detections:
Detect_Mimic_Ransomware
Create hunting rule
INDICATOR_SUSPICIOUS_ClearWinLogs
Create hunting rule
INDICATOR_SUSPICIOUS_GENRansomware
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
INDICATOR_SUSPICIOUS_USNDeleteJournal
Create hunting rule
Link:
https://www.unpac.me/results/19e3cbca-8af5-4358-a3bb-ca9ba151cff7/
SH256 hash:
91059b88b1ef536836dd70853c7de88639f5220fe0438416a72cee7d86ecd871
MD5 hash:
a7d38b39dc40fd2f545c49e8f02bcc31
SHA1 hash:
dab67f863986a2532a296d7a2649612121b371a3
Link:
https://www.unpac.me/results/19e3cbca-8af5-4358-a3bb-ca9ba151cff7/
SH256 hash:
32092b0374f613e8933893979993d820edda2974a501ca5fed47d9718833ec10
MD5 hash:
4bbff5a8b45e5f79c47d682173beca9f
SHA1 hash:
d5c4bd9f37951853eb8dbbabc921bff8be9f89d0
Link:
https://www.unpac.me/results/19e3cbca-8af5-4358-a3bb-ca9ba151cff7/
SH256 hash:
124e7a5b74b4c213fcf7115b98b382c98ad9a46c4f04b4a273b2a58c644dffd8
MD5 hash:
6d1eaaef5e00b3151d1d757093a22201
SHA1 hash:
5af79717807a0542ae53d0e2924524a84c8f743d
Link:
https://www.unpac.me/results/19e3cbca-8af5-4358-a3bb-ca9ba151cff7/
SH256 hash:
14cd6e6bfc0f16547123dbe512311a14719dd572d1ff1e70714767769d96309d
MD5 hash:
01e89e41a74554f2b19d57cbc4d572db
SHA1 hash:
9812e40334f7f016022802e16875f007d85f1ac5
Detections:
AutoIT_Compiled
Create hunting rule
INDICATOR_TOOL_PET_DefenderControl
Create hunting rule
Link:
https://www.unpac.me/results/19e3cbca-8af5-4358-a3bb-ca9ba151cff7/
SH256 hash:
8c9b41f9190a6d9ccf66881f5b78787d484918b3f064f0c509e1450939dd56dd
MD5 hash:
91a0babd29d140b404d9458591769a61
SHA1 hash:
47b1e9810198379d53535d673b8fbb31735450bc
Link:
https://www.unpac.me/results/19e3cbca-8af5-4358-a3bb-ca9ba151cff7/
SH256 hash:
d6215be42e7c44e926fec9d61a4f9fd892c57f9f6f60d99cfb182d9162764b2d
MD5 hash:
f4a8b54c5da90225a113e70e62254fde
SHA1 hash:
8837691169c23b195c02a79ce09060e2f2428221
Link:
https://www.unpac.me/results/19e3cbca-8af5-4358-a3bb-ca9ba151cff7/
SH256 hash:
9dc17242f1db11e98abe583a838e5f33b078038f1b3ed745a30d18c8017f1c0c
MD5 hash:
cd66aef6a4f52cb6132a74866f59fa37
SHA1 hash:
683820145480834294b7b63f3b153b954751ee37
Link:
https://www.unpac.me/results/19e3cbca-8af5-4358-a3bb-ca9ba151cff7/
SH256 hash:
1fa8b306a98b3aa8e3338e4f3e80c036feb16b18163778cf9433115cbd8ea8e9
MD5 hash:
cf50063a3105d27ba3063575bdf494d6
SHA1 hash:
d466e9fb8302c07973e9835b252359fe63e0c999
Link:
https://www.unpac.me/results/19e3cbca-8af5-4358-a3bb-ca9ba151cff7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1fa8b306a98b3aa8e3338e4f3e80c036feb16b18163778cf9433115cbd8ea8e9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
CHECK_TRUST_INFORequires Elevated Execution (uiAccess:None)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::FreeSid
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
ole32.dll::CreateStreamOnHGlobal
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::CheckTokenMembership
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteW
SHELL32.dll::ShellExecuteExW
SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetDriveTypeW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetStartupInfoA
KERNEL32.dll::GetDiskFreeSpaceExW
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::AssignProcessToJobObject
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::GetSystemDirectoryW
KERNEL32.dll::GetFileAttributesW
KERNEL32.dll::FindFirstFileW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::CreateWindowExA
USER32.dll::CreateWindowExW

Comments