MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 279dbb1984d32a99caf4a0b82a1519e1bacabed43af723398c631a7d17352fe9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: Mimic
Vendor detections: 16

SHA256 hash: 279dbb1984d32a99caf4a0b82a1519e1bacabed43af723398c631a7d17352fe9
SHA3-384 hash: 8fdaf08d16b0c2af2faac302e3e62367bb656726c2486289068bc580e0b18279d3b2ec897d3fe50594ddeaedccb72925
SHA1 hash: 0bb791b555684804334bcf75a5013d9625b9edb6
MD5 hash: 6e5c33671c42d3c85f7b629a50ae7d9b
humanhash: yankee-triple-sodium-juliet
File name: mimic
Signature: Mimic
File size: 2'592'996 bytes
First seen: 2024-11-13 13:25:39 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f6baa5eaa8231d4fe8e922a2e6d240ea (66 x CoinMiner, 22 x DCRat, 15 x LummaStealer)
ssdeep: 49152:wgwRVifu1DBgutBPNkByRxgX6kzTbcPIMpD+fTVR8u:wgwRVvguPPm0RDuXfTVRl
Threatray: 15 similar samples on MalwareBazaar
TLSH: T136C5331B3B6285F6E4D81DB31395BA624E74F7791B06D4C3D3E0066819E63C0AF7B21A
TrID: 38.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      24.6% (.EXE) Win64 Executable (generic) (10522/11/4)
      11.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
      10.5% (.EXE) Win32 Executable (generic) (4504/4/1)
      4.7% (.EXE) OS/2 Executable (generic) (2029/13)
Magika: pebin
Reporter: JAMESWT_WT
Tags: exe Mimic Ransomware

Intelligence


File Origin
# of uploads: 1
# of downloads: 4'800
Origin country: IT
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: mimic
Verdict: Malicious activity
Analysis date: 2024-11-13 13:39:08 UTC
Tags: mimic ransomware

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.9%
Tags: filecrypt gumen
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Creating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file
Adding an access-denied ACE
Running batch commands
Searching for the window
Using the Windows Management Instrumentation requests
Modifying a system file
Replacing files
Launching a service
Launching a process
Creating a file in the Windows subdirectories
Sending a UDP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun with the shell\open\command registry branches
Blocking the Windows Defender launch
Enabling autorun
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: fingerprint installer keylogger microsoft_visual_cc mimic overlay packed packer_detected ransomware
Malware family: Mimic Ransomware
Verdict: Malicious
Result
Threat name: n/a
Detection: malicious
Classification: rans.spre.spyw.expl.evad
Score: 100 / 100
Signature
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Connects to many different private IPs (likely to spread or exploit)
Connects to many different private IPs via SMB (likely to spread or exploit)
Contains functionality to detect sleep reduction / modifications
Contains functionality to register a low level keyboard hook
Creates an Image File Execution Options (IFEO) Debugger entry
Creates an undocumented autostart registry key
Disables UAC (promptonsecuredesktop)
Disables UAC (registry)
Found stalling execution ending in API Sleep call
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
May encrypt documents and pictures (Ransomware)
Modifies existing user documents (likely ransomware behavior)
Modifies Group Policy settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potentially malicious time measurement code found
Spreads via Windows shares (copies files to share folders)
Writes many files with high entropy
Yara detected RansomwareGeneric18
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph (ID: 1555147, sample: mimic.exe, start date: 13/11/2024, architecture: WINDOWS, score: 100)

Signatures on the start node: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for dropped file; 4 other signatures

Process tree (dropped files and signatures listed under the process they belong to; indentation shows parent/child):

mimic.exe
  dropped: C:\Users\user\AppData\...verything32.dll (PE32); C:\Users\user\AppData\...verything.exe (PE32); C:\Users\user\AppData\Local\Temp\...\7za.exe (PE32); C:\Users\user\AppData\...verything64.dll (7-zip)
  signatures: Contains functionality to register a low level keyboard hook; Writes many files with high entropy
  2024x100.exe
    dropped: C:\Users\user\AppData\...\soyezpruden.exe (PE32); C:\Users\user\AppData\...verything32.dll (PE32); C:\Users\user\AppData\...verything.exe (PE32); 5 other files (3 malicious)
    signatures: Multi AV Scanner detection for dropped file; Creates an undocumented autostart registry key; Machine Learning detection for dropped file; 2 other signatures
    soyezpruden.exe
      signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Writes many files with high entropy; Potentially malicious time measurement code found
      soyezpruden.exe -> soyezpruden.exe -> soyezpruden.exe -> soyezpruden.exe -> soyezpruden.exe -> soyezpruden.exe -> soyezpruden.exe (chain of seven re-spawned instances, each started by the previous one)
  7za.exe
    dropped: C:\Users\user\AppData\Local\Temp\...\DC.exe (PE32); C:\Users\user\AppData\Local\...\2024x100.exe (PE32); C:\Users\user\AppData\Local\...\sdel64.exe (PE32+); C:\Users\user\AppData\Local\Temp\...\sdel.exe (PE32)
    conhost.exe
  cmd.exe
    conhost.exe
  7za.exe
    conhost.exe
soyezpruden.exe
  dropped: C:\Users\...S_session_storei.EncryptedDATA (data); C:\Users\...\ActivitiesCache.db.EncryptedDATA (data); C:\...\ActivitiesCache.db-wal.EncryptedDATA (data); 6 other malicious files
  signatures: Connects to many different private IPs via SMB (likely to spread or exploit); Connects to many different private IPs (likely to spread or exploit); Spreads via Windows shares (copies files to share folders)
  cmd.exe
    DC.exe
      signatures: Allocates memory in foreign processes
    conhost.exe
soyezpruden.exe
gpscript.exe
Threat name: Win32.Ransomware.Mimic
Status: Malicious
First seen: 2024-03-27 15:26:22 UTC
File Type: PE (Exe)
Extracted files: 38
AV detection: 23 of 38 (60.53%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:mimic discovery evasion execution persistence ransomware trojan
Behaviour
Checks SCSI registry key(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Checks whether UAC is enabled
Enumerates connected drives
Power Settings
Checks computer location settings
Deletes itself
Executes dropped EXE
Loads dropped DLL
Modifies system executable filetype association
Windows security modification
Deletes System State backups
Event Triggered Execution: Image File Execution Options Injection
Modifies boot configuration data using bcdedit
Renames multiple (170) files with added filename extension
Detects Mimic ransomware
Mimic
Mimic family
Modifies security service
UAC bypass
Verdict: Malicious
Tags: Win.Ransomware.Mimic-10014123-0
YARA: n/a
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

ID                 | Title                                                    | Severity
CHECK_AUTHENTICODE | Missing Authenticode                                     | high
CHECK_NX           | Missing Non-Executable Memory Protection                 | critical
CHECK_PIE          | Missing Position-Independent Executable (PIE) Protection | high
CHECK_TRUST_INFO   | Requires Elevated Execution (uiAccess:None)              | high

Reviews

ID                | Capabilities                      | Evidence
AUTH_API          | Manipulates User Authorization    | ADVAPI32.dll::AllocateAndInitializeSid, ADVAPI32.dll::FreeSid
COM_BASE_API      | Can Download & Execute components | ole32.dll::CoCreateInstance, ole32.dll::CreateStreamOnHGlobal
SECURITY_BASE_API | Uses Security Base API            | ADVAPI32.dll::CheckTokenMembership
SHELL_API         | Manipulates System Shell          | SHELL32.dll::ShellExecuteW, SHELL32.dll::ShellExecuteExW, SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_API | Can Create Process and Threads    | KERNEL32.dll::CreateProcessW, KERNEL32.dll::CloseHandle, KERNEL32.dll::CreateThread
WIN_BASE_API      | Uses Win Base API                 | KERNEL32.dll::LoadLibraryA, KERNEL32.dll::GetDriveTypeW, KERNEL32.dll::GetStartupInfoW, KERNEL32.dll::GetStartupInfoA, KERNEL32.dll::GetDiskFreeSpaceExW, KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_API | Can Execute other programs        | KERNEL32.dll::AssignProcessToJobObject
WIN_BASE_IO_API   | Can Create Files                  | KERNEL32.dll::CreateDirectoryW, KERNEL32.dll::CreateFileW, KERNEL32.dll::DeleteFileW, KERNEL32.dll::GetSystemDirectoryW, KERNEL32.dll::GetFileAttributesW, KERNEL32.dll::FindFirstFileW
WIN_USER_API      | Performs GUI Actions              | USER32.dll::CreateWindowExA, USER32.dll::CreateWindowExW

Comments