MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 298fcf39cde2191fbc65a448cf80de3fa26e74fbcd7e2c2f0af669c5df975963. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 298fcf39cde2191fbc65a448cf80de3fa26e74fbcd7e2c2f0af669c5df975963
SHA3-384 hash: aa9c337e7c59acd23baeb8edef77ed50177fa9a06434cdd8ae694a85987d2cd36f6cb8b625b37a8680a014b0f8e578ff
SHA1 hash: cf2fd7caca48692aab8fbaf9cfed7e2dcea654da
MD5 hash: 5c542bb595ddf1a9f8cf27c633642b4f
humanhash: lima-nine-whiskey-carpet
File name:5c542bb5_by_Libranalysis
Download: download sample
File size:10'527'583 bytes
First seen:2021-05-03 14:01:23 UTC
Last seen:2021-05-03 15:01:03 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash eb5bc6ff6263b364dfbfb78bdb48ed59 (54 x Adware.Generic, 18 x RaccoonStealer, 8 x Adware.ExtenBro)
ssdeep 196608:w5dAiknZL3WdYV5uB6jvoDMOQYiZfrQ8B+WiikaC/V:NLqYV5BjgXviZfM80Pikas
Threatray 2 similar samples on MalwareBazaar
TLSH 13B623277258A03FC49A77354673B27044FB6EBDE817AE1626E0F18CCF721811E3A665
Reporter Libranalysis


Avatar
Libranalysis
Uploaded as part of the sample sharing project

Intelligence

File Origin
# of uploads :
2
# of downloads :
95
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/148524/
Detection(s):
PUA.Win.Packer.Exe-6
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Searching for the window
Creating a file in the Program Files subdirectories
Moving a file to the Program Files subdirectory
Sending a UDP request
Creating a file
DNS request
Launching the default Windows debugger (dwwin.exe)
Connection attempt to an infection source
Sending an HTTP POST request to an infection source
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/708135
Signature
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 402987 Sample: 5c542bb5_by_Libranalysis Startdate: 03/05/2021 Architecture: WINDOWS Score: 96 39 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->39 41 Multi AV Scanner detection for domain / URL 2->41 43 Antivirus detection for URL or domain 2->43 45 4 other signatures 2->45 8 5c542bb5_by_Libranalysis.exe 2 2->8         started        process3 file4 27 C:\Users\...\5c542bb5_by_Libranalysis.tmp, PE32 8->27 dropped 11 5c542bb5_by_Libranalysis.tmp 25 33 8->11         started        process5 file6 29 C:\Program Files (x86)\DynaPDF\is-6LQAC.tmp, PE32 11->29 dropped 31 C:\Program Files (x86)\DynaPDF\is-637S9.tmp, PE32 11->31 dropped 33 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 11->33 dropped 35 7 other files (none is malicious) 11->35 dropped 14 FilesInspector.exe 11->14         started        17 wmfdist.exe 11->17         started        process7 dnsIp8 37 grigblog.club 104.21.84.93, 49711, 80 CLOUDFLARENETUS United States 14->37 19 WerFault.exe 3 9 14->19         started        21 WerFault.exe 20 9 14->21         started        23 WerFault.exe 9 14->23         started        25 3 other processes 14->25 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/298fcf39cde2191fbc65a448cf80de3fa26e74fbcd7e2c2f0af669c5df975963/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-05-01 01:19:00 UTC
AV detection:
8 of 29 (27.59%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
50e25133fb38cd007ff5095978f8426734e7e2680c95cf34ff710291decc8eaa
ff5d04582ebc24f95416e178c35178b30db559438b66848afe8038e4028c07ab
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery upx
Link:
https://tria.ge/reports/210503-ffas3l8qpx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Checks installed software on the system
Loads dropped DLL
Executes dropped EXE
UPX packed file
Unpacked files
SH256 hash:
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
MD5 hash:
a69559718ab506675e907fe49deb71e9
SHA1 hash:
bc8f404ffdb1960b50c12ff9413c893b56f2e36f
Link:
https://www.unpac.me/results/c696bb9d-cbd8-4e99-bfff-afb1f128c190/
SH256 hash:
44b8e6a310564338968158a1ed88c8535dece20acb06c5e22d87953c261dfed0
MD5 hash:
9c8886759e736d3f27674e0fff63d40a
SHA1 hash:
ceff6a7b106c3262d9e8496d2ab319821b100541
Link:
https://www.unpac.me/results/c696bb9d-cbd8-4e99-bfff-afb1f128c190/
SH256 hash:
1ba277b3cc7f7609eb6d45faa436fa4737b0011123a409412cc452d2b3117b16
MD5 hash:
1246e8ed2df8c55d7f9b829551ad5244
SHA1 hash:
06eec97c29f69b44d4a65a2e9e7f01995dafbb5c
Link:
https://www.unpac.me/results/c696bb9d-cbd8-4e99-bfff-afb1f128c190/
SH256 hash:
298fcf39cde2191fbc65a448cf80de3fa26e74fbcd7e2c2f0af669c5df975963
MD5 hash:
5c542bb595ddf1a9f8cf27c633642b4f
SHA1 hash:
cf2fd7caca48692aab8fbaf9cfed7e2dcea654da
Link:
https://www.unpac.me/results/c696bb9d-cbd8-4e99-bfff-afb1f128c190/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/298fcf39cde2191fbc65a448cf80de3fa26e74fbcd7e2c2f0af669c5df975963

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/148524/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-03 15:15:28 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0001.032] Anti-Behavioral Analysis::Timing/Delay Check GetTickCount
1) [B0009.029] Anti-Behavioral Analysis::Instruction Testing
2) [B0009] Anti-Behavioral Analysis::Virtual Machine Detection
3) [C0027.009] Cryptography Micro-objective::RC4::Encrypt Data
4) [C0021.004] Cryptography Micro-objective::RC4 PRGA::Generate Pseudo-random Sequence
5) [C0021] Cryptography Micro-objective::Generate Pseudo-random Sequence
6) [C0032.001] Data Micro-objective::CRC32::Checksum
7) [C0026.002] Data Micro-objective::XOR::Encode Data
9) [C0046] File System Micro-objective::Create Directory
10) [C0048] File System Micro-objective::Delete Directory
11) [C0047] File System Micro-objective::Delete File
12) [C0049] File System Micro-objective::Get File Attributes
13) [C0052] File System Micro-objective::Writes File
14) [C0007] Memory Micro-objective::Allocate Memory
15) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
16) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
17) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
18) [C0017.003] Process Micro-objective::Create Suspended Process::Create Process
19) [C0017] Process Micro-objective::Create Process
20) [C0038] Process Micro-objective::Create Thread
21) [C0041] Process Micro-objective::Set Thread Local Storage Value
22) [C0055] Process Micro-objective::Suspend Thread
23) [C0018] Process Micro-objective::Terminate Process