MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2ca6095540ff0d50021a7191653b2d002cf1a4122330ecbd4e1891c67849e1b0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 8

Intelligence 8 IOCs YARA 3 File information Comments

SHA256 hash:	2ca6095540ff0d50021a7191653b2d002cf1a4122330ecbd4e1891c67849e1b0
SHA3-384 hash:	5872e5ae78f1016289a7326a595038111f53d8569982741aac2862c0124b312e05733d72528a21bcfde436fdef603b97
SHA1 hash:	1dc9ab9c0ae9e13998abbafea4ee8ee1cf756624
MD5 hash:	490bf41a0a17b9ba420fb0318d1da377
humanhash:	don-minnesota-cold-idaho
File name:	synaptics.exe
Download:	download sample
File size:	766'976 bytes
First seen:	2022-02-10 21:56:45 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	332f7ce65ead0adfb3d35147033aabe9 (81 x XRed, 18 x SnakeKeylogger, 7 x DarkComet)
ssdeep	12288:6MSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V92G:6nsJ39LyjbJkQFMhmC+6GD9
Threatray	41 similar samples on MalwareBazaar
TLSH	T140F47D32F2D19437D1721A3D9C5BA3A5982ABE512E38794E3BF81E4C5F3D68138252D3
Reporter	___
Tags:	exe synaptics

Intelligence

File Origin

# of uploads :

# of downloads :

298

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/240768/

Detection(s):

PUA.Win.Packer.D1s1g-5

PUA.Win.Packer.D1s1g-2

PUA.Win.Packer.D1s1g-1

Win.Trojan.Emotet-9850453-0

Win.Trojan.Generic-9936029-0

Win.Malware.Delf-6899401-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Creating a window

Searching for synchronization primitives

Creating a file

Enabling the 'hidden' option for recently created files

Creating a process from a recently created file

Creating a file in the %temp% directory

Moving a file to the %temp% directory

Modifying an executable file

DNS request

Sending an HTTP GET request

Sending a UDP request

Sending a custom TCP request

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Query of malicious DNS domain

Infecting executable files

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

cmd.exe control.exe emotet evasive greyware hacktool keylogger macros macros-on-close macros-on-open remote.exe shell32.dll

Link:

https://www.filescan.io/uploads/62058a39289e2f3e4fbe655b/reports/c21daa52-8b0f-4a59-be67-3068d575526a/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/bf61a1e6-53bf-4a90-b651-5959cf416f83

Result

Threat name:

Unknown

Detection:

malicious

Classification:

troj.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/938014

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Contains functionality to detect sleep reduction / modifications

Document contains an embedded VBA macro with suspicious strings

Document contains an embedded VBA with functions possibly related to ADO stream file operations

Document contains an embedded VBA with functions possibly related to HTTP operations

Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)

Drops PE files to the document folder of the user

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Uses dynamic DNS services

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2ca6095540ff0d50021a7191653b2d002cf1a4122330ecbd4e1891c67849e1b0/

Threat name:

Win32.Backdoor.DarkComet

Status:

Malicious

First seen:

2022-02-10 21:57:12 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

35 of 42 (83.33%)

Threat level:

5/5

Verdict:

malicious

3ecb471f2c1a3d3f33dbe47bc9457adfb09206948ec16c2d3f9c9a29f5b44508

5fa54622d0d5f5abbeec7e634d6c2d868984e8cfb20b8502757c2df8fe94f7c7

95272a070df2cf2988d238138d1eadcfeffe68e311d904f83969b2fd71b62f60

a3c743f00e4cf6e8a71132c43ecda56aa86a773df375c62bc7b347bdd05ea4c4

bd0d884649509aece899372e0bea6f6dbe833b463e35206753dae69a0bc60632

f1943befafa73351b7dad586f7ff686f2c099a5ebbbdb63bc4f16d67024fb17f

fa9e3e8282175677e1bf926361df6aa60510a6ba8d3d8857d9c9cd850d971d60

ff97bd0b382bcd07b0e71fd6249426a1d1246c52b07edd238eaa64136db737df

+ 31 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

persistence

Link:

https://tria.ge/reports/220210-1txg2ahch9/

Behaviour

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in Windows directory

Adds Run key to start application

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Unpacked files

SH256 hash:

2ca6095540ff0d50021a7191653b2d002cf1a4122330ecbd4e1891c67849e1b0

MD5 hash:

490bf41a0a17b9ba420fb0318d1da377

SHA1 hash:

1dc9ab9c0ae9e13998abbafea4ee8ee1cf756624

Link:

https://www.unpac.me/results/bceaf73c-7891-47de-a36e-8344bc69533e/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	downloader_macros Create hunting rule
Author:	ddvvmmzz
Description:	downloader macros

Rule name:	exec_macros Create hunting rule
Author:	ddvvmmzz
Description:	exec macros

Rule name:	obfuscate_macros Create hunting rule
Author:	ddvvmmzz
Description:	obfuscate macros

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/240768/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample