MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2d7099e54db4d0617fcd725de09e05cdd23479b87540b98c4fb90f517efb012e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2d7099e54db4d0617fcd725de09e05cdd23479b87540b98c4fb90f517efb012e
SHA3-384 hash: 3a5328494628cf3010b66c9c4f8fb185f23ee4cefa5a62f80d336d3e234585e6cc2ef6d44f4fe4ecaa5ab7a09a923a46
SHA1 hash: f6a623b4df32c716704fa30b6281916c5e744cac
MD5 hash: 782c2087dc0ba32c9debbaa7a06b47d3
humanhash: jersey-comet-coffee-alanine
File name:vpn_ico.exe
Download: download sample
File size:1'801'728 bytes
First seen:2021-02-26 22:22:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash baa93d47220682c04d92f7797d9224ce (139 x RiseProStealer, 26 x Xtrat, 18 x CoinMiner)
ssdeep 49152:nbtwdj0ia4BceLXYqodTWjOZh0wOpdFiM1fy8matAU:nbia4BceTYqodTeOwV51fGatAU
Threatray 210 similar samples on MalwareBazaar
TLSH 9A8523B9CBF5FDBAF4280076B819E53CABD54E14C9E41526E62FE04560A39C320F6D1B
Reporter JasonMilletary

Intelligence

File Origin
# of uploads :
1
# of downloads :
111
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
lv.bin
Verdict:
Malicious activity
Analysis date:
2021-02-26 19:51:54 UTC
Tags:
evasion opendir loader
Link:
https://app.any.run/tasks/e54e94c6-88cd-48dd-928f-370b5f504725

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/119548/
Detection(s):
SecuriteInfo.com.EXE.Obfus-4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for analyzing tools
Searching for the window
Creating a window
DNS request
Sending an HTTP GET request
Creating a file in the %temp% directory
Sending a custom TCP request
Creating a file
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/620243
Signature
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Hides threads from debuggers
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
PE file contains section with special chars
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2d7099e54db4d0617fcd725de09e05cdd23479b87540b98c4fb90f517efb012e/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-02-26 17:45:58 UTC
AV detection:
21 of 48 (43.75%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
00723545fff6ce259e729f8f1f9c7129e0d667502f94ef137bbbd9642ced4cc0
01c5ac824171a164473d92187f8031f2bc7103397fe534f56771d8e9589445e0
1a859f18a203b53f7c893f9e3d3cbfeb6bd9c0d479f1ddd5626ba4c9eb34e670
5a2f819b56fc962aa6f4e34d59eea86956299b3ff809ca166e404440b9af7ca6
8086d2b05316a9b44f55971a6c90da8ecb069d075973654f5f914229dc3070f6
9237e5cae5f698d5ad9f6c61af8bd866e599abb05f5bc49474d98e269a29a588
a8fe6d7fa624e8e96f71d3ff6375a012b44b51f06179feb7cef8c33fd6d38570
ccf0e52e21388ebfab406f10061864daf9bca0232a7eb09f1cd5b2a036853dbe
e68f17cfe87742103150ca9abd6cc16581caa6e0e0243d03fae2c89c2609c974
f05d76c071555f48ff240556f6d0d3d895493c3c411e182648d256f83ad657e5
+ 200 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion
Link:
https://tria.ge/reports/210226-d1mcdeceka/
Behaviour
Checks processor information in registry
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Identifies Wine through registry keys
Loads dropped DLL
Blocklisted process makes network request
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Unpacked files
SH256 hash:
2d7099e54db4d0617fcd725de09e05cdd23479b87540b98c4fb90f517efb012e
MD5 hash:
782c2087dc0ba32c9debbaa7a06b47d3
SHA1 hash:
f6a623b4df32c716704fa30b6281916c5e744cac
Link:
https://www.unpac.me/results/6419e87b-6486-419a-8be6-b84c9c31b97e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2d7099e54db4d0617fcd725de09e05cdd23479b87540b98c4fb90f517efb012e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Executable exe 5a2f819b56fc962aa6f4e34d59eea86956299b3ff809ca166e404440b9af7ca6

Executable exe 2d7099e54db4d0617fcd725de09e05cdd23479b87540b98c4fb90f517efb012e

(this sample)

  
Dropped by
SHA256 5a2f819b56fc962aa6f4e34d59eea86956299b3ff809ca166e404440b9af7ca6
Cape
Cape
https://www.capesandbox.com/analysis/119548/

Comments