MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2d80eb1f45fbbfa834211cb26597c463d3033217afa53cd9727f4030cf25e122. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 9



SHA256 hash: 2d80eb1f45fbbfa834211cb26597c463d3033217afa53cd9727f4030cf25e122
SHA3-384 hash: 9eeba3cb40a28a2b12413dd83b90c8e6de081971bf48c52f8ba69c9ff3def8501a5f0ba30d11959dee2fb56b5a8c8f28
SHA1 hash: 3e0d3be59c87628cedb99efb43b0d85ab1451b83
MD5 hash: 5a240bb6dcd0af07ba295025c2624d1a
humanhash: virginia-video-bravo-glucose
File name: SecuriteInfo.com.Trojan.Siggen12.58144.411.8319
File size: 8'704 bytes
First seen: 2021-03-27 19:31:06 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'602 x Formbook, 12'241 x SnakeKeylogger)
ssdeep: 192:gkhyFOoFY47Dd+h4+OrAZm88It9DWQL3MWj:gk1347Dd+hrOcl9VL3MW
Threatray: 19 similar samples on MalwareBazaar
TLSH: 1E02E905B3A48736D6FF0BB95DA382510334EB65BC16DBAE1CCD60966D23F8019E2335
Reporter: SecuriteInfoCom

Intelligence


File Origin
# of uploads: 1
# of downloads: 132
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: http://45.133.1.139/Manager/Temp/I7y5Xx4SOVBHpsIkBidDkDcw/YGMvbPHbCTUSnXdjYdjW2qyZ.exe
Verdict: Malicious activity
Analysis date: 2021-03-26 14:46:32 UTC
Tags: loader evasion trojan stealer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Connecting to a non-recommended domain
Creating a file
Creating a process from a recently created file
Sending a UDP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: SmokeLoader
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to a pastebin service (likely for C&C)
Creates a thread in another existing process (thread injection)
Creates HTML files with .exe extension (expired dropper behavior)
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Drops PE files to the document folder of the user
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Renames NTDLL to bypass HIPS
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected SmokeLoader
Behaviour
Behavior Graph: (the rendered graph is not recoverable from the page; only the node labels it carried are summarised here)
Behavior Graph ID: 376893
Sample: SecuriteInfo.com.Trojan.Sig...
Startdate: 27/03/2021
Architecture: WINDOWS
Score: 100
Network indicators named in the graph: pastebin.com; www.wws23dfwe.com (45.76.53.14, AS-CHOOPAUS, United States); hacking101.net; www.investinae.com; privacytoolsforyou.site; ukresonig.com; 10022020newfolder1002-0133251002202035.site (195.123.214.146, ITL-LV, Bulgaria); 10022020test136831-service1002012510022020.space (89.108.88.140, AGAVA3RU, Russian Federation); 10022020test125831-service1002012510022020.space; 91.139.196.113 (BULSATCOM-BG-AS, Bulgaria); 195.228.41.2 (MAGYAR-TELEKOM-MAIN-AS, Hungary); plus further IPs or domains that the graph only counts ("19 other IPs or domains" at the root node).
Process tree named in the graph: SecuriteInfo.com.Trojan.Siggen12.58144.411.exe and qwpSrYjrDwPj7V5B0T8ig9cM.exe start from the root; the first stage starts qwpSrYjrDwPj7V5B0T8ig9cM.exe, uQrWUCjB8NvED6DoETQWzUhT.exe, ofiWED64Ilwbb4uLZRRiGnx2.exe and two other processes; each stage drops further randomly named PE32 executables under C:\Users\... ("207 other malicious files" at the first stage) and starts several of them, giving a multi-level dropper chain; uQrWUCjB8NvED6DoETQWzUhT.exe injects into explorer.exe; ofiWED64Ilwbb4uLZRRiGnx2.exe starts WerFault.exe (crash).
Dropped files with a fixed path in the graph: C:\Users\user\AppData\Local\Temp\CC4F.tmp (PE32); C:\Users\user\AppData\Local\Temp\4DD3.tmp (PE32); C:\Users\user\AppData\Roaming\jhversi (PE32, dropped by the injected explorer.exe); C:\Users\user\AppData\Local\...\C3D4.tmp.exe (PE32); C:\Users\user\AppData\Local\...\77F5.tmp.exe (PE32); C:\Users\user\AppData\Local\...\Login Data1 (SQLite, alongside the browser-credential harvesting signature).
The signatures attached to graph nodes are the ones listed under Signature above.
Threat name: Win32.Trojan.Bulz
Status: Malicious
First seen: 2021-03-26 21:54:33 UTC
AV detection: 18 of 29 (62.07%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:raccoon family:redline family:smokeloader family:tofsee family:vidar botnet:afefd33a49c7cbd55d417545269920f24c85aa37 backdoor discovery evasion infostealer persistence stealer trojan
Behaviour
Checks SCSI registry key(s)
Kills process with taskkill
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Launches sc.exe
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Modifies file permissions
Creates new service(s)
Executes dropped EXE
Modifies Windows Firewall
Raccoon
RedLine
SmokeLoader
Suspicious use of NtCreateProcessExOtherParentProcess
Tofsee
Vidar
Malware Config
C2 Extraction:
http://10022020newfolder1002002131-service1002.space/
http://10022020newfolder1002002231-service1002.space/
http://10022020newfolder3100231-service1002.space/
http://10022020newfolder1002002431-service1002.space/
http://10022020newfolder1002002531-service1002.space/
http://10022020newfolder33417-01242510022020.space/
http://10022020test125831-service1002012510022020.space/
http://10022020test136831-service1002012510022020.space/
http://10022020test147831-service1002012510022020.space/
http://10022020test146831-service1002012510022020.space/
http://10022020test134831-service1002012510022020.space/
http://10022020est213531-service100201242510022020.ru/
http://10022020yes1t3481-service1002012510022020.ru/
http://10022020test13561-service1002012510022020.su/
http://10022020test14781-service1002012510022020.info/
http://10022020test13461-service1002012510022020.net/
http://10022020test15671-service1002012510022020.tech/
http://10022020test12671-service1002012510022020.online/
http://10022020utest1341-service1002012510022020.ru/
http://10022020uest71-service100201dom2510022020.ru/
http://10022020test61-service1002012510022020.website/
http://10022020test51-service1002012510022020.xyz/
http://10022020test41-service100201pro2510022020.ru/
http://10022020yest31-service100201rus2510022020.ru/
http://10022020rest21-service1002012510022020.eu/
http://10022020test11-service1002012510022020.press/
http://10022020newfolder4561-service1002012510022020.ru/
http://10022020rustest213-service1002012510022020.ru/
http://10022020test281-service1002012510022020.ru/
http://10022020test261-service1002012510022020.space/
http://10022020yomtest251-service1002012510022020.ru/
http://10022020yirtest231-service1002012510022020.ru/
http://xsss99.icu/upload/
http://bingooodsg.icu/upload/
http://junntd.xyz/upload/
http://ginessa11.xyz/upload/
http://overplayninsx.xyz/upload/
http://bananinze.com/upload/
http://daunimlas.com/upload/
Unpacked files
SHA256 hash: 2d80eb1f45fbbfa834211cb26597c463d3033217afa53cd9727f4030cf25e122
MD5 hash: 5a240bb6dcd0af07ba295025c2624d1a
SHA1 hash: 3e0d3be59c87628cedb99efb43b0d85ab1451b83

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
Author: ditekSHen
Description: Detects executables containing URLs to raw contents of a paste
Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name: Select_from_enumeration
Author: James_inthe_box
Description: IP and port combo

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Executable exe 2d80eb1f45fbbfa834211cb26597c463d3033217afa53cd9727f4030cf25e122 (this sample)
Delivery method: Distributed via web download
