MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3a64941353e52a3d8fb3bc898189a0d684b1a88a9c5fdbc496ef58738f42c444. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 8

SHA256 hash: 3a64941353e52a3d8fb3bc898189a0d684b1a88a9c5fdbc496ef58738f42c444
SHA3-384 hash: 88e1f080738e85aded5e5aed06b4f782cc4ee58bb002e0fa2be9eee4087147b5112dfec194014c994365a8635d29a7e1
SHA1 hash: bf1d475cfc6fdd656770b9d9cdac5342cafb9c2a
MD5 hash: c0e20d0b3011455a5f9ff9d7f5a39dd1
humanhash: leopard-lemon-snake-carbon
File name: 3a64941353e52a3d8fb3bc898189a0d684b1a88a9c5fdbc496ef58738f42c444
File size: 11'812'040 bytes
First seen: 2021-03-29 08:12:00 UTC
Last seen: 2021-03-29 08:43:40 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: bdc5a9caae3c3cac8c0aed5418f3c304
ssdeep: 196608:y9berPbn1E7KvCBbxj/SB8Dux5YV/DIYyLXH3:xn1EmCX/euVDIpXX
Threatray: 637 similar samples on MalwareBazaar
TLSH: D8C60101E9858973D8B3013552BB9BAB497AA9202715C5D3A7D43C387A707C17A3B3EF
Reporter: JAMESWT_WT
Tags: Bisoyetutu Ltd Ltd signed

Code Signing Certificate

Organisation: Bisoyetutu Ltd Ltd
Issuer: Sectigo RSA Code Signing CA
Algorithm: sha256WithRSAEncryption
Valid from: 2021-03-18T00:00:00Z
Valid to: 2022-03-18T23:59:59Z
Serial number: 262ca7ae19d688138e75932832b18f9d
Intelligence: 9 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm: SHA256
Thumbprint: 55dd0f160ab77ef1feff218774fe4760ed9f7b87ce650e95c76c04e15cd00b2a
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads: 2
# of downloads: 102
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 3a64941353e52a3d8fb3bc898189a0d684b1a88a9c5fdbc496ef58738f42c444
Verdict: Malicious activity
Analysis date: 2021-03-29 08:16:16 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Unauthorized injection to a recently created process
Launching cmd.exe command interpreter
Sending a UDP request
Launching a process
DNS request
Creating a file in the %temp% directory
Creating a file in the Program Files subdirectories
Creating a process from a recently created file
Sending a TCP request to an infection source
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file has nameless sections
Tries to detect virtualization through RDTSC time measurements
Behaviour
Behavior Graph: (graph image not reproduced; Behavior Graph ID: 377240, Sample: TH6erahmls, Startdate: 29/03/2021, Architecture: WINDOWS, Score: 100)
Process chain recovered from the graph: TH6erahmls.exe starts a second TH6erahmls.exe, which drops C:\Program Files (x86)\...\prun.exe and C:\Program Files (x86)\...\appsetup.exe (both PE32), adds a directory exclusion to Windows Defender, and launches several cmd.exe instances (plus 11 other processes) that in turn launch powershell.exe.
Network contacts recovered from the graph: t1.cloudshielding.xyz (195.181.169.92, port 443, CDN77GB, United Kingdom) and srv2.checkblanco.xyz.
Threat name: Win32.Trojan.Emotet
Status: Malicious
First seen: 2021-03-29 07:39:50 UTC
File Type: PE (Exe)
Extracted files: 58
AV detection: 11 of 48 (22.92%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: discovery persistence spyware stealer upx
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Modifies data under HKEY_USERS
Modifies system certificate store
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
UPX packed file
Unpacked files
SHA256 hash: 690ea9962032324bd608ad8633444f5b0c960b70be465e9ca3ec3a79ab85646b
MD5 hash: 9abe2771861a166516985426e1da17b6
SHA1 hash: 66f98c79c318e97ee11bd93c71f776ef2a3b2f5c
SHA256 hash: 3a64941353e52a3d8fb3bc898189a0d684b1a88a9c5fdbc496ef58738f42c444
MD5 hash: c0e20d0b3011455a5f9ff9d7f5a39dd1
SHA1 hash: bf1d475cfc6fdd656770b9d9cdac5342cafb9c2a
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments