MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3b87d209178da51dc473f3c63ba4bf1dd5435ca8b35f6c562d5d7614d3414eba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3b87d209178da51dc473f3c63ba4bf1dd5435ca8b35f6c562d5d7614d3414eba
SHA3-384 hash: d88e91b9f9d921c569f8c39be651dcc7e028eaa520edbcfb1f771659374435661210d6c6103d6161fe846a2fadc43c81
SHA1 hash: db6f83bf7fd8f386af36e7dec78d92dd66d38a31
MD5 hash: d394d11206884455bd32758865419a73
humanhash: finch-salami-purple-lactose
File name:3b87d209178da51dc473f3c63ba4bf1dd5435ca8b35f6c562d5d7614d3414eba
Download: download sample
File size:2'467'860 bytes
First seen:2021-02-28 15:40:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9a98f3ae58986838319f8f6033718417
ssdeep 49152:pnb082+IeoU/iNfsknArfL0GyM3Mm+z3jshvMl7VNce:9b0NuoY+00CYu3XvMl7VN5
Threatray 36 similar samples on MalwareBazaar
TLSH 33B533C65E109BE5E2015B7EF38F3EDE7A19AB342E4047E27616D891490387EB7970C2
Reporter c3rb3ru5d3d53c2


Avatar
c3rb3ru5d3d53c
@c3rb3ru5d3d53c Live Hunt

Intelligence

File Origin
# of uploads :
1
# of downloads :
547
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
3b87d209178da51dc473f3c63ba4bf1dd5435ca8b35f6c562d5d7614d3414eba
Verdict:
Malicious activity
Analysis date:
2021-02-28 15:42:34 UTC
Tags:
rat backdoor dcrat trojan evasion
Link:
https://app.any.run/tasks/9b4ac74b-14ac-452c-9c40-b595f1501542

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/120023/
Detection(s):
Win.Malware.Uztuby-9774369-0
Create hunting rule

Win.Dropper.Nanocore-9774881-0
Create hunting rule

Win.Malware.Uztuby-9797514-0
Create hunting rule

Win.Malware.Uztuby-9836295-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Sending a UDP request
Creating a file
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Launching a process
Creating a file in the Program Files subdirectories
Sending an HTTP GET request
DNS request
Sending a custom TCP request
Creating a file in the %temp% directory
Deleting a recently created file
Reading critical registry keys
Enabling the 'hidden' option for recently created files
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Blocking a possibility to launch for the Windows Task Manager (taskmgr)
Stealing user critical data
Creating a file in the mass storage device
Enabling autorun by creating a file
Enabling threat expansion on mass storage devices by creating the autorun.inf autorun file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/621396
Signature
.NET source code contains in memory code execution
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates multiple autostart registry keys
Detected VMProtect packer
Disables the Windows task manager (taskmgr)
Drops PE files with benign system names
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sample is protected by VMProtect
Sigma detected: System File Execution Location Anomaly
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 359690 Sample: TR9mQbdXjb Startdate: 28/02/2021 Architecture: WINDOWS Score: 100 73 Antivirus detection for dropped file 2->73 75 Antivirus / Scanner detection for submitted sample 2->75 77 Multi AV Scanner detection for submitted file 2->77 79 10 other signatures 2->79 13 TR9mQbdXjb.exe 3 6 2->13         started        17 scbkoWArWd.exe 2->17         started        19 csrss.exe 2->19         started        21 2 other processes 2->21 process3 file4 71 C:\drivercrt\kJ91X9n17bEumqaECHde.exe, PE32 13->71 dropped 93 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 13->93 95 Hides threads from debuggers 13->95 23 wscript.exe 1 13->23         started        97 Antivirus detection for dropped file 17->97 99 Machine Learning detection for dropped file 17->99 101 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 17->101 signatures5 process6 process7 25 cmd.exe 1 23->25         started        process8 27 kJ91X9n17bEumqaECHde.exe 6 25->27         started        30 conhost.exe 25->30         started        file9 69 C:\drivercrt\reviewruntime.exe, PE32 27->69 dropped 32 wscript.exe 1 27->32         started        process10 process11 34 cmd.exe 1 32->34         started        process12 36 reviewruntime.exe 4 11 34->36         started        40 reg.exe 34->40         started        42 conhost.exe 34->42         started        file13 61 C:\drivercrt\csrss.exe, PE32 36->61 dropped 63 C:\Recovery\scbkoWArWd.exe, PE32 36->63 dropped 65 C:\ProgramData\dbg\csrss.exe, PE32 36->65 dropped 67 2 other malicious files 36->67 dropped 81 Antivirus detection for dropped file 36->81 83 Machine Learning detection for dropped file 36->83 85 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 36->85 89 3 other signatures 36->89 44 csrss.exe 3 36->44         started        47 schtasks.exe 1 36->47         started        49 schtasks.exe 1 36->49         started        51 2 other processes 36->51 87 Disables the Windows task manager (taskmgr) 40->87 signatures14 process15 signatures16 91 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 44->91 53 conhost.exe 47->53         started        55 conhost.exe 49->55         started        57 conhost.exe 51->57         started        59 conhost.exe 51->59         started        process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3b87d209178da51dc473f3c63ba4bf1dd5435ca8b35f6c562d5d7614d3414eba/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-02-28 15:41:08 UTC
File Type:
PE (Exe)
Extracted files:
24
AV detection:
21 of 48 (43.75%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
148feabec33f94aece0555b58ff452996a62c1b1437b1a01aebef8541c80e3b6
1840872e8117b0efa252bc324ae2944d5c5b9242c928e3a568ccde06354eec35
6a25a9e6507be33ffb55afd80d51a2f00b761417f17ad6fe5399e36e78226c61
7125ff46ae7468216b1764b9e22b5811d4890f33a237776c6cbf22c8d8f09bbc
9410e496d1a29876d153d83af6cf3ffb21d7d072b476d6a8a28497e4b5f4ae63
bf375d5c15abb5c57b0cc3371a3537b79560fe82b1aff486afde752e05971ebb
c0258a01a5881d1f5de632d7617a0e225173696db23fb99f72ea1c84e6be396c
d2e32cba0f48d078bfbb00b65652d69b053136c31c85135217dce00aeed80a3c
edd956a7bc18bf82d3716d1b7a9a485c7ed665edd53cd9459580e005e2735c17
f6a307d243c407c27489de37adac83e9205be531cbb4e2cb71545627faf813fd
+ 26 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
evasion persistence spyware vmprotect
Link:
https://tria.ge/reports/210228-ls7as1pp36/
Behaviour
Creates scheduled task(s)
Modifies registry class
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
Disables Task Manager via registry modification
Executes dropped EXE
Unpacked files
SH256 hash:
93d9ce6291eb10f727da27c487816b29fcba1b907d252f94d11ea0c3a99175fa
MD5 hash:
c7fc3bcb573b112eca27af5ef7192cce
SHA1 hash:
e43a907bdaced88d3c4444844e72d2381e9f1ad7
Link:
https://www.unpac.me/results/7e7939f6-d7fb-4cf8-9b9d-37f5ff50817b/
SH256 hash:
3b87d209178da51dc473f3c63ba4bf1dd5435ca8b35f6c562d5d7614d3414eba
MD5 hash:
d394d11206884455bd32758865419a73
SHA1 hash:
db6f83bf7fd8f386af36e7dec78d92dd66d38a31
Link:
https://www.unpac.me/results/7e7939f6-d7fb-4cf8-9b9d-37f5ff50817b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3b87d209178da51dc473f3c63ba4bf1dd5435ca8b35f6c562d5d7614d3414eba

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with VMProtect.
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Link
https://www.virustotal.com/gui/file/3b87d209178da51dc473f3c63ba4bf1dd5435ca8b35f6c562d5d7614d3414eba/details
  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/120023/

Comments