MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3bd0eb640c37fb31423b560aeb5bf4f9f6117cb60c2a9e4509b7a0db80e0a092. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 8



SHA256 hash: 3bd0eb640c37fb31423b560aeb5bf4f9f6117cb60c2a9e4509b7a0db80e0a092
SHA3-384 hash: 5a3db8109e865be685c76afbc983dee17f39ae0ece8eaeafde2ae5cc2a6867c63c4b4ea6f48f0fffd21b02c773519fbe
SHA1 hash: 02868a443c1864bb0afbe0832545736bd538028f
MD5 hash: 1770a7731a4ea1030149e7f05cff1705
humanhash: muppet-neptune-spaghetti-nebraska
File name: keygen-step-4.exe
File size: 7'941'835 bytes
First seen: 2021-02-18 18:41:13 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: ae9f6a32bb8b03dce37903edbc855ba1 (28 x CryptOne, 18 x RedLineStealer, 15 x njrat)
ssdeep: 196608:K90XryNC3HMcOrcX4MPIJe9A1eGL+pieBJPE11ExWR:1iUDX4MQwA1PCpiey11Z
Threatray: 296 similar samples on MalwareBazaar
TLSH: 5D863371BAD60633C4A069390EFE7331997CBC615BB55EDB03F0912F5A781C0B928B96
Reporter: Anonymous

Intelligence

File Origin
# of uploads: 1
# of downloads: 96
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Advanced_Office_Password_keygen_by_Lz0.exe
Verdict: Malicious activity
Analysis date: 2020-11-24 20:29:01 UTC
Tags: trojan rat azorult stealer evasion socelars pony fareit vidar kpot phishing adware loader cracknet cracknet.net

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a file
Reading critical registry keys
Creating a file in the %AppData% subdirectories
DNS request
Sending a UDP request
Creating a file in the Program Files subdirectories
Deleting a recently created file
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Running batch commands
Sending an HTTP GET request to an infection source
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Threat name: Win32.Downloader.Upatre
Status: Malicious
First seen: 2020-11-24 20:52:32 UTC
AV detection: 23 of 29 (79.31%)
Threat level: 3/5

Result
Malware family:
Score: 10/10
Tags: family:plugx bootkit evasion macro persistence spyware trojan upx xlm
Behaviour
Checks SCSI registry key(s)
Kills process with taskkill
Modifies system certificate store
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Writes to the Master Boot Record (MBR)
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Suspicious Office macro
UPX packed file
Nirsoft
PlugX
Unpacked files

SHA256 hash: db071b8f63d56f195e88643b5c1f0309a3cffee76772884ea67d037500856e7f
MD5 hash: 58198ad565bb0b69472be575c38260b9
SHA1 hash: f53dda888e86ddd2b69db906c957c6d903b06a73

SHA256 hash: 0f0e9138c181cbcf65d4c1eaf0022c33ec58afc1b60e61bed62604998f9771be
MD5 hash: 9e4a2e427b7a64f435f9c3c8a9b873f3
SHA1 hash: f0b50b31936f5a0d15868329613244ee9fd87ef5

SHA256 hash: 15c031cb785e29ac11dadbd92a6a15d73fba1372aa1f4a2c9779388d90452eb6
MD5 hash: fba47137b68af7de52b1542a710ef84e
SHA1 hash: c77a8fdf6970c9a27f42106f17a8b97720e78500

SHA256 hash: 9637eea136218c40cc9799073122d567b531234e7d9206964fc50a8482684541
MD5 hash: 00210c10b4d67291e4d58f0ed00f087b
SHA1 hash: b50b4919cb1602a6e98f7462a9fe794ff3c1583c

SHA256 hash: e7c02d9f66bbc38625f659ff3fbed32a125b402d8196621d08637f57a8f33b05
MD5 hash: 7f666437306af8caf8ed85facdbace59
SHA1 hash: 86bcd4d34996e8b5f79cb9bb3b04c668b8c37817

SHA256 hash: 809aab5eace34dfbfb2b3d45462d42b34fcb95b415201d0d625414b56e437444
MD5 hash: 84878b1a26f8544bda4e069320ad8e7d
SHA1 hash: 51c6ee244f5f2fa35b563bffb91e37da848a759c

SHA256 hash: 97e749927b029c035060dbed0476522c59696f0ee17b94bba88dd01811e7ad36
MD5 hash: 092ddb256b45e55bc21269f8d6b9200e
SHA1 hash: 47dfc21b1e46504dcf69a9b40eaa962416d29809

SHA256 hash: 45f9f5bcc850992521e55a0fe30445f0e2fbb0ab289d8d8b604cad46f5ab260d
MD5 hash: 4f5d8fc618cf0f73b60815796741aaf2
SHA1 hash: 716e30fcd4a5efcb9c846f1837574a2ddb5d4081

SHA256 hash: db3e0ea9321426ff0983f6b6a82721024486f5547d47fddf4c44b81c2d7603b6
MD5 hash: 28e147fcf3f0e3d72f34f1aa73630e2a
SHA1 hash: 17585595f240981b9221bdf7cf941d0e53457bcd

SHA256 hash: 7c0cb64dd0fc0c56452cc448f84eb40744a3a7d85db702cf935c145a7ad41c25
MD5 hash: d0d11bfb37fc6a17575aa4bad5998bec
SHA1 hash: db72140f3fad3ca4ecafe2ae634931a187e77620

SHA256 hash: 3bd0eb640c37fb31423b560aeb5bf4f9f6117cb60c2a9e4509b7a0db80e0a092
MD5 hash: 1770a7731a4ea1030149e7f05cff1705
SHA1 hash: 02868a443c1864bb0afbe0832545736bd538028f
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name: Ping_Del_method_bin_mem
Author: James_inthe_box
Description: cmd ping IP nul del

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments