MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3c1f3dca6ac8776c79fba50e2a2b605f907964e9eeeff4891b8c9b4b27cdec24. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 9

Intelligence 9 IOCs YARA 1 File information Comments

SHA256 hash:	3c1f3dca6ac8776c79fba50e2a2b605f907964e9eeeff4891b8c9b4b27cdec24
SHA3-384 hash:	3074b7fb007537c241a5fa11b017f0de8058dfef61ebf2d997806199757ff3c63779fe0aad332b4206563b15b0a9d450
SHA1 hash:	f9f8dc6436787f2a7a2e3adc2099fbf95b9f3924
MD5 hash:	e6b556dafd087a3d79f48f8e86e09a3e
humanhash:	july-blossom-blue-ink
File name:	CMOYDB.exe
Download:	download sample
File size:	2'368'206 bytes
First seen:	2021-08-06 13:33:23 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	d3bf8a7746a8d1ee8f6e5960c3f69378 (247 x Formbook, 75 x AgentTesla, 64 x SnakeKeylogger)
ssdeep	12288:8hkDgouVA2nxKkorvdRgQriDwOIxmxiZnYQE7PJcE4aEoH0I3T1oVAI:0RmJkcoQricOIQxiZY1iarH0MoV1
Threatray	5'693 similar samples on MalwareBazaar
TLSH	T1D5B583E4B8290DADE58E316DFAC4355AB7F3AAF8B938998E0DCCB5157C205E044B441F
dhash icon	25328c2aa675718a
Reporter	abuse_ch
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

135

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

CMOYDB.exe

Verdict:

Suspicious activity

Analysis date:

2021-08-06 13:36:55 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/aadb146e-e3e0-479b-8a89-5f223172c96f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/177019/

Detection(s):

SecuriteInfo.com.AIT.Trojan.Nymeria.281.11358.26640.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

DNS request

Sending a UDP request

Unauthorized injection to a recently created process

Setting a keyboard event handler

Creating a file in the %temp% directory

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/615b9484-1ca9-4662-9371-e8555e45e59c

Result

Threat name:

Unknown

Detection:

malicious

Classification:

spyw.evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/828307

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Injects a PE file into a foreign processes

Installs a global keyboard hook

Tries to harvest and steal browser information (history, passwords, etc)

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3c1f3dca6ac8776c79fba50e2a2b605f907964e9eeeff4891b8c9b4b27cdec24/

Threat name:

Win32.Trojan.Nymeria

Status:

Malicious

First seen:

2021-08-06 13:34:15 UTC

AV detection:

19 of 28 (67.86%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=hqpt3stkzb3wy6p3uuhcuk3al6ihszhj53x7jci3rsnuwj6n5qsa._file

Verdict:

malicious

38e5fde6988bbf02467d7b59ba15a3dfbdaedfab4804c60cf3ae44db6b48a844

3d3cdbc05416c888b5779c01e83e7e9dfce24a81e3c736f55aac3a34f8cd488d

647260f08017b3f63e2c5178e751b9d37503850cc18aeaa367506e7808b1e249

6c5e170ec02d30c57a8bbceb8533eb73efd7b46f8ae1cd6e552fa6a5656afb36

83b924a12b9d879758a2cd4c73a095de0ba4016163f76c94404820e741534030

9129967bfcf44c87ec6eb83a30f5500a5e453c76281b7ec3b0c1caa778377e08

af842257a5720b2a587284626867caed0bbc03fbaf8163258eb52d36b053a428

aff4652e2ee285a5ad71717a36e215c1eb59787d74e73a763701b0a5f68751a7

ed105272dc3c77f54e7d170474afa6590a98477e6b076d7e5d1cf6c5e152319d

+ 5'683 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

persistence spyware stealer

Link:

https://tria.ge/reports/210806-wefkns6bws/

Behaviour

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Adds Run key to start application

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

0cd4d25a7e0370290fd8c8ffac2baad117fbb44fd9390a7d285c456b6809470a

MD5 hash:

9910d94cbfcbab42697461f92c013d7a

SHA1 hash:

4665296baeb03eea22f255710352badfb1516baf

Link:

https://www.unpac.me/results/8ee7b5b0-63f8-485b-bacd-9736efa44bce/

SH256 hash:

3c1f3dca6ac8776c79fba50e2a2b605f907964e9eeeff4891b8c9b4b27cdec24

MD5 hash:

e6b556dafd087a3d79f48f8e86e09a3e

SHA1 hash:

f9f8dc6436787f2a7a2e3adc2099fbf95b9f3924

Link:

https://www.unpac.me/results/8ee7b5b0-63f8-485b-bacd-9736efa44bce/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3c1f3dca6ac8776c79fba50e2a2b605f907964e9eeeff4891b8c9b4b27cdec24

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AutoIT_Compiled Create hunting rule
Author:	@bartblaze
Description:	Identifies compiled AutoIT script (as EXE).

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/177019/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample