MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3e3ab416abadd9093b15f9dcce92f3530709aba8addff16a74e89bd3a7bfd8fd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: 3e3ab416abadd9093b15f9dcce92f3530709aba8addff16a74e89bd3a7bfd8fd
SHA3-384 hash: 3f97272e5c7b89b537e35ea93c5997796bfd57af71aa63ad99c1e5b00f4313bc8bf1887c4e821ff05d8613f5cc95ab11
SHA1 hash: f1009c96203862812cefa14e186dcff610ccc634
MD5 hash: 532524e6b61b197d92f3bd4ed3331d3d
humanhash: kentucky-winter-two-utah
File name: SecuriteInfo.com.Trojan.PWS.Steam.18359.22695.22959
Signature n/a
File size: 747'008 bytes
First seen: 2020-08-01 19:30:25 UTC
Last seen: 2020-08-02 07:34:53 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744
ssdeep 12288:3PokR3Wry+Qs4SsyWJQ1r0S7pvhnGlDKacgEcqnn/cKWmbzILD69g5qAvJZ:/okR3WryKEJ4rLJJGlDpEc+/Pbz6G9GJ
TLSH 7FF46D917398CD16C17E437194EE082847FCC705A7E2EBA62A9065F139C37913E9E1AF
Reporter @SecuriteInfoCom
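Before analysing a sample pulled from this entry, confirm that the bytes on disk are the ones the database describes. The helper below is an added example, not MalwareBazaar's own tooling: it recomputes the four digests listed above (plus the recorded size) over a file and reports which ones match. The expected values are copied from this page; the file path and the constructed test bytes are assumptions.

```python
import hashlib
import sys

# Values recorded on this MalwareBazaar entry.
RECORDED_HASHES = {
    "sha256": "3e3ab416abadd9093b15f9dcce92f3530709aba8addff16a74e89bd3a7bfd8fd",
    "sha3_384": "3f97272e5c7b89b537e35ea93c5997796bfd57af71aa63ad99c1e5b00f4313bc8bf1887c4e821ff05d8613f5cc95ab11",
    "sha1": "f1009c96203862812cefa14e186dcff610ccc634",
    "md5": "532524e6b61b197d92f3bd4ed3331d3d",
}
RECORDED_SIZE = 747008  # bytes


def compute_hashes(data: bytes) -> dict:
    """Return lowercase hex digests for every algorithm the entry lists."""
    return {name: hashlib.new(name, data).hexdigest() for name in RECORDED_HASHES}


def verify_sample(data: bytes, expected: dict = RECORDED_HASHES,
                  expected_size: int = RECORDED_SIZE) -> dict:
    """Compare data against the recorded digests and size.

    Returns {"size": bool, "sha256": bool, ...}; comparison is case-insensitive
    so a digest pasted in upper case from another tool still matches.
    """
    actual = compute_hashes(data)
    result = {"size": len(data) == expected_size}
    for name, digest in expected.items():
        result[name] = actual[name] == digest.lower()
    return result


def is_recorded_sample(data: bytes, expected: dict = RECORDED_HASHES,
                       expected_size: int = RECORDED_SIZE) -> bool:
    """True only when the size and every digest agree with the entry."""
    return all(verify_sample(data, expected, expected_size).values())


if __name__ == "__main__":
    # Usage: python verify_sample.py <extracted sample path>   (path is an assumption)
    with open(sys.argv[1], "rb") as fh:
        blob = fh.read()
    for name, ok in verify_sample(blob).items():
        print(f"{name:9s} {'match' if ok else 'MISMATCH'}")
    sys.exit(0 if is_recorded_sample(blob) else 1)
```

A mismatch on any one digest means you are not looking at the file this page describes (a re-zipped copy, a truncated download, or a different build with the same name), so the sandbox verdicts below do not apply to it.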

Intelligence


File Origin
# of uploads: 2
# of downloads: 18
Origin country: US
Mail intelligence
No data
Vendor Threat Intelligence
Result
Verdict: Malware
Behaviour
Using the Windows Management Instrumentation requests
Sending a UDP request
Creating a file
Creating a file in the %temp% directory
Launching a process
Creating a file in the Program Files subdirectories
Creating a process from a recently created file
Connection attempt
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 96 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Drops executable to a common third party application directory
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the user root directory
Drops PE files with benign system names
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
System process connects to network (likely due to code injection or exploit)
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Behavior Graph ID: 255570
Sample: SecuriteInfo.com.Trojan.PWS...
Start date: 01/08/2020
Architecture: WINDOWS
Score: 96

Sample-level signatures:
  .NET source code contains method to dynamically call methods (often used by packers)
  Machine Learning detection for sample
  Machine Learning detection for dropped file
  4 other signatures

Process tree:
  SecuriteInfo.com.Trojan.PWS.Steam.18359.22695.exe (started)
    Files dropped:
      C:\Windows\Offline Web Pages\svchost.exe (PE32)
      C:\Users\Default\RuntimeBroker.exe (PE32)
      C:\ProgramData\dbg\svchost.exe (PE32)
      7 other files (6 malicious)
    Signatures:
      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
      Drops PE files to the user root directory
      Drops executables to the windows directory (C:\Windows) and starts them
      3 other signatures
    Child processes:
      svchost.exe (started)
        Network: 94.250.251.54, port 80 (THEFIRST-ASRU, Russian Federation)
        Signature: System process connects to network (likely due to code injection or exploit)
      schtasks.exe (started) -> conhost.exe
      schtasks.exe (started) -> conhost.exe
      3 other processes -> 3 x conhost.exe
  RuntimeBroker.exe (started)
    Signature: Machine Learning detection for dropped file
  MJnEFvNgIJqiFpsMVAANBvKDsiT.exe (started)
  svchost.exe (started)
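The two Sigma hits above (Suspicious Svchost Process, System File Execution Location Anomaly) and the schtasks.exe persistence step all reduce to checks on process-creation telemetry: a Windows system binary name running from outside System32/SysWOW64, svchost.exe with a parent other than services.exe, and a scheduled task created by a process living in a user-writable directory. The script below is an added example, not the sandbox vendor's or the Sigma project's code, that applies simplified versions of those three rules to constructed process events built from the paths this entry reports (C:\ProgramData\dbg\svchost.exe, C:\Users\Default\RuntimeBroker.exe). The dropper's own directory, the parent of RuntimeBroker.exe and the schtasks command line are assumptions; the page only records the file names and that schtasks.exe was used.

```python
import ntpath
from dataclasses import dataclass

# Directories from which Windows system binaries legitimately execute.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Binaries that should only ever run from SYSTEM_DIRS. The first two are the
# names this sample impersonates; the rest are common additions.
SYSTEM_BINARIES = {
    "svchost.exe", "runtimebroker.exe", "conhost.exe", "lsass.exe",
    "csrss.exe", "winlogon.exe", "services.exe", "smss.exe", "wininit.exe",
    "spoolsv.exe", "taskhostw.exe", "dllhost.exe",
}

# Parents from which svchost.exe normally starts (simplified allow-list,
# an assumption modelled on the public "Suspicious Svchost Process" rule).
SVCHOST_PARENTS = {"services.exe", "msmpeng.exe", "mrt.exe", "rpcnet.exe", "svchost.exe"}


@dataclass
class ProcessEvent:
    """One process-creation record (Sysmon event 1 / EDR equivalent)."""
    image: str                 # full path of the new process
    parent_image: str          # full path of the parent process
    command_line: str = ""


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def in_system_dir(path: str) -> bool:
    """True when the file sits directly in System32 or SysWOW64 (not a subfolder)."""
    return ntpath.dirname(path.lower()) in SYSTEM_DIRS


def analyze(events):
    """Return a list of (rule_name, detail) findings for the given events."""
    findings = []
    for ev in events:
        name, parent = _name(ev.image), _name(ev.parent_image)
        cmd = ev.command_line.lower()

        # System File Execution Location Anomaly
        if name in SYSTEM_BINARIES and not in_system_dir(ev.image):
            findings.append(("system_file_location_anomaly", ev.image))

        # Suspicious Svchost Process: unexpected parent
        if name == "svchost.exe" and parent not in SVCHOST_PARENTS:
            findings.append(("suspicious_svchost_parent", f"{ev.parent_image} -> {ev.image}"))

        # Scheduled task created by a process outside the system directories
        creates_task = (name == "schtasks.exe" and "/create" in cmd) or name == "at.exe"
        if creates_task and not in_system_dir(ev.parent_image):
            findings.append(("scheduled_task_from_untrusted_parent", ev.parent_image))
    return findings


# Constructed events mirroring this entry's behavior graph.
DROPPER = r"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Steam.18359.22695.exe"  # directory assumed
SAMPLE_EVENTS = [
    ProcessEvent(DROPPER, r"C:\Windows\explorer.exe"),
    # dropped copy named svchost.exe started from C:\ProgramData\dbg (path from the page)
    ProcessEvent(r"C:\ProgramData\dbg\svchost.exe", DROPPER),
    # schtasks.exe spawned by the dropper (command line assumed)
    ProcessEvent(r"C:\Windows\System32\schtasks.exe", DROPPER,
                 r"schtasks.exe /create /sc onlogon /tn dbg /tr C:\ProgramData\dbg\svchost.exe"),
    # dropped RuntimeBroker.exe in the Default profile (path from the page, parent assumed)
    ProcessEvent(r"C:\Users\Default\RuntimeBroker.exe", r"C:\Windows\System32\svchost.exe"),
    # benign: real svchost.exe from services.exe, conhost.exe for schtasks.exe
    ProcessEvent(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe"),
    ProcessEvent(r"C:\Windows\System32\conhost.exe", r"C:\Windows\System32\schtasks.exe"),
]

if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

The location check compares the parent directory exactly rather than using a prefix test, so C:\Windows\System32\sub\svchost.exe is still flagged; the real Sigma rule also excludes a few legitimate installer paths, which a production version would add to the allow-list.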
Threat name: ByteCode-MSIL.Trojan.Ymacco
Status: Malicious
First seen: 2020-07-28 07:04:22 UTC
AV detection: 25 of 31 (80.65%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Drops file in Program Files directory
Executes dropped EXE

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 3e3ab416abadd9093b15f9dcce92f3530709aba8addff16a74e89bd3a7bfd8fd (this sample)
Delivery method
Distributed via web download

Comments