MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3e79be51a78170ac177641b8225b22d37548617800ea0362733eeadc77445b98. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3e79be51a78170ac177641b8225b22d37548617800ea0362733eeadc77445b98
SHA3-384 hash: cbd9374ca2d433e45224203a4e59d46492426ec94a1f015d96482d9c78965cda73225a482125556431c644beeabfc81c
SHA1 hash: d1b6962ea7338ac56a99e1a5e6a95d15379032a0
MD5 hash: 49cc3130496079ebfea58a069aa4b97a
humanhash: gee-bacon-pip-minnesota
File name:Unconfirmed 696687.exe
Download: download sample
File size:305'287 bytes
First seen:2020-08-13 21:44:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 00be6e6c4f9e287672c8301b72bdabf3 (116 x RedLineStealer, 70 x AsyncRAT, 55 x AgentTesla)
ssdeep 6144:0/fAhvV6B8ErzPZp5wdz753RSJT+tLFS9UHb:QfAv6B8azBwdQT+t0SHb
Threatray 235 similar samples on MalwareBazaar
TLSH F854BF02FAC184F2D63219365A29AB21757C7D301F25CE6FB3D86E6DDA301C1A625B73
Reporter suspicious_link

Intelligence

File Origin
# of uploads :
1
# of downloads :
70
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
Win.Packed.njRAT-7086562-0
Create hunting rule

PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

PUA.Win.Dropper.Nssm-6917179-0
Create hunting rule

PUA.Win.File.Generic-7109589-0
Create hunting rule

SecuriteInfo.com.Trojan.GenericKD.31721986.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the Windows subdirectories
Creating a process from a recently created file
Deleting a recently created file
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a UDP request
Using the Windows Management Instrumentation requests
Launching cmd.exe command interpreter
Launching the process to change network settings
Launching a service
Launching the process to change the firewall settings
Launching the process to interact with network services
Launching a tool to kill processes
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun for a service
Enabling autorun by creating a file
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad.mine
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/427776
Signature
Found strings related to Crypto-Mining
Uses cmd line tools excessively to alter registry or file data
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 266429 Sample: Unconfirmed 696687.exe Startdate: 15/08/2020 Architecture: WINDOWS Score: 48 26 Found strings related to Crypto-Mining 2->26 9 Unconfirmed 696687.exe 4 6 2->9         started        process3 process4 11 wscript.exe 1 9->11         started        process5 13 cmd.exe 1 11->13         started        signatures6 28 Uses cmd line tools excessively to alter registry or file data 13->28 16 net.exe 1 13->16         started        18 taskkill.exe 1 13->18         started        20 conhost.exe 13->20         started        22 24 other processes 13->22 process7 process8 24 net1.exe 1 16->24         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3e79be51a78170ac177641b8225b22d37548617800ea0362733eeadc77445b98/
Threat name:
Win32.Trojan.Skeeyah
Create hunting rule
Status:
Malicious
First seen:
2019-06-03 11:05:15 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
1aca49752cef2bb58d097e0ac96963e32f14e4e6b1e6e24e11125d1e9ef54cf2
43ed3081859def68a8b2ef50292e6d9dcbac7aea6ddb03de294fb9ed367c9f06
5261874485f9fe16a78a558734e8652f93db1d544f3be331e7f6adc06f43ee98
6ec6d3425cc3bdc664f5938119469a2947ad061dac33fafbd303998c9311a254
70d86fc8d1247dcd26ed0927411614973d45216d676978f768e14cb16d362536
8f60548d2cde9e0681d8609aef71f51c820073a2a70e75bfa0fa56e3890d94e0
90dd2d39ffc0ebcf1db286191a316c833ddc3111337e1c05e3d847e03e67c377
b5c7fbd5e805b6f1a9796c041be4f9829d2157e5b59a6608871511d045b8d79c
b5e39716f576e5ff21e945560a98ee7ca7309491b2b7f2643728cd341b9c19de
c7962bac550ffe20ff69bbcecea355ea9689fa1e76506d3d8343f1b1f5619706
+ 225 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence evasion
Link:
https://tria.ge/reports/200813-jqq7bmwjnx/
Behaviour
Creates scheduled task(s)
Kills process with taskkill
Modifies registry key
Runs net.exe
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Creates scheduled task(s)
Kills process with taskkill
Modifies registry class
Modifies registry key
Runs net.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Drops file in Windows directory
Launches sc.exe
Drops file in Windows directory
Launches sc.exe
Modifies service
Drops file in System32 directory
Modifies service
Adds Run key to start application
Adds Run key to start application
Modifies Windows Firewall
Modifies Windows Firewall
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
NJRat
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3e79be51a78170ac177641b8225b22d37548617800ea0362733eeadc77445b98

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 3e79be51a78170ac177641b8225b22d37548617800ea0362733eeadc77445b98

(this sample)

anyrun
any.run
https://app.any.run/tasks/66d1b2e8-2fed-4983-b2b9-be89f0e50d07
Cape
Cape
https://www.capesandbox.com/analysis/45425/
  
URLhaus
https://urlhaus.abuse.ch/url/219672/
  
Delivery method
Distributed via web download

Comments