MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3ee3db80ebec5075b9dfb525f00bc9a494af450a9d650c995fbe01e0ec2c84b8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3ee3db80ebec5075b9dfb525f00bc9a494af450a9d650c995fbe01e0ec2c84b8
SHA3-384 hash: 4c3505f3b621d7c1437dae7e0775805a45ad3b7c2879ada6f0d5fad02f4e53c9f19be32e04f1590df980ee9e56c9c90b
SHA1 hash: 30268fc11e0ef7e54e219ef0dee3b75734a85c67
MD5 hash: c4f7ad9cdb934e4414e2cf58eb0062d1
humanhash: one-hydrogen-bluebird-yankee
File name:winsvcs.exe
Download: download sample
File size:69'120 bytes
First seen:2020-11-04 07:20:17 UTC
Last seen:2020-11-05 21:16:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4ca962fd475e46eae1935406bdb62435 (4 x Phorpiex)
ssdeep 768:ByHXfl0YTXiC0UoJJNeFUNpJeYN/ZjrOYwj+byQuqqA:ByHvl0uiPeF
Threatray 44 similar samples on MalwareBazaar
TLSH DC6333C1584C63A7E170CB3434AE8A760FDA3C7AA7F10946B9D3358B52EA0F2693515F
Reporter cocaman
Tags:exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
103
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/82287/
Detection(s):
SecuriteInfo.com.Trojan.Siggen10.41067.21912.10555.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Searching for many windows
Creating a file
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
DNS request
Creating a file in the %temp% directory
Deleting a recently created file
Creating a window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Blocking the Windows Security Center notifications
Creating a file in the mass storage device
Enabling threat expansion on mass storage devices by creating a special LNK file
Sending an HTTP GET request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.spre.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/519891
Signature
Antivirus / Scanner detection for submitted sample
Changes security center settings (notifications, updates, antivirus, firewall)
Drops executable to a common third party application directory
Found Tor onion address
Hides that the sample has been downloaded from the Internet (zone.identifier)
Infects executable files (exe, dll, sys, html)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Writes many files with high entropy
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 309046 Sample: winsvcs.exe Startdate: 04/11/2020 Architecture: WINDOWS Score: 84 33 Antivirus / Scanner detection for submitted sample 2->33 35 Multi AV Scanner detection for submitted file 2->35 37 Machine Learning detection for sample 2->37 39 Found Tor onion address 2->39 6 winsvcs.exe 4 18 2->6         started        process3 dnsIp4 29 trik.ws 217.8.117.10, 49750, 49751, 49769 CREXFEXPEX-RUSSIARU Russian Federation 6->29 31 304049943.ws 64.70.19.203, 49775, 49776, 49777 CENTURYLINK-LEGACY-SAVVISUS United States 6->31 15 C:\Users\user\AppData\...\1963333143.exe, data 6->15 dropped 17 C:\Users\user\AppData\...\1325127087.exe, data 6->17 dropped 19 C:\Users\user\AppData\Local\...\1[1], data 6->19 dropped 41 Changes security center settings (notifications, updates, antivirus, firewall) 6->41 43 Writes many files with high entropy 6->43 45 Hides that the sample has been downloaded from the Internet (zone.identifier) 6->45 11 1325127087.exe 501 501 6->11         started        file5 signatures6 process7 file8 21 C:\ProgramData\...\customizations.xml, data 11->21 dropped 23 C:\ProgramData\...\SharePointTeamSite.ico, data 11->23 dropped 25 C:\ProgramData\...\SharePointPortalSite.ico, data 11->25 dropped 27 22 other files (14 malicious) 11->27 dropped 47 Writes many files with high entropy 11->47 49 Drops executable to a common third party application directory 11->49 51 Infects executable files (exe, dll, sys, html) 11->51 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3ee3db80ebec5075b9dfb525f00bc9a494af450a9d650c995fbe01e0ec2c84b8/
Threat name:
Win32.Infostealer.ClipBanker
Create hunting rule
Status:
Malicious
First seen:
2020-11-04 07:22:05 UTC
File Type:
PE (Exe)
Extracted files:
16
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
09344b412ef8dbc6b398dd6e3580f482382bd24b672554039668b17a39661b50
0a75ebd1ee56d4f5b5b48ba75a79667bec5e4faff103524831fce9be825a4b19
1ae52558dadc5c5b388c0a64b6e54ead3280540b5a1db2d90f20d960257004dd
4fa82bcc428147d23e5abc86fb9bfdc61829d91094659e74250ac43ab9a73ab4
657c48c3e07fed5d334e86e1286ac8289c0269f4f53375e6ce4307fbd59a2f27
aac2024789ffd2bfce97d6a509136ecf7c43b18c2a83280b596e62d988cedb10
b215d5e7cf39628497363e29d2dce0475e7180da848f7f6032d1187c78fd16bf
b528251075071c38ce1e0b667af69434125bd6f8afb0de6401b83b41939b2ced
bb48fbcf365f8a493866cba9818c84614cfc6a9877a6e30e2f7cb445253be1d9
f9397a0438f1e3a8d03aa326dc4910482df49dd295228d9a4dda1f55247fd6e3
+ 34 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence ransomware spyware trojan
Link:
https://tria.ge/reports/201104-s5yqsv56qa/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Modifies service
Drops desktop.ini file(s)
Enumerates connected drives
Loads dropped DLL
Reads user/profile data of web browsers
Windows security modification
Executes dropped EXE
Modifies Installed Components in the registry
Modifies extensions of user files
Windows security bypass
Unpacked files
SH256 hash:
3ee3db80ebec5075b9dfb525f00bc9a494af450a9d650c995fbe01e0ec2c84b8
MD5 hash:
c4f7ad9cdb934e4414e2cf58eb0062d1
SHA1 hash:
30268fc11e0ef7e54e219ef0dee3b75734a85c67
Link:
https://www.unpac.me/results/280b2b5a-0612-4725-ba22-48aaac6e4713/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/82287/
  
URLhaus
https://urlhaus.abuse.ch/url/785475/

Comments