MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 412baf955c1e256c4e8bf7e07ce0f1fbf14c03d11ed98932be45a58a14d55690. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Kimsuky


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 412baf955c1e256c4e8bf7e07ce0f1fbf14c03d11ed98932be45a58a14d55690
SHA3-384 hash: f19c1aa5016548c7bb387b81f95c32bbc14b1929ae7073afc9f065de39e9f6b3d17705447674e43304c8eb7f119e2eae
SHA1 hash: 82719ba7e498fff85a255dbfda631ffdaf3cf2a8
MD5 hash: 7c86ce42fed192ba7d1e09af0a7bf821
humanhash: hawaii-fillet-beer-stairway
File name:412baf955c1e256c4e8bf7e07ce0f1fbf14c03d11ed98932be45a58a14d55690.bin
Download: download sample
Signature Kimsuky
Create hunting rule
File size:5'733'888 bytes
First seen:2021-03-06 23:09:56 UTC
Last seen:2021-03-07 00:37:23 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash dbfedc155114e93b03253d2457becdac (2 x RaccoonStealer, 1 x Kimsuky)
ssdeep 98304:EyPfvMQDZdIdedljCcS+TYuTfiMO7qm+ST3EBoEpt6Gus6o/c/I:EAfvMQDZdIdenf/Tdkx+yEBoEpIq
Threatray 57 similar samples on MalwareBazaar
TLSH 72462337977910CAE4E18C398637FEE5B5F6035F8B80B8B850EA69C124264F5E623953
Reporter Arkbird_SOLG
Tags:apt Kimsuky

Intelligence

File Origin
# of uploads :
2
# of downloads :
277
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/122666/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.35817125.3899.4044.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% subdirectories
Creating a file
Running batch commands
Launching a process
Creating a process with a hidden window
DNS request
Deleting a recently created file
Sending a UDP request
Setting a single autorun event
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/630660
Signature
Contains functionality to capture and log keystrokes
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 364302 Sample: e3Y6aKW6hw.bin Startdate: 07/03/2021 Architecture: WINDOWS Score: 76 49 monkey.funnystory.tech 2->49 67 Multi AV Scanner detection for dropped file 2->67 69 Multi AV Scanner detection for submitted file 2->69 71 Machine Learning detection for sample 2->71 73 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 2->73 9 loaddll32.exe 1 2->9         started        11 regsvr32.exe 2->11         started        13 regsvr32.exe 2->13         started        signatures3 process4 process5 15 regsvr32.exe 6 9->15         started        18 rundll32.exe 1 14 9->18         started        21 cmd.exe 1 9->21         started        23 regsvr32.exe 15 11->23         started        26 regsvr32.exe 13->26         started        dnsIp6 77 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 15->77 79 Contains functionality to capture and log keystrokes 15->79 81 Tries to detect virtualization through RDTSC time measurements 15->81 28 regsvr32.exe 15 15->28         started        32 cmd.exe 1 15->32         started        47 C:\Users\user\AppData\...\AlCommon.dll, PE32 18->47 dropped 34 regsvr32.exe 15 18->34         started        36 cmd.exe 1 18->36         started        38 iexplore.exe 1 73 21->38         started        51 monkey.funnystory.tech 23->51 53 monkey.funnystory.tech 26->53 file7 signatures8 process9 dnsIp10 55 monkey.funnystory.tech 28->55 40 conhost.exe 32->40         started        57 192.168.2.1 unknown unknown 34->57 59 monkey.funnystory.tech 34->59 75 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 34->75 42 conhost.exe 36->42         started        44 iexplore.exe 151 38->44         started        signatures11 process12 dnsIp13 61 tls13.taboola.map.fastly.net 151.101.1.44, 443, 49744, 49745 FASTLYUS United States 44->61 63 geolocation.onetrust.com 104.20.185.68, 443, 49734, 49735 CLOUDFLARENETUS United States 44->63 65 7 other IPs or domains 44->65
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/412baf955c1e256c4e8bf7e07ce0f1fbf14c03d11ed98932be45a58a14d55690/
Threat name:
Win32.Spyware.Xegumumune
Create hunting rule
Status:
Malicious
First seen:
2020-12-23 03:59:32 UTC
AV detection:
19 of 28 (67.86%)
Threat level:
  2/5
Verdict:
suspicious
Similar samples:
1ddfb2740131dc898d5c24380afd5b6fcf99f6818d74e608b7651acc3c0642de
Kimsuky
1e04c1e4eefe23f454553364e757209462f2561d8455628b296b1dbe83fc6ec2
Kimsuky
22f105861b8c373e94d70ac51cdbc0f03e784acee57727dae0d734587c6033a7
Kimsuky
2858b9c680f3285fad75031739a45e0c267cce2a3070c34e770d7c164eaf9845
Kimsuky
29c4de280ceb33f0e9374185fad275661979f9a787b5517dee6dd3b7679628d8
Kimsuky
45d473eb0961855e45ba3bc0afb395aed0f772e7c8a477d40d4f43e5494ca9f7
Kimsuky
5eb285443b7b9ab49c8b73112f66813eacc811d752e294fd2ca8db89da49589d
Kimsuky
88741b14f426f4cb2f942dea22a70f85ae06a9e86ee03decd1ae79e6371f1b59
Kimsuky
a761168b889a5c5ff56defeb1cedb786ffa90e3b61b6660cfc41e49b1ee638f0
Kimsuky
fc0eee220cef0c364edb4cb6ff45e12b2d3c035b2be1072c627e40c4a298ea72
Kimsuky
+ 47 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence
Link:
https://tria.ge/reports/210306-4xtfp5mbyn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Adds Run key to start application
Enumerates connected drives
Deletes itself
Loads dropped DLL
Unpacked files
SH256 hash:
a8dc12362bd8bdeb2cac921a13046f06358c8b9a7df287611f3e01a1de3ad6c3
MD5 hash:
523b2a7da45489fdf7e76cbdd125fbf8
SHA1 hash:
d2cf6492baa0cbe07c54c1f97e881cd04cbe9a28
Link:
https://www.unpac.me/results/a10ccaa2-3d4a-4469-9808-859e6fb150e5/
SH256 hash:
412baf955c1e256c4e8bf7e07ce0f1fbf14c03d11ed98932be45a58a14d55690
MD5 hash:
7c86ce42fed192ba7d1e09af0a7bf821
SHA1 hash:
82719ba7e498fff85a255dbfda631ffdaf3cf2a8
Link:
https://www.unpac.me/results/a10ccaa2-3d4a-4469-9808-859e6fb150e5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/412baf955c1e256c4e8bf7e07ce0f1fbf14c03d11ed98932be45a58a14d55690

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
X
https://twitter.com/BaoshengbinCumt/status/1366640125636091906
Cape
Cape
https://www.capesandbox.com/analysis/122666/

Comments