MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 41609e0f1ff71e0b6421e8e3bfbac0307c0f5f80f9e1b3b60de547a54a80de51. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 41609e0f1ff71e0b6421e8e3bfbac0307c0f5f80f9e1b3b60de547a54a80de51
SHA3-384 hash: a14e142ef4074498193021c8b50fadd4154df7ab555181ce3561133be0b02a58b38636ba7edcf5b13455701ee37e54c3
SHA1 hash: 4ca53804b9ca4ff74b760db6c032a26af8b4e4ae
MD5 hash: 6e783d9862fa359f21e195a3e479f67b
humanhash: fourteen-robin-pluto-freddie
File name:6e783d9862fa359f21e195a3e479f67b.exe
Download: download sample
File size:2'518'381 bytes
First seen:2021-02-15 07:54:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 49152:P1Lrjs0SAyxsMC+a4AadaRrawKL+JF8OuiAAq2uEfE:P1Ls0mxsMC++a1+3hYAqToE
Threatray 387 similar samples on MalwareBazaar
TLSH FBC52301FEC18872D03219311A3B9644B9FEBC205F244A9FB3DC766D9B706F16A75B62
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
94
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
6e783d9862fa359f21e195a3e479f67b.exe
Verdict:
Malicious activity
Analysis date:
2021-02-15 07:59:02 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/df3b6644-69ce-4da1-abd7-04d72434daeb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/117141/
Detection(s):
SecuriteInfo.com.BackDoor.SiggenNET.5.27436.8753.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Creating a file
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Deleting a recently created file
Sending a UDP request
Forced system process termination
Creating a file in the Windows subdirectories
Launching the process to interact with network services
Creating a window
Searching for the window
Creating a file in the %temp% subdirectories
Launching a process
Enabling autorun for a service
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/607849
Signature
Bypasses PowerShell execution policy
Creates files in alternative data streams (ADS)
Multi AV Scanner detection for submitted file
Powershell drops PE file
Queries sensitive service information (via WMI, MSSMBios_RawSMBiosTables, often done to detect sandboxes)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Sigma detected: Dot net compiler compiles file from suspicious location
Wscript starts Powershell (via cmd or directly)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 352953 Sample: FvBQzeTPzW.exe Startdate: 15/02/2021 Architecture: WINDOWS Score: 80 66 Multi AV Scanner detection for submitted file 2->66 68 Sigma detected: Dot net compiler compiles file from suspicious location 2->68 70 Bypasses PowerShell execution policy 2->70 11 FvBQzeTPzW.exe 12 2->11         started        process3 file4 54 C:\Users\user\AppData\...\Readme.txt:meta, Microsoft 11->54 dropped 56 C:\Users\user\AppData\Local\...\Readme.txt, ASCII 11->56 dropped 74 Creates files in alternative data streams (ADS) 11->74 15 wscript.exe 1 11->15         started        signatures5 process6 signatures7 80 Wscript starts Powershell (via cmd or directly) 15->80 82 Queries sensitive service information (via WMI, MSSMBios_RawSMBiosTables, often done to detect sandboxes) 15->82 18 cmd.exe 1 15->18         started        process8 process9 20 wscript.exe 1 18->20         started        23 cmd.exe 1 18->23         started        25 conhost.exe 18->25         started        27 more.com 1 18->27         started        signatures10 72 Wscript starts Powershell (via cmd or directly) 20->72 29 powershell.exe 57 20->29         started        33 extrac32.exe 10 23->33         started        process11 file12 58 C:\Windows\SysWOW64\rdpclip.exe, PE32+ 29->58 dropped 60 C:\Users\user\AppData\...\shvvoxhz.cmdline, UTF-8 29->60 dropped 76 Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes) 29->76 78 Powershell drops PE file 29->78 35 csc.exe 29->35         started        38 csc.exe 29->38         started        40 powershell.exe 29->40         started        42 conhost.exe 29->42         started        62 C:\Users\user\AppData\Local\Temp\start.vbs, ASCII 33->62 dropped 64 C:\Users\user\AppData\Local\Temp\ready.ps1, ASCII 33->64 dropped signatures13 process14 file15 50 C:\Users\user\AppData\Local\...\shvvoxhz.dll, PE32 35->50 dropped 44 cvtres.exe 35->44         started        52 C:\Users\user\AppData\Local\...\dj0zskst.dll, PE32 38->52 dropped 46 cvtres.exe 38->46         started        48 conhost.exe 40->48         started        process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/41609e0f1ff71e0b6421e8e3bfbac0307c0f5f80f9e1b3b60de547a54a80de51/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-02-15 07:55:08 UTC
AV detection:
18 of 46 (39.13%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
0fa5f308271acceabd13e15871b230e030550825e17bdd0b3b1e53724ca5abd6
34f907b9f543ecf0f4f99adb7e55963ab5bc1c8e6e64081a8fef9a06043828b7
3d783630a9df4cc2fc3bed2bd696e006c4eb018ca419295fc1fc94010659ecac
4873869d22df0e7fcec173e490e31f14e42b55bf594bf5c722d08ed43a9e5292
7c5296a628df511b5a1cee6f32910c80afb607b2bc8412e6741f7feb2d93b0c5
86b0b53349b935048562758a34e08ae6190c67fa522e8742f60702b334625d36
a144d424d0ace63551d67ee67efe8ff6242df2b5c55d8f2494e0731f2d88f711
bcee5b3f4acfc85f500a2edd23402b92b87bca11263ffc3ef31f8c0a6c31f6a6
ee2e84f75b0b6043c2a2e3b84bdeabc0be4a4a1e4c6ec6a3ff255963b545425d
fd59571b52f8bfc7244a8ecf6cc057f1690964091b7141227ddd8315bba4d93a
+ 377 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/210215-w681b9cn7a/
Behaviour
NTFS ADS
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Unpacked files
SH256 hash:
cfb31853cf730e0b853f53a4ecb4bbce7dc2354e13b09e5db4869066d0167ed2
MD5 hash:
337c7f78ed7c58ba800a91354a192591
SHA1 hash:
60a2ae80515f9a5b03485f5f1115b85ba8c665bd
Link:
https://www.unpac.me/results/79b43585-bc6b-4a96-aaba-7406c3e7968b/
SH256 hash:
41609e0f1ff71e0b6421e8e3bfbac0307c0f5f80f9e1b3b60de547a54a80de51
MD5 hash:
6e783d9862fa359f21e195a3e479f67b
SHA1 hash:
4ca53804b9ca4ff74b760db6c032a26af8b4e4ae
Link:
https://www.unpac.me/results/79b43585-bc6b-4a96-aaba-7406c3e7968b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/41609e0f1ff71e0b6421e8e3bfbac0307c0f5f80f9e1b3b60de547a54a80de51

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 41609e0f1ff71e0b6421e8e3bfbac0307c0f5f80f9e1b3b60de547a54a80de51

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1000821/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/117141/

Comments