MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 42ca73a2f64b86c9e59cc795eaf28450bdfd1149a35b052e2a8baf1b47e82204. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Adware.Generic


Vendor detections: 6



SHA256 hash: 42ca73a2f64b86c9e59cc795eaf28450bdfd1149a35b052e2a8baf1b47e82204
SHA3-384 hash: 07b242f739779c77e43fca83b39634b584d4b924266a7323e8531927f8af4595f4e4857e3bb7dd1aaba9f872effde06c
SHA1 hash: f633611416eacf26ca20291e672a954a186220cd
MD5 hash: 41c38b28a965f10261a320ec88c7adc0
humanhash: papa-uniform-snake-nineteen
File name: VVV.exe
Signature: Adware.Generic
File size: 16'520'930 bytes
First seen: 2020-10-16 15:14:54 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 7c2c71dfce9a27650634dc8b1ca03bf0 (160 x Loki, 58 x Formbook, 55 x Adware.Generic)
ssdeep: 393216:i6eS1UH9VJcP/hDcSWodYkg7S1e1uBFBecboH86C:i6eS1cVJcXcBMiuFBemoH8L
Threatray: 4 similar samples on MalwareBazaar
TLSH: C9F633E182817359EBC839F11C9159AA3DF1CF438FA8FE6C7525339296423AD05E50E7
Reporter: Marco_Ramilli
Tags: Adware.Generic

Intelligence


File Origin
# of uploads: 1
# of downloads: 104
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %temp% directory
Creating a file
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Deleting a recently created file
Searching for analyzing tools
Searching for the window
Creating a window
DNS request
Connection attempt
Launching the default Windows debugger (dwwin.exe)
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a TCP request to an infection source
Enabling autorun by creating a file
Result
Threat name: Raccoon
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
Binary is likely a compiled AutoIt script file
Detected unpacking (changes PE section rights)
Hides threads from debuggers
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Potentially malicious time measurement code found
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Raccoon Stealer
Behaviour
Behavior Graph (ID 299402, sample VVV.exe, start date 16/10/2020, Windows, score 100; the rendered graph image is not reproduced here). Information recoverable from the graph labels:
VVV.exe drops C:\Users\user\AppData\...\software.exe, C:\Users\user\AppData\Roaming\...\Glad_84.exe, C:\Users\user\AppData\Roaming\...\Crew_95.exe and 2 other files (1 malicious), then starts Glad_84.exe, Pigeon_39.exe and Crew_95.exe.
Glad_84.exe connects to 178.159.43.35 (port 80, ON-LINE-DATA) and starts four cmd.exe instances (each with a conhost.exe); one of them uses PING.EXE to sleep.
Pigeon_39.exe drops C:\Users\user\AppData\...\RealtekSb.exe and starts it; Pigeon_39.exe hides threads from debuggers, checks the registry for sandbox / dynamic analysis systems and tries to detect virtualization through RDTSC time measurements.
RealtekSb.exe (also started directly at the top level) hides threads from debuggers and checks the registry for sandbox / dynamic analysis systems.
Crew_95.exe resolves rsttrs.site and telete.in (195.201.225.248, port 443, HETZNER-AS, Germany) and then starts WerFault.exe.
Threat name: Win32.Trojan.Ymacco
Status: Malicious
First seen: 2020-06-25 13:57:09 UTC
AV detection: 23 of 29 (79.31%)
Threat level: 5/5
Result
Malware family: n/a
Score: 10/10
Tags: evasion
Behaviour
Modifies system certificate store
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks BIOS information in registry
Drops startup file
Identifies Wine through registry keys
Loads dropped DLL
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
ServiceHost packer
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SHA256 hash: 42ca73a2f64b86c9e59cc795eaf28450bdfd1149a35b052e2a8baf1b47e82204
MD5 hash: 41c38b28a965f10261a320ec88c7adc0
SHA1 hash: f633611416eacf26ca20291e672a954a186220cd
SHA256 hash: 9099ab433811b1b6d04ccc123d106740ffeb2e89b03f1f3aa9490567700cd06a
MD5 hash: e852a4d1b5b7952a76613987eec26934
SHA1 hash: 821c5950f6bd0306f34ba3cdd62370a745fccbae
SHA256 hash: 2e781622d5e569295e902dd1fa44723439630b864b7f2e5f8860e6e49c3a530b
MD5 hash: 1ba9563ffa159be22d499079902b89a6
SHA1 hash: 60499e34e487690f40d1a2be27568ea887e2d3a7
SHA256 hash: 7130a5ee1444dcf441bd88eddf4e0e69a6d34d23b300d2d47854260f760cd6ca
MD5 hash: 0f1cd43ee6566baa9c60d55a4a839416
SHA1 hash: f54bc7f1e8f17fac53a632dacab2c2d13419bfdb
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Email_stealer_bin_mem
Author: James_inthe_box
Description: Email in files like avemaria
Rule name: Stealer_word_in_memory
Author: James_inthe_box
Description: The actual word stealer in memory
Rule name: win_raccoon_a0
Author: Slavo Greminger, SWITCH-CERT

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments