MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 42d3be363dd71be21102baba9ef2e2d7a4a3629431e94bca22ae171766dbe3da. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Kimsuky


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 42d3be363dd71be21102baba9ef2e2d7a4a3629431e94bca22ae171766dbe3da
SHA3-384 hash: ce08a08f437bcecb98d1865ef923a96d3377ab0ec8c7db59b143ad031b46a776d42a839cb16d87c9e6bde060288c219e
SHA1 hash: a7b836229d981ae34227efe9f9e996c2753f9262
MD5 hash: 18a0abb7a6f4bd5a25cedb9abe077060
humanhash: artist-florida-oscar-arizona
File name:42d3be363dd71be21102baba9ef2e2d7a4a3629431e94bca22ae171766dbe3da
Download: download sample
Signature Kimsuky
Create hunting rule
File size:466'944 bytes
First seen:2022-03-18 10:20:27 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 3fd366df84422b0208852233e8b35e52 (1 x Kimsuky)
ssdeep 12288:D0CyhqdvdvufeWBjQ3CdKdz6SbsPQEzmdMULyL5Alyfip:gJhqdvdxgJSYPVmBL2Aly6p
Threatray 11 similar samples on MalwareBazaar
TLSH T1E6A423C0A9FBA371D2A389F49C3B0F6DF7BF72C9C579695DAC21101D91106A5328CE92
Reporter JAMESWT_WT
Tags:dll Kimsuky

Intelligence

File Origin
# of uploads :
1
# of downloads :
168
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/252418/
Detection(s):
SecuriteInfo.com.Trojan.MulDrop19.24514.11963.4132.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a process with a hidden window
Sending a custom TCP request
Creating a file in the %AppData% subdirectories
Running batch commands
Using the Windows Management Instrumentation requests
Searching for the window
Launching a tool to kill processes
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
explorer.exe packed winnti
Link:
https://www.filescan.io/uploads/62345d1d0cd58dbd92b5c04e/reports/39bf3923-233b-4011-8cdb-899003fca046/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7d4a9e32-ffb0-46c8-bbbb-1775dc84a5c0
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/959779
Signature
Allocates memory in foreign processes
Detected VMProtect packer
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Call by Ordinal
Sigma detected: Suspicious Svchost Process
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 592281 Sample: FPT7uWYzTv Startdate: 18/03/2022 Architecture: WINDOWS Score: 100 74 prda.aadg.msidentity.com 2->74 76 mail.daum.net 2->76 78 2 other IPs or domains 2->78 102 Malicious sample detected (through community Yara rule) 2->102 104 Multi AV Scanner detection for dropped file 2->104 106 Multi AV Scanner detection for submitted file 2->106 108 6 other signatures 2->108 10 rundll32.exe 2->10         started        12 loaddll32.exe 1 2->12         started        14 rundll32.exe 2->14         started        signatures3 process4 process5 16 rundll32.exe 10->16         started        19 rundll32.exe 7 12->19         started        22 cmd.exe 1 12->22         started        24 rundll32.exe 5 12->24         started        26 rundll32.exe 6 12->26         started        28 rundll32.exe 14->28         started        file6 94 Writes to foreign memory regions 16->94 96 Allocates memory in foreign processes 16->96 98 Injects a PE file into a foreign processes 16->98 30 svchost.exe 16->30         started        66 C:\Users\user\AppData\...\iertutil.dll, PE32 19->66 dropped 68 C:\Users\...\iertutil.dll:Zone.Identifier, ASCII 19->68 dropped 100 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 19->100 34 cmd.exe 19->34         started        36 rundll32.exe 1 6 22->36         started        38 cmd.exe 1 24->38         started        40 cmd.exe 1 26->40         started        signatures7 process8 file9 72 C:\Users\user\AppData\Roaming\...\mg_6334, iAPX 30->72 dropped 110 Writes to foreign memory regions 30->110 112 Allocates memory in foreign processes 30->112 114 Injects a PE file into a foreign processes 30->114 42 iexplore.exe 30->42         started        46 iexplore.exe 30->46         started        48 iexplore.exe 30->48         started        56 7 other processes 30->56 58 2 other processes 34->58 50 cmd.exe 1 36->50         started        52 taskkill.exe 1 38->52         started        54 conhost.exe 38->54         started        60 2 other processes 40->60 signatures10 process11 dnsIp12 80 logins-ltm0w7xt.kgslb.com 203.133.167.18, 443, 49769, 49771 DAUM-NETKakaoCorpKR Korea Republic of 42->80 90 3 other IPs or domains 42->90 70 C:\Users\Public\1.dat, iAPX 42->70 dropped 82 logins.daum.net 46->82 84 211.231.99.82, 443, 49773, 49775 KAKAO-AS-KRKakaoCorpKR Korea Republic of 48->84 86 logins.daum.net 48->86 62 taskkill.exe 1 50->62         started        64 conhost.exe 50->64         started        88 211.231.99.19, 443, 49780 KAKAO-AS-KRKakaoCorpKR Korea Republic of 56->88 92 5 other IPs or domains 56->92 file13 process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/42d3be363dd71be21102baba9ef2e2d7a4a3629431e94bca22ae171766dbe3da/
Threat name:
Win32.Trojan.Kimsuky
Create hunting rule
Status:
Malicious
First seen:
2022-01-11 07:32:00 UTC
File Type:
PE (Dll)
AV detection:
22 of 27 (81.48%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
53d9e2e96f2d7cf4fc75099166a2d2d613183e54beb62435bfed5e004b640c3b
Kimsuky
727bc43e3d9cdf3e79c2232cf3f647bdf94ad2012c31403434c17e5bbeb3c339
Kimsuky
98c261fc578802232657c1bec8befeff60ec897a1aebfd87f0658b9d694bf7f5
Kimsuky
9cb8d08fd8a52329c510b33e643739bd3dcaaa6d0e79542608f8b6d1b19e6c75
Kimsuky
9f86527e3ca4530bb3209d8608dae083afab4ef2cf7b0ae23bcd6fdc322a0c33
Kimsuky
b31922461be215289c3801f6d2f6c2ad14edd8e8ef648a274b37121d7dd155ea
Kimsuky
c11ce0fc31a66ae6a55fabd6d31553062c53646399d461b6896e141acf74c6e7
Kimsuky
cd3b42b2ca77ce40fb72780b4d1e589c740fe3c7e1b44a3a6faf4a4494f09b63
Kimsuky
d0c1200f4a5094c371836004c9c4456ca1b243e0cdde1d1331434c98e0364f71
Kimsuky
f9246e651945795f890eefb4a4bd771576c7724d8c2ba753de25e7322818c0dc
Kimsuky
+ 1 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence spyware stealer vmprotect
Link:
https://tria.ge/reports/220318-metwpshebn/
Behaviour
Enumerates processes with tasklist
Gathers network information
Gathers system information
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads user/profile data of web browsers
VMProtect packed file
Unpacked files
SH256 hash:
dc44fd461110f1c768d95109fd7a87dae12a274cbcd375ea2b8ce6666b4cc043
MD5 hash:
27f99c16143caa9fbd9f8affdcaa65c7
SHA1 hash:
d7d38e6aa1687c3a0a5dc27b7e1d02b62d1b2b4b
Link:
https://www.unpac.me/results/7498829d-ba44-4674-9ad9-bb5edcccb84d/
SH256 hash:
42d3be363dd71be21102baba9ef2e2d7a4a3629431e94bca22ae171766dbe3da
MD5 hash:
18a0abb7a6f4bd5a25cedb9abe077060
SHA1 hash:
a7b836229d981ae34227efe9f9e996c2753f9262
Link:
https://www.unpac.me/results/7498829d-ba44-4674-9ad9-bb5edcccb84d/
Malware family:
Winnti Group
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/42d3be363dd7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/42d3be363dd71be21102baba9ef2e2d7a4a3629431e94bca22ae171766dbe3da

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with VMProtect.
Rule name:Winnti_NlaifSvc
Create hunting rule
Author:Florian Roth
Description:Winnti sample - file NlaifSvc.dll
Reference:https://goo.gl/VbvJtL
Rule name:Winnti_NlaifSvc_RID2CFF
Create hunting rule
Author:Florian Roth
Description:Winnti sample - file NlaifSvc.dll
Reference:https://goo.gl/VbvJtL

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/252418/

Comments