MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 435858766d123afb7afef259fca8564e883fffce4bdebe7da7b047f8030dfe4f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat: unknown
Vendor detections: 8

SHA256 hash: 435858766d123afb7afef259fca8564e883fffce4bdebe7da7b047f8030dfe4f
SHA3-384 hash: ed8ebc51748616867622c2fad93b69dc92c6b5fefeee30443789640bb7532fb1bc21334d00cbab9ecd4afe1490c4a7b6
SHA1 hash: e31f571471c2449da61b9ba56bbf1bad856669c9
MD5 hash: c03eb782ec7e5617c0020c785247b7a4
humanhash: minnesota-india-spaghetti-blossom
File name: csrss2.exe
File size: 1'940'480 bytes
First seen: 2021-03-07 22:26:00 UTC
Last seen: 2021-03-07 23:31:09 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 37e53d0e8ac0c4dfebe65c8f74f067f8
ssdeep: 49152:d345+ujYuLmlCbPmrSQKv9Ug/b2aMhDHO2:d34waLm8rmrBK1Ugj2aY
Threatray: 88 similar samples on MalwareBazaar
TLSH: 1D953390C296750CD85BE139BF4E42C5BDFAB9DD9A32CE2947A7B012B57E5009833C83
Reporter: r3dbU7z
Tags: exe
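The hashes above are the entry's file-level IOCs. The script below is an added example (not part of the MalwareBazaar page or the sample) that sweeps a directory tree and reports any file whose MD5, SHA1, SHA256 or SHA3-384 digest matches the submitted file or its unpacked child listed further down. The IOC values are copied from this entry; the directory walk, chunk size and the empty-input checks are assumptions. imphash, ssdeep and TLSH are left out because they need pefile, ssdeep and tlsh bindings that are not in the standard library.

```python
"""Sweep files for the hash IOCs published on this MalwareBazaar entry.

Added example, not MalwareBazaar's or the sample's code. Hash values are copied
from the entry; everything else (paths, chunk size, CLI) is an assumption.
"""
import hashlib
import io
import os
import sys
from typing import BinaryIO, Dict, Iterable, List, Set, Tuple

# IOCs copied from the entry: submitted file (csrss2.exe, UPX-packed)
# and the unpacked child reported under "Unpacked files".
HASH_IOCS: Dict[str, Set[str]] = {
    "md5": {
        "c03eb782ec7e5617c0020c785247b7a4",
        "cbb7abeaf714ccd199b34c6b16695a02",
    },
    "sha1": {
        "e31f571471c2449da61b9ba56bbf1bad856669c9",
        "3dfa76d5c3b9fb7491f8f4aa446d5bf3b740cb45",
    },
    "sha256": {
        "435858766d123afb7afef259fca8564e883fffce4bdebe7da7b047f8030dfe4f",
        "5c7b49091a17719028a30b46baf6e5ca6ae04deecd28428cb1575eb53696b9ee",
    },
    "sha3_384": {
        "ed8ebc51748616867622c2fad93b69dc92c6b5fefeee30443789640bb7532fb1bc21334d00cbab9ecd4afe1490c4a7b6",
    },
}

ALGOS = ("md5", "sha1", "sha256", "sha3_384")
CHUNK = 1 << 20  # 1 MiB read size (assumption) so large files are not slurped


def digests_from_stream(fobj: BinaryIO) -> Dict[str, str]:
    """Compute every digest the entry publishes in a single pass over the stream."""
    hs = {name: hashlib.new(name) for name in ALGOS}
    while True:
        block = fobj.read(CHUNK)
        if not block:
            break
        for h in hs.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hs.items()}


def digests(data: bytes) -> Dict[str, str]:
    """Convenience wrapper for in-memory bytes."""
    return digests_from_stream(io.BytesIO(data))


def match_iocs(data: bytes, iocs: Dict[str, Set[str]] = HASH_IOCS) -> List[Tuple[str, str]]:
    """Return (algorithm, digest) pairs of `data` that appear in the IOC set."""
    d = digests(data)
    return [(algo, d[algo]) for algo in sorted(iocs) if algo in d and d[algo] in iocs[algo]]


def sweep(paths: Iterable[str], iocs: Dict[str, Set[str]] = HASH_IOCS) -> Dict[str, List[Tuple[str, str]]]:
    """Hash each readable path and collect IOC hits keyed by path."""
    hits: Dict[str, List[Tuple[str, str]]] = {}
    for p in paths:
        try:
            with open(p, "rb") as f:
                d = digests_from_stream(f)
        except OSError:
            continue  # unreadable or vanished file; skip rather than abort the sweep
        m = [(algo, d[algo]) for algo in sorted(iocs) if algo in d and d[algo] in iocs[algo]]
        if m:
            hits[p] = m
    return hits


def walk(root: str) -> Iterable[str]:
    for dirpath, _, names in os.walk(root):
        for n in names:
            yield os.path.join(dirpath, n)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, matches in sweep(walk(root)).items():
        for algo, value in matches:
            print(f"HIT {path} {algo}={value}")
```

A match on any one algorithm is enough to report; checking all four catches the case where a feed only republished one of them. Note that a hash sweep only finds byte-identical copies, so the unpacked child's hashes matter: a dropped, UPX-stripped payload on disk will not match the packed parent's digests.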

Intelligence


File Origin
# of uploads: 2
# of downloads: 131
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: csrss2.exe
Verdict: Suspicious activity
Analysis date: 2021-03-07 22:27:01 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Creating a file in the Windows directory
Creating a process from a recently created file
Enabling the 'hidden' option for recently created files
Delayed reading of the file
Creating a file in the Windows subdirectories
Connection attempt
Sending a UDP request
Deleting a recently created file
Creating a file
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Searching for the window
Launching a tool to kill processes
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: ETERNALBLUE
Detection: malicious
Classification: expl.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
Connects to many different private IPs (likely to spread or exploit)
Connects to many different private IPs via SMB (likely to spread or exploit)
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected ETERNALBLUE
Behaviour: behavior graph (image only, not reproduced here)
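Two of the signatures above ("Connects to many different private IPs" and "... via SMB") describe the network side of a worm-style SMB spreader: one source opening TCP/445 to many distinct internal destinations in a short time. The following is an added example (not from the page or any vendor sandbox) of that same idea as a log-side detection: a sliding-window count of distinct private TCP/445 destinations per source host. The tab-separated conn-log layout (ts, id.orig_h, id.resp_h, id.resp_p, proto), the sample lines, the 60-second window and the threshold of 10 are all constructed assumptions; tune them to the environment.

```python
"""Flag hosts that reach many distinct private IPs on TCP/445 within a window.

Added example, not MalwareBazaar's or any sandbox vendor's code. Log format and
sample lines are constructed; window and threshold are assumptions.
"""
import ipaddress
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, List, Tuple

# Constructed Zeek-conn.log-like lines: ts, id.orig_h, id.resp_h, id.resp_p, proto.
# 10.0.0.7 is a normal client talking to one file server; 10.0.0.5 sweeps 20 hosts.
SAMPLE_LOG: List[str] = (
    ["#fields\tts\tid.orig_h\tid.resp_h\tid.resp_p\tproto"]
    + [f"{1615156000 + i}\t10.0.0.7\t10.0.0.2\t445\ttcp" for i in range(5)]
    + [f"{1615156000 + i}\t10.0.0.5\t10.0.0.{10 + i}\t445\ttcp" for i in range(20)]
    + ["1615156010\t10.0.0.5\t93.184.216.34\t445\ttcp",  # public dst: ignored
       "1615156011\t10.0.0.5\t10.0.0.99\t53\tudp"]        # not SMB: ignored
)


def parse_conn(line: str) -> Tuple[float, str, str, int, str]:
    ts, orig, resp, port, proto = line.rstrip("\n").split("\t")
    return float(ts), orig, resp, int(port), proto


def is_private(ip: str) -> bool:
    try:
        return ipaddress.ip_address(ip).is_private
    except ValueError:
        return False  # malformed address field; treat as not interesting


def smb_fanout(lines: Iterable[str], window_s: float = 60.0,
               threshold: int = 10) -> Dict[str, List[Tuple[float, int]]]:
    """Return {orig_h: [(alert_ts, distinct_private_dsts), ...]}.

    A source is alerted once when it first reaches `threshold` distinct private
    TCP/445 destinations inside a sliding `window_s` window, and re-armed only
    after its count drops below the threshold again, so a sustained sweep does
    not produce one alert per connection.
    """
    per_src: Dict[str, Deque[Tuple[float, str]]] = defaultdict(deque)
    armed: Dict[str, bool] = defaultdict(lambda: True)
    alerts: Dict[str, List[Tuple[float, int]]] = defaultdict(list)
    for line in lines:
        if not line or line.startswith("#"):
            continue
        ts, orig, resp, port, proto = parse_conn(line)
        if proto != "tcp" or port != 445 or not is_private(resp):
            continue
        q = per_src[orig]
        q.append((ts, resp))
        while q and ts - q[0][0] > window_s:   # expire entries outside the window
            q.popleft()
        distinct = len({r for _, r in q})
        if distinct >= threshold and armed[orig]:
            alerts[orig].append((ts, distinct))
            armed[orig] = False
        elif distinct < threshold:
            armed[orig] = True
    return dict(alerts)


if __name__ == "__main__":
    for src, events in smb_fanout(SAMPLE_LOG).items():
        for ts, n in events:
            print(f"SMB fan-out: {src} reached {n} private hosts on tcp/445 by ts={ts}")
```

Distinct destinations are counted rather than raw connection attempts so a client hammering one file server does not trip the rule, which is exactly the difference between the two vendor signatures and ordinary SMB traffic. Connections that fail (RST or no reply) are the most telling for a scanner, so on real conn.log data the `conn_state` field is worth adding as an extra filter.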
Threat name: Win32.Trojan.EquationDrug
Status: Malicious
First seen: 2021-01-26 14:11:51 UTC
AV detection: 20 of 29 (68.97%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: upx
Behaviour
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Deletes itself
Executes dropped EXE
Unpacked files
SHA256 hash: 5c7b49091a17719028a30b46baf6e5ca6ae04deecd28428cb1575eb53696b9ee
MD5 hash: cbb7abeaf714ccd199b34c6b16695a02
SHA1 hash: 3dfa76d5c3b9fb7491f8f4aa446d5bf3b740cb45
SHA256 hash: 435858766d123afb7afef259fca8564e883fffce4bdebe7da7b047f8030dfe4f
MD5 hash: c03eb782ec7e5617c0020c785247b7a4
SHA1 hash: e31f571471c2449da61b9ba56bbf1bad856669c9
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: suspicious_packer_section
Author: @j0sm1
Description: The packer/protector section names/keywords
Reference: http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name: upx_packed
Description: UPX packed file

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments