MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 435c71d1697fc65aecf34399586a55e217fffb21f1bb694861974de2822be126. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gootkit

Vendor detections: 9

Intelligence 9 IOCs YARA 2 File information Comments

SHA256 hash:	435c71d1697fc65aecf34399586a55e217fffb21f1bb694861974de2822be126
SHA3-384 hash:	f4294af0ef061a4307af374200fa563cb508f769147148a926f2f59c97b7c66a84884407f73d571ed42b5daa58ff9c19
SHA1 hash:	faf6e96f18f3678b9ef1dd06709a178afac72ca8
MD5 hash:	5a6a4c519f6dd89781daf3666ed00d0d
humanhash:	double-equal-happy-earth
File name:	435c71d1697fc65aecf34399586a55e217fffb21f1bb694861974de2822be126
Download:	download sample
Signature	Gootkit Create hunting rule
File size:	284'160 bytes
First seen:	2020-11-15 23:17:58 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	b7c6f05963454ae2f440d4ee64cc8d5e (4 x Gootkit)
ssdeep	3072:TbBuDEANubLasX3MAHCuFMMeWc/+KcfiT1YeGyk2yL6yhlX5MZnIgmQy:2NuisnnxFi+cxYeGyk2yL6yxamQ
Threatray	2 similar samples on MalwareBazaar
TLSH	9554CF79F5F22C0FC7A3037096AE6B776A5A5F700B06C9821F46D97AD48AD57C8123C8
Reporter	seifreed
Tags:	Gootkit

Intelligence

File Origin

# of uploads :

# of downloads :

1'401

Origin country :

n/a

Vendor Threat Intelligence

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a process with a hidden window

Sending a UDP request

DNS request

Sending a custom TCP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Unknown

Detection:

malicious

Classification:

expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/536991

Signature

Accesses win32k, likely to find offsets for exploits

Antivirus / Scanner detection for submitted sample

Contains functionality to compare user and computer (likely to detect sandboxes)

Contains functionality to detect sandboxes (registry SystemBiosVersion/Date)

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/435c71d1697fc65aecf34399586a55e217fffb21f1bb694861974de2822be126/

Threat name:

Win32.Ransomware.Cerber

Status:

Malicious

First seen:

2020-11-15 23:21:38 UTC

AV detection:

26 of 28 (92.86%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=inohduljp7dfv3htiomvq2sv4il776zb6g5wssdbs5g6farl4eta._file

Verdict:

malicious

Gootkit

adf5232a1643d236bfc7055c70e5fb3e05671e1fc91bc6178bd59163e8cbaad7

Gootkit

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/201115-hxewtln6bj/

Behaviour

Modifies data under HKEY_USERS

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Drops file in System32 directory

Unpacked files

SH256 hash:

435c71d1697fc65aecf34399586a55e217fffb21f1bb694861974de2822be126

MD5 hash:

5a6a4c519f6dd89781daf3666ed00d0d

SHA1 hash:

faf6e96f18f3678b9ef1dd06709a178afac72ca8

Link:

https://www.unpac.me/results/24fb46bd-0496-410c-a03d-3a192806a976/

SH256 hash:

ba4b95f77000470c1fba73e11dbd687241a564e7fce67965fc461d770a6301e6

MD5 hash:

990f891f2b1041f57862795a044033f7

SHA1 hash:

7f5520ba39b04957e3e8c88243a24d053e14fef4

Link:

https://www.unpac.me/results/24fb46bd-0496-410c-a03d-3a192806a976/

SH256 hash:

5c4ea4bf3fdcfab0a3bd1d80b7cc43ed3136859798f27448d695833f02aa5d14

MD5 hash:

b606b3518156872bc354a467162b6a30

SHA1 hash:

adffca1b9ab3b9742fcd41b5a7d7850a57514fb3

Detections:

win_gootkit_g0

win_gootkit_auto

Link:

https://www.unpac.me/results/24fb46bd-0496-410c-a03d-3a192806a976/

Parent samples :

6d5ee8b9ce1f9548ff8cd1198fc7934fe3f9f2034d215f406cca14e533670d3d
adf5232a1643d236bfc7055c70e5fb3e05671e1fc91bc6178bd59163e8cbaad7
435c71d1697fc65aecf34399586a55e217fffb21f1bb694861974de2822be126
0c2e07c74c6579471657b040a6e069e8a9a88d23227a3fb8b18a985cfd2553e7

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/435c71d1697fc65aecf34399586a55e217fffb21f1bb694861974de2822be126

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	VMware_detection_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	VMWare detection

Rule name:	win_gootkit_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample