MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 43919cb86c587b0587b051f513b236247e4fd95cba88a8198e30c4603082cad8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 43919cb86c587b0587b051f513b236247e4fd95cba88a8198e30c4603082cad8
SHA3-384 hash: 0a96bde67d385fe9936bd55c875db46a78b4cce2f84dfda8a66968be817988ed7eaed71bd58d92adbd0ddbfe843d09d7
SHA1 hash: fcac50b5cb007cc8bbbac0d029204fa2025f22db
MD5 hash: 783fdfceeb96ff7c05ae85e5b5159b0b
humanhash: romeo-cardinal-earth-robert
File name:山寨版的“顶级投资机构”,正在诈骗你老家的亲戚朋友“视频”.exe
Download: download sample
File size:638'976 bytes
First seen:2021-01-09 12:01:40 UTC
Last seen:2021-01-09 13:44:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c40ce05cc0d79183a4a1cea34f7452de
ssdeep 12288:e9Ap1JlFOZwQ+cTfHfNy4uZtNeugNvhAVbGM4eTBww:e9ULwwQdr/huZtN7gygeVww
Threatray 14 similar samples on MalwareBazaar
TLSH 39D4CE1177F2C077C913C1324E46C39C66BABE519E26C687BBE13B0EBE74191DA28E45
Reporter vm001cn
Tags:exe


Avatar
vm001cn
111.177.18.200

Intelligence

File Origin
# of uploads :
2
# of downloads :
192
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
山寨版的“顶级投资机构”,正在诈骗你老家的亲戚朋友“视频”.exe
Verdict:
No threats detected
Analysis date:
2021-01-09 11:58:47 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/bd5b5315-5028-40ca-9edb-5058f4b05b8f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/111117/
Detection(s):
SecuriteInfo.com.Backdoor.Win32.Zegost.L.17938.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Mimikatz
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/577276
Signature
Changes security center settings (notifications, updates, antivirus, firewall)
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Mimikatz
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 337689 Sample: 91#U201d.exe Startdate: 09/01/2021 Architecture: WINDOWS Score: 92 43 Multi AV Scanner detection for submitted file 2->43 45 Yara detected Mimikatz 2->45 47 Uses ping.exe to sleep 2->47 49 3 other signatures 2->49 7 91#U201d.exe 1 2 2->7         started        10 Sklme.exe 2->10         started        13 svchost.exe 2->13         started        15 8 other processes 2->15 process3 file4 31 C:\Windows\Sklme.exe, PE32 7->31 dropped 33 C:\Windows\Sklme.exe:Zone.Identifier, ASCII 7->33 dropped 17 cmd.exe 1 7->17         started        53 Multi AV Scanner detection for dropped file 10->53 55 Machine Learning detection for dropped file 10->55 57 Drops executables to the windows directory (C:\Windows) and starts them 10->57 21 Sklme.exe 10->21         started        59 Changes security center settings (notifications, updates, antivirus, firewall) 13->59 23 MpCmdRun.exe 1 13->23         started        signatures5 process6 dnsIp7 35 127.0.0.1 unknown unknown 17->35 51 Uses ping.exe to sleep 17->51 25 conhost.exe 17->25         started        27 PING.EXE 1 17->27         started        37 mip.chinaz.com 219.129.216.239, 80 CHINATELECOM-GUANGDONG-IDCGuangdongCN China 21->37 39 192.168.2.1 unknown unknown 21->39 41 192.168.2.3, 443, 49563, 49679 unknown unknown 21->41 29 conhost.exe 23->29         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/43919cb86c587b0587b051f513b236247e4fd95cba88a8198e30c4603082cad8/
Threat name:
Win32.Infostealer.Magania
Create hunting rule
Status:
Malicious
First seen:
2021-01-09 12:02:06 UTC
AV detection:
16 of 29 (55.17%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
02965941d39eef787b6d2483095f7c5c6eec84a2a97ce4e85eee9e0e610506e2
0367ec4f514399dfae2b74ed8b9303f1f47e527d5bc7bd7cb900710937add0a4
4bb4435958fa48762b34905fc5ac50c78878eccb33252f72cb037d664cb60fc9
82c8c241387c128a1d00eb9a96ec415ccad32461600441cb9a6c9176cfebd617
851f2df17ce8673bc0747d4ec64b2904b3749a5e9028acbc65db70613b3e5ad5
a4053c9427fa00b62f65abf8ad7760e39df7f7ea0c72ed89375e2076f7cb79a3
a578e71d04eae80004ab431497c95fb9779a95dc7f0c60996c24c1cb7139745d
a66d1021e54269963e9a54892869d569ffa1c74d9fb1b67f023ea5fdfd90c1a6
c96fb748304f35220cae69a622318ee3e425802dea7387549af4add7ba449b7e
d19b02a35003c637360cc342d5fcdae87dc7336fc7925f07f5c0636eae22ba37
+ 4 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
upx
Link:
https://tria.ge/reports/210109-lah5laec9x/
Behaviour
Suspicious use of AdjustPrivilegeToken
Drops file in Windows directory
UPX packed file
Unpacked files
SH256 hash:
43919cb86c587b0587b051f513b236247e4fd95cba88a8198e30c4603082cad8
MD5 hash:
783fdfceeb96ff7c05ae85e5b5159b0b
SHA1 hash:
fcac50b5cb007cc8bbbac0d029204fa2025f22db
Link:
https://www.unpac.me/results/fb456afe-2a76-4557-87dc-1d968783d6d2/
SH256 hash:
94ce3e4ea8aecf7246aaf4525c09882a9918e84fd5dd8b0b134c98c673d9738f
MD5 hash:
e135cb91e86549635f329db4b5cfcbe5
SHA1 hash:
fb8263d67a285c69de702990bb47cb7b02932d95
Link:
https://www.unpac.me/results/fb456afe-2a76-4557-87dc-1d968783d6d2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Emotet
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/43919cb86c587b0587b051f513b236247e4fd95cba88a8198e30c4603082cad8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/111117/

Comments