MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 43fc7007823fa8f0e718a782ba2d85a5e63eb77a8efebc223e72d5671465e44f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 43fc7007823fa8f0e718a782ba2d85a5e63eb77a8efebc223e72d5671465e44f
SHA3-384 hash: ed19d4311efa44a94ac4ab326f0f35e55e2843bca22b29a4a397b1ee028a086d1745db4d62f5328ffa02dd5685efa352
SHA1 hash: 916daef6e4c37ecc87a3f7ce59571b1fddd62815
MD5 hash: f54463794e09f680a869d9f989399025
humanhash: crazy-july-xray-ceiling
File name:43fc7007823fa8f0e718a782ba2d85a5e63eb77a8efebc223e72d5671465e44f
Download: download sample
File size:1'253'376 bytes
First seen:2021-02-23 15:35:51 UTC
Last seen:2021-02-23 18:06:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2e5467cba76f44a088d39f78c5e807b6 (131 x DCRat, 112 x njrat, 79 x RedLineStealer)
ssdeep 24576:X/MQ9W7MqT39TOVeoPtX8S+Ax2YdTJ8ibdQYm4cBl5Mxw5FhgKKH:X0uqTtTYeoP/SY/zb2b5BXMxIgKKH
Threatray 4 similar samples on MalwareBazaar
TLSH 654533932865C735EF86F4B0DE361616EB76E4CD4B5F4ED90405A82AF13BE4BC96C802
Reporter JAMESWT_WT

Intelligence

File Origin
# of uploads :
2
# of downloads :
79
Origin country :
n/a
Vendor Threat Intelligence
Detection:
EnigmaStub
Create hunting rule
Link:
https://www.capesandbox.com/analysis/118677/
Detection(s):
PUA.Win.Packer.EnigmaProtector-19
Create hunting rule

PUA.Win.Packer.EnigmaProtector-1
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Creating a file
Launching a process
Creating a process from a recently created file
Sending a UDP request
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Creating a file in the %temp% directory
Deleting a recently created file
Creating a window
Reading critical registry keys
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/615743
Signature
.NET source code contains in memory code execution
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops executable to a common third party application directory
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sigma detected: System File Execution Location Anomaly
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 356879 Sample: x0yccMVTIb Startdate: 23/02/2021 Architecture: WINDOWS Score: 100 53 Malicious sample detected (through community Yara rule) 2->53 55 Antivirus detection for dropped file 2->55 57 Antivirus / Scanner detection for submitted sample 2->57 59 16 other signatures 2->59 7 x0yccMVTIb.exe 1 21 2->7         started        11 csrss.exe 3 2->11         started        13 lsass.exe 3 2->13         started        15 3 other processes 2->15 process3 file4 39 C:\Windows\Cursors\lsass.exe, PE32 7->39 dropped 41 C:\Users\...\KmOHIKDFeaExRhycxADTBYehJ.exe, PE32 7->41 dropped 43 C:\...\KmOHIKDFeaExRhycxADTBYehJ.exe, PE32 7->43 dropped 45 9 other malicious files 7->45 dropped 65 Detected unpacking (changes PE section rights) 7->65 67 Detected unpacking (overwrites its own PE header) 7->67 69 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->69 79 3 other signatures 7->79 17 RuntimeBroker.exe 7->17         started        21 schtasks.exe 1 7->21         started        23 schtasks.exe 1 7->23         started        25 4 other processes 7->25 71 Antivirus detection for dropped file 11->71 73 Multi AV Scanner detection for dropped file 11->73 75 Machine Learning detection for dropped file 11->75 77 Hides threads from debuggers 13->77 signatures5 process6 dnsIp7 47 ipinfo.io 216.239.38.21, 443, 49726 GOOGLEUS United States 17->47 49 denum.beget.tech 5.101.153.248, 49718, 49738, 80 BEGET-ASRU Russian Federation 17->49 51 192.168.2.1 unknown unknown 17->51 61 Tries to harvest and steal browser information (history, passwords, etc) 17->61 63 Hides threads from debuggers 17->63 27 conhost.exe 21->27         started        29 conhost.exe 23->29         started        31 conhost.exe 25->31         started        33 conhost.exe 25->33         started        35 conhost.exe 25->35         started        37 conhost.exe 25->37         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/43fc7007823fa8f0e718a782ba2d85a5e63eb77a8efebc223e72d5671465e44f/
Threat name:
Win32.Packed.EnigmaProtector
Create hunting rule
Status:
Malicious
First seen:
2021-02-22 21:46:56 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
25 of 48 (52.08%)
Threat level:
  1/5
Verdict:
suspicious
Similar samples:
5261874485f9fe16a78a558734e8652f93db1d544f3be331e7f6adc06f43ee98
9a080e918c88adb048ffca38c0604318eee80e19be5a578186a63cdd64d45a41
9cda5e5ad6ca68a803516013fbf62e6b06383b20fccf1ee6aed4730c916a3b55
ccae475b281127a3280a51906a2ab50248c8b7f75c34e93c5bd62ccc0fded850
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware
Link:
https://tria.ge/reports/210223-5jybz6cjsx/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Unpacked files
SH256 hash:
43fc7007823fa8f0e718a782ba2d85a5e63eb77a8efebc223e72d5671465e44f
MD5 hash:
f54463794e09f680a869d9f989399025
SHA1 hash:
916daef6e4c37ecc87a3f7ce59571b1fddd62815
Link:
https://www.unpac.me/results/b9149ba9-5153-4cb6-bc01-d35ba840c727/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/43fc7007823fa8f0e718a782ba2d85a5e63eb77a8efebc223e72d5671465e44f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CN_Honker__builder_shift_SkinH
Create hunting rule
Author:Florian Roth
Description:Sample from CN Honker Pentest Toolset - from files builder.exe, shift.exe, SkinH.exe
Reference:Disclosed CN Honker Pentest Toolset
Rule name:EnigmaStub
Create hunting rule
Author:@bartblaze
Description:Identifies Enigma packer stub.
Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:win_smominru_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/118677/

Comments