MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4428c955f11bf14ee87a1c6540314b9f24f6adbe848724dab4029242fef22137. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4428c955f11bf14ee87a1c6540314b9f24f6adbe848724dab4029242fef22137
SHA3-384 hash: 387edeab46ea07d9d7027f97277fdbcec9ab70662649a311958ca490cd9e3a91144fe9baddf88c936b6d35e853e5bc86
SHA1 hash: e75c8ab934161493c347b2d4fa553de49bf51169
MD5 hash: 012e070fb7343a002506974adc39dcef
humanhash: orange-foxtrot-eighteen-london
File name:Config.exe
Download: download sample
File size:2'050'048 bytes
First seen:2021-10-18 20:52:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 02549ff92b49cce693542fc9afb10102 (87 x CoinMiner, 2 x CoinMiner.XMRig, 1 x AgentTesla)
ssdeep 49152:idB7cScxVB5tHJv+mhH2DkNHPanMLtDoweoSmTjW:E7cScxVB5tDWDG7iLoSmnW
Threatray 129 similar samples on MalwareBazaar
TLSH T1859533115F1A1CE0D47E0EBE6AF846A9E4285E9C46E0A5A72187F3522F1CD2FDF00757
Reporter JaffaCakes118
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
264
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/198321/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the system32 subdirectories
Running batch commands
Launching a process
Creating a process from a recently created file
Creating a process with a hidden window
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
67%
Tags:
packed
Link:
https://www.filescan.io/uploads/616ddeb29a5a1e91c5c4750e/reports/53979f1f-69c2-4757-9db1-6727219bfe7d/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/19b8c8da-ac08-4574-82bd-3288ca7eac6a
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/872671
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Drops executables to the windows directory (C:\Windows) and starts them
Sigma detected: Powershell Defender Exclusion
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 505097 Sample: Config.exe Startdate: 18/10/2021 Architecture: WINDOWS Score: 68 80 Sigma detected: Powershell Defender Exclusion 2->80 11 Config.exe 2->11         started        14 services32.exe 2->14         started        process3 signatures4 98 Writes to foreign memory regions 11->98 100 Allocates memory in foreign processes 11->100 102 Creates a thread in another existing process (thread injection) 11->102 16 conhost.exe 5 11->16         started        20 conhost.exe 5 14->20         started        process5 file6 64 C:\Windows\System32\services32.exe, PE32+ 16->64 dropped 66 C:\Windows\...\services32.exe:Zone.Identifier, ASCII 16->66 dropped 70 Adds a directory exclusion to Windows Defender 16->70 22 cmd.exe 1 16->22         started        25 cmd.exe 1 16->25         started        27 cmd.exe 1 16->27         started        68 C:\Windows\System32\...\sihost32.exe, PE32+ 20->68 dropped 72 Drops executables to the windows directory (C:\Windows) and starts them 20->72 29 sihost32.exe 20->29         started        31 cmd.exe 1 20->31         started        signatures7 process8 signatures9 84 Drops executables to the windows directory (C:\Windows) and starts them 22->84 33 services32.exe 22->33         started        36 conhost.exe 22->36         started        86 Uses schtasks.exe or at.exe to add and modify task schedules 25->86 88 Adds a directory exclusion to Windows Defender 25->88 38 powershell.exe 23 25->38         started        40 conhost.exe 25->40         started        42 powershell.exe 25->42         started        48 2 other processes 27->48 90 Writes to foreign memory regions 29->90 92 Allocates memory in foreign processes 29->92 94 Creates a thread in another existing process (thread injection) 29->94 44 conhost.exe 29->44         started        46 powershell.exe 23 31->46         started        50 2 other processes 31->50 process10 signatures11 74 Writes to foreign memory regions 33->74 76 Allocates memory in foreign processes 33->76 78 Creates a thread in another existing process (thread injection) 33->78 52 conhost.exe 2 33->52         started        process12 signatures13 82 Adds a directory exclusion to Windows Defender 52->82 55 cmd.exe 1 52->55         started        process14 signatures15 96 Adds a directory exclusion to Windows Defender 55->96 58 conhost.exe 55->58         started        60 powershell.exe 55->60         started        62 powershell.exe 55->62         started        process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4428c955f11bf14ee87a1c6540314b9f24f6adbe848724dab4029242fef22137/
Threat name:
Win64.Trojan.Donut
Create hunting rule
Status:
Malicious
First seen:
2021-10-18 20:53:09 UTC
AV detection:
14 of 45 (31.11%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
12439fc7c876b8bf881db4e97ed57827c1c4f2fd0ebccc29a4e197b19c80488b
2636b0f988e2d2129d014b870101be731b72d39e4f8ff12156b1b523a5c36c6a
40387bebfe97eea9c90425caf5519019dfc0e7425bb238246ec9f7bb5d621293
9b8c70d1c0537d946bf7233df72a7e0ebdff2cb70404a69ee6a2419730973462
b41455dfe45bf98bd2f1acec07d7a0df02a3c83e1fdecfb403df3984ab794761
dc050b963c642e86bf74da5e85fbfcb0b3c12bd692808bf8ae12a36f4bcf3c84
e558134f888d403ba60d7db59978502a9071951528cd4873bd4702921012d69e
e7b94b42550145f6653edad5a47879f3bad1abe865f065d7036ca942c572e842
fbf130705ed4de523fd2e38a6c64848af5d6e1ce6a268251e7b6d6e3f8089957
fd6996eab709c3ed21ef140958d9a9147902336b85b47bc896372a18e469a6fc
+ 119 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/211018-zpbjbsffen/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
4428c955f11bf14ee87a1c6540314b9f24f6adbe848724dab4029242fef22137
MD5 hash:
012e070fb7343a002506974adc39dcef
SHA1 hash:
e75c8ab934161493c347b2d4fa553de49bf51169
Link:
https://www.unpac.me/results/af0d0bc1-a646-44bb-bebb-b74424dda347/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/4428c955f11b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.10
Link:
https://yomi.yoroi.company/submissions/4428c955f11bf14ee87a1c6540314b9f24f6adbe848724dab4029242fef22137

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 4428c955f11bf14ee87a1c6540314b9f24f6adbe848724dab4029242fef22137

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/198321/

Comments