MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 465d3aac3ca4daa9ad4de04fcb999f358396efd7abceed9701c9c28c23c126db. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Hupigon


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 465d3aac3ca4daa9ad4de04fcb999f358396efd7abceed9701c9c28c23c126db
SHA3-384 hash: 2d12e3eda52a92965db9cc22bfa110017e268bd726b884c4470e2b832b71d88f61de8e7ff32dcaf53378c871d5370b05
SHA1 hash: ef13b532ced32acf7318f1143883a7df63725971
MD5 hash: c03f75f276a4723370d6c6d6615c5125
humanhash: iowa-quiet-delta-network
File name:c03f75f276a4723370d6c6d6615c5125
Download: download sample
Signature Hupigon
Create hunting rule
File size:666'112 bytes
First seen:2021-11-24 19:44:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 24fe7ddb81105d98c91c163e135557c8 (1 x Hupigon)
ssdeep 12288:T3jOn2k7T+CMPW5AAX4tbAYRrYJAeZ1sugXKyAt8wGpB5NPuvubQdGUGDFF+:T3i2Q+C8W5AqYDrYhi3KyAt8wJvmQ8N
TLSH T140E48E22F2908477D1736A3C9C1F52995829BF103E29B94B3BE81E4C9F397917D292D3
File icon (PE):PE icon
dhash icon c9d4c4cda6a8cec6 (5 x Gh0stRAT, 2 x Formbook, 2 x FatalRAT)
Reporter zbetcheckin
Tags:32 exe Hupigon

Intelligence

File Origin
# of uploads :
1
# of downloads :
211
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c03f75f276a4723370d6c6d6615c5125
Verdict:
Suspicious activity
Analysis date:
2021-11-24 20:36:25 UTC
Tags:
installer
Link:
https://app.any.run/tasks/e4a6b252-b824-4780-aec0-eb20c1fba14a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Detection(s):
Win.Trojan.Delf-1521
Create hunting rule

Win.Trojan.Delf-1459
Create hunting rule

Win.Trojan.Hupigon-7432837-0
Create hunting rule

Win.Trojan.Hupigon-34392
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Creating a file in the Windows directory
Enabling the 'hidden' option for recently created files
Creating a service
Launching a service
Creating a process from a recently created file
Searching for synchronization primitives
DNS request
Sending a custom TCP request
Running batch commands
Creating a process with a hidden window
Enabling autorun for a service
Unauthorized injection to a recently created process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
monero
Link:
https://www.filescan.io/uploads/619e9645f36138de3f3a7bbf/reports/dff1fac1-bcb9-42ea-b03b-4a523a78bc3a/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Hupigon
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b59d3fe4-3473-4a40-a072-0e66b1fbfc5e
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/895715
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to detect sleep reduction / modifications
Contains functionality to inject code into remote processes
Delayed program exit found
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 528193 Sample: MGyFdGKXHV.exe Startdate: 24/11/2021 Architecture: WINDOWS Score: 100 38 Antivirus / Scanner detection for submitted sample 2->38 40 Multi AV Scanner detection for submitted file 2->40 42 Machine Learning detection for sample 2->42 44 Drops executables to the windows directory (C:\Windows) and starts them 2->44 7 Etool.exe 1 2->7         started        11 MGyFdGKXHV.exe 3 2->11         started        14 svchost.exe 2->14         started        16 9 other processes 2->16 process3 dnsIp4 32 mastertest.f3322.net 222.211.72.29, 49748, 6189 CHINANET-SCIDC-AS-APCHINANETSiChuanTelecomInternetData China 7->32 46 Antivirus detection for dropped file 7->46 48 Multi AV Scanner detection for dropped file 7->48 50 Machine Learning detection for dropped file 7->50 18 iexplore.exe 7->18         started        28 C:\Windowstool.exe, PE32 11->28 dropped 30 C:\Windowstool.exe:Zone.Identifier, ASCII 11->30 dropped 52 Contains functionality to inject code into remote processes 11->52 54 Delayed program exit found 11->54 56 Contains functionality to detect sleep reduction / modifications 11->56 20 cmd.exe 1 11->20         started        58 Changes security center settings (notifications, updates, antivirus, firewall) 14->58 22 MpCmdRun.exe 1 14->22         started        34 127.0.0.1 unknown unknown 16->34 36 192.168.2.1 unknown unknown 16->36 file5 signatures6 process7 process8 24 conhost.exe 20->24         started        26 conhost.exe 22->26         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/465d3aac3ca4daa9ad4de04fcb999f358396efd7abceed9701c9c28c23c126db/
Threat name:
Win32.Backdoor.Hupigon
Create hunting rule
Status:
Malicious
First seen:
2021-11-19 22:32:05 UTC
File Type:
PE (Exe)
Extracted files:
39
AV detection:
44 of 45 (97.78%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=izotvlb4utnktlkn4bh4xgm7gwbzn36xvpho3fybzhbiyi6be3nq._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/211124-ygd4tagge8/
Behaviour
Modifies data under HKEY_USERS
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Deletes itself
Executes dropped EXE
Unpacked files
SH256 hash:
465d3aac3ca4daa9ad4de04fcb999f358396efd7abceed9701c9c28c23c126db
MD5 hash:
c03f75f276a4723370d6c6d6615c5125
SHA1 hash:
ef13b532ced32acf7318f1143883a7df63725971
Link:
https://www.unpac.me/results/9c5ad1b0-c2c9-4b6a-b4bf-7e8cc2bdcba3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Hupigeon
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/465d3aac3ca4daa9ad4de04fcb999f358396efd7abceed9701c9c28c23c126db

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Hupigon

Executable exe 465d3aac3ca4daa9ad4de04fcb999f358396efd7abceed9701c9c28c23c126db

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/209174/
  
URLhaus
https://urlhaus.abuse.ch/url/1813898/

Comments


Avatar
zbet commented on 2021-11-24 19:44:44 UTC

url : hxxp://222.211.72.29:35641/gz.exe