MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 46f1855a26af76a635b843e10c9885029e44ba1bb2194f602cf7041430f72293. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 46f1855a26af76a635b843e10c9885029e44ba1bb2194f602cf7041430f72293
SHA3-384 hash: a5d872a798ad30f4ea9c5577611cd6598928f99e91396e976f6d9bfcd2b4f561b1fd3d7bcbb6175ebe829667af7f23a6
SHA1 hash: a7f064958626dcac3209d3ee9294755432701a7f
MD5 hash: c3c1704da6242a52877806e3bde2c46b
humanhash: delaware-eighteen-zulu-rugby
File name:c3c1704da6242a52877806e3bde2c46b.exe
Download: download sample
File size:1'010'166 bytes
First seen:2020-12-26 08:23:33 UTC
Last seen:2020-12-26 09:37:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 24576:Y2G/nvxW3WsT4U6cpXXWdF6zXyPo5E31fdJQF6iXyJo5oJqPf7MQ:YbA3D4XcZXywQUEl7QwPUokPzMQ
TLSH 00251202BAC159B3D6714C35456DAB21657CBC201F149FE7A3D42EADEA302C0AB35BB7
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
362
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/109487/
Detection(s):
PUA.Win.File.Generic-7109589-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Using the Windows Management Instrumentation requests
Running batch commands
Launching a service
Creating a file
Enabling the 'hidden' option for recently created files
DNS request
Sending a custom TCP request
Reading critical registry keys
Changing a file
Replacing files
Deleting a recently created file
Sending a UDP request
Sending an HTTP GET request
Unauthorized injection to a recently created process
Moving a recently created file
Delayed reading of the file
Connection attempt
Launching a tool to kill processes
Stealing user critical data
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/570176
Signature
Modifies Chrome's extension installation force list
Multi AV Scanner detection for submitted file
Sigma detected: MSHTA Spawning Windows Shell
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Uses regedit.exe to modify the Windows registry
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 334148 Sample: ZqM8Y76cVK.exe Startdate: 26/12/2020 Architecture: WINDOWS Score: 76 69 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->69 71 Multi AV Scanner detection for submitted file 2->71 73 Uses known network protocols on non-standard ports 2->73 75 2 other signatures 2->75 11 ZqM8Y76cVK.exe 24 2->11         started        process3 file4 45 C:\Users\user\AppData\Local\...\chrome64.bat, DOS 11->45 dropped 47 C:\Users\user\AppData\...\vcruntime140_1.dll, PE32+ 11->47 dropped 49 C:\Users\user\AppData\Local\Temp\...\main.exe, PE32+ 11->49 dropped 14 main.exe 1 5 11->14         started        process5 dnsIp6 59 ukndesw19x.com 45.77.254.200, 49736, 49751, 80 AS-CHOOPAUS United States 14->59 61 www.ukndesw19x.com 14->61 63 2 other IPs or domains 14->63 51 C:\Users\user\AppData\...\cookie-parse.exe, PE32+ 14->51 dropped 53 C:\Users\user\AppData\Local\Temp\...\curl.exe, PE32+ 14->53 dropped 18 cmd.exe 1 14->18         started        20 regedit.exe 3 14->20         started        23 cookie-parse.exe 14->23         started        25 5 other processes 14->25 file7 process8 signatures9 27 mshta.exe 21 18->27         started        77 Modifies Chrome's extension installation force list 20->77 79 Tries to harvest and steal browser information (history, passwords, etc) 23->79 process10 process11 29 cmd.exe 1 27->29         started        process12 31 chrome.exe 13 446 29->31         started        35 conhost.exe 29->35         started        dnsIp13 65 192.168.2.1 unknown unknown 31->65 67 239.255.255.250 unknown Reserved 31->67 41 C:\Users\user\AppData\Local\...\temp-index, COM 31->41 dropped 37 chrome.exe 21 31->37         started        file14 process15 dnsIp16 55 googlehosted.l.googleusercontent.com 216.58.215.225, 443, 49750 GOOGLEUS United States 37->55 57 clients2.googleusercontent.com 37->57 43 C:\Users\user\AppData\Local\...\Cookies, SQLite 37->43 dropped file17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/46f1855a26af76a635b843e10c9885029e44ba1bb2194f602cf7041430f72293/
Threat name:
Win32.Trojan.Rasftuby
Create hunting rule
Status:
Malicious
First seen:
2020-12-26 08:00:29 UTC
AV detection:
14 of 28 (50.00%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware
Link:
https://tria.ge/reports/201226-a5hy7vrkha/
Behaviour
Kills process with taskkill
Modifies Internet Explorer settings
Runs .reg file with regedit
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
JavaScript code in executable
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Unpacked files
SH256 hash:
46f1855a26af76a635b843e10c9885029e44ba1bb2194f602cf7041430f72293
MD5 hash:
c3c1704da6242a52877806e3bde2c46b
SHA1 hash:
a7f064958626dcac3209d3ee9294755432701a7f
Link:
https://www.unpac.me/results/c394f238-85bf-422e-b102-75d49612362d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Scar
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/46f1855a26af76a635b843e10c9885029e44ba1bb2194f602cf7041430f72293

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 46f1855a26af76a635b843e10c9885029e44ba1bb2194f602cf7041430f72293

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/942372/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/109487/

Comments