MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4901558e82430e4a21b5fbf6615d76e02bb7a0941e4c7f3dd92293f6f65ffce6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Macoute

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	4901558e82430e4a21b5fbf6615d76e02bb7a0941e4c7f3dd92293f6f65ffce6
SHA3-384 hash:	b1d7f64e93f1951c081ca1e944a06334629e5dcef298871c20138af0121511237d9fa7ac589b2e571130a8c9ae3d7a57
SHA1 hash:	e6afd4bc54818eac5535e73933dbbaaffd3a1441
MD5 hash:	fa373b50ddba26ca622b83e46aff3c38
humanhash:	black-diet-red-crazy
File name:	4901558e82430e4a21b5fbf6615d76e02bb7a0941e4c7f3dd92293f6f65ffce6
Download:	download sample
Signature	Macoute Create hunting rule
File size:	684'032 bytes
First seen:	2021-09-06 06:44:00 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	23b7a2ad6dd5722f5566eaa0d8a348bf (44 x Macoute, 3 x Worm.Virut)
ssdeep	6144:RafsiuvAQ+tTm6cyERSiytj71cEE4jKS6v5oCDrPGqIdqArr:GCvAQ+q6ctRt636EfjO7DyNqA
Threatray	5'075 similar samples on MalwareBazaar
TLSH	T1CAE4C082EBC340F1D8970F715567A37F9B325B09542CDE9AD3986E45AC33323AA2E354
dhash icon	f4dcccc8ccccd810 (35 x Macoute, 3 x Worm.Virut)
Reporter	JAMESWT_WT
Tags:	exe Macoute

Intelligence

File Origin

# of uploads :

# of downloads :

103

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

4901558e82430e4a21b5fbf6615d76e02bb7a0941e4c7f3dd92293f6f65ffce6

Verdict:

Malicious activity

Analysis date:

2021-09-06 07:21:04 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/a259cd1c-bd82-4d77-8bfb-50a8f58eee3b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/185586/

Detection(s):

Win.Malware.Zusy-6888246-0

Win.Worm.Autorunvb-7053731-0

Win.Packed.Ulpm-9799291-0

Win.Malware.Zusy-9889629-0

Win.Trojan.Agent-1379661

Result

Verdict:

Malware

Maliciousness:

Behaviour

Connection attempt to an infection source

Creating a file in the Program Files subdirectories

Launching the default Windows debugger (dwwin.exe)

Sending a UDP request

Query of malicious DNS domain

Sending a TCP request to an infection source

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a browser process

Malware family:

Tinba

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a9993af9-3118-4b92-840c-d58a99c9f0d2

Result

Threat name:

Macoute

Detection:

malicious

Classification:

spre.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/845807

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Changes memory attributes in foreign processes to executable or writable

Contains functionality to steal Internet Explorer form passwords

Creates a thread in another existing process (thread injection)

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

PE file has a writeable .text section

Sigma detected: Suspicious Svchost Process

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Macoute

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4901558e82430e4a21b5fbf6615d76e02bb7a0941e4c7f3dd92293f6f65ffce6/

Threat name:

Win32.Virus.Virut

Status:

Malicious

First seen:

2021-08-31 00:03:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

43 of 43 (100.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=jeavlducimheuinv7p3gcxlw4av3pieudzgh6pozekj7n5s77tta._file

Verdict:

malicious

Result

Malware family:

n/a

Score:

10/10

Tags:

evasion persistence suricata

Link:

https://tria.ge/reports/210906-hhm54sdgbr/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Drops file in Program Files directory

Adds Run key to start application

Modifies firewall policy service

Suspicious use of NtCreateProcessExOtherParentProcess

suricata: ET MALWARE Known Hostile Domain ilo.brenz .pl Lookup

Unpacked files

SH256 hash:

4901558e82430e4a21b5fbf6615d76e02bb7a0941e4c7f3dd92293f6f65ffce6

MD5 hash:

fa373b50ddba26ca622b83e46aff3c38

SHA1 hash:

e6afd4bc54818eac5535e73933dbbaaffd3a1441

Link:

https://www.unpac.me/results/0044ebc6-0034-4b88-be13-9907f44ad29f/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/4901558e8243/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4901558e82430e4a21b5fbf6615d76e02bb7a0941e4c7f3dd92293f6f65ffce6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/185586/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample