MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 49fe6c1cce117dc28884b4713f1583af943af16dd936f760c46b1aedfdad75ca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 49fe6c1cce117dc28884b4713f1583af943af16dd936f760c46b1aedfdad75ca
SHA3-384 hash: 9e7aee37aa991a06c0b1d06097116615dc77a6822207ca2856e99c543201e5a759c5ee4f395a8c3dcc0408b335d43979
SHA1 hash: 51cfe381fd1379fe38550632307b8c4bf67d815c
MD5 hash: f5cf9ca73dd30caf43d75dd19240a79e
humanhash: oregon-south-florida-quiet
File name:49fe6c1cce117dc28884b4713f1583af943af16dd936f760c46b1aedfdad75ca
Download: download sample
File size:125'928 bytes
First seen:2020-07-29 08:12:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0ebb3c09b06b1666d307952e824c8697 (15 x RedLineStealer, 13 x LgoogLoader, 7 x NanoCore)
ssdeep 3072:WGu9BlfzWIbXWm+w0J95i+yQ5ao7/tPlvXLrKzvABEV:W/0uoEQ5a8PLr2N
Threatray 82 similar samples on MalwareBazaar
TLSH 84C39E1296E4813BE4F233B05AF912631B35BCE06F75A39F828955D95C753C0AA3836F
Reporter JAMESWT_WT

Code Signing Certificate

Organisation:PET SERVICES d.o.o.
Issuer:Sectigo RSA Code Signing CA
Algorithm:sha256WithRSAEncryption
Valid from:Dec 13 00:00:00 2019 GMT
Valid to:Dec 12 23:59:59 2020 GMT
Serial number: D5690D94F15315E143DB10AF35497DC5
Thumbprint Algorithm:SHA256
Thumbprint: C0FC08C743F954A57F1A60CB1BF1775F926D86B85943ECB3369E077526D04B9B
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
67
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/34627/
Detection(s):
SecuriteInfo.com.BACKDOOR.Trojan.2860.9358.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw.evad
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/402075
Signature
Opens network shares
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
System process connects to network (likely due to code injection or exploit)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 process2 2 Behavior Graph ID: 253391 Sample: xQAq3214fP Startdate: 29/07/2020 Architecture: WINDOWS Score: 56 6 xQAq3214fP.exe 1 4 2->6         started        8 rundll32.exe 2->8         started        process3 10 cmd.exe 3 2 6->10         started        process4 12 wscript.exe 6 10->12         started        16 conhost.exe 10->16         started        dnsIp5 18 95.181.157.218, 443, 49758, 49759 MSKHOSTRU Russian Federation 12->18 20 System process connects to network (likely due to code injection or exploit) 12->20 22 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 12->22 24 Opens network shares 12->24 signatures6
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/49fe6c1cce117dc28884b4713f1583af943af16dd936f760c46b1aedfdad75ca/
Threat name:
Win32.Trojan.Skeeyah
Create hunting rule
Status:
Malicious
First seen:
2020-07-26 17:19:47 UTC
File Type:
PE (Exe)
Extracted files:
16
AV detection:
19 of 29 (65.52%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
0c64aa3ccc9b4f7482dbd5f3291a82bea3607c1290fad0a91b18d7101387d185
1023c7d9224250cd2a21a365f5b9a5f434180acd13fd22acda7d8b34915c5757
2592c39ffbe369b2a6d1cf29e90bc0d0459ac881ae5fc2425ee61aa04ff2e97a
b2f041348835c102db3769245ee4c28dd00cb19c3c6710fc9c11228f3bbce61b
b479533a51ba629bd5f20a7e9faa3bcccfddc72218b23dfd5a4ab15825204944
ba9c641828f465a988c43c858463602faadc4bc688b5b58d9a80bd25fd45a4d6
e6fd67f6f97b12e9c521c165db7d021c9c86ac1f45582692a8972090f20a9a6d
e7a8f968f1c68de29d5cbadaef5ae9b10cc8b8098669feed67a5a570814182ce
ea05817e0614fd085e2775d01e7197e93bde58cf57789aeb49ed39f6c295973c
fc0ffda44e2748b424639a1592356cc209abf6045a8d6a069f5f562ea1f31763
+ 72 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/200729-fyw8bbm24x/
Behaviour
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious use of WriteProcessMemory
JavaScript code in executable
Adds Run key to start application
JavaScript code in executable
Adds Run key to start application
Blacklisted process makes network request
Blacklisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/49fe6c1cce117dc28884b4713f1583af943af16dd936f760c46b1aedfdad75ca

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/34627/

Comments