MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4b027545342913b299157c8e60174c2c73bb8ae0b9a6343d4bd2d592f46092dc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4b027545342913b299157c8e60174c2c73bb8ae0b9a6343d4bd2d592f46092dc
SHA3-384 hash: 7a430b537cfb1bfb61c6da90f08d37342024c19d10a5520c0d3d9440deb62cdd1d0940ae85314769ce728da2413e437d
SHA1 hash: c49b3cf920cce766786cf1fda5514c8b0301a9f0
MD5 hash: c7c2ac2217134c6d865804ca8c2fd544
humanhash: sierra-jersey-purple-alpha
File name:c7c2ac22_by_Libranalysis
Download: download sample
File size:384'512 bytes
First seen:2021-05-03 15:02:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fa42f93dc60cac12d0cad7a486b61ed2
ssdeep 6144:pFdobqFu7I91KlofKJ4dxqIpJzr3vBERF5t/c0xqqXlaA:pFdobT091KcKJU00V3vBE35tEJqc
Threatray 19 similar samples on MalwareBazaar
TLSH 1E84CF0175C0C137D493297A8C65CAB44ABAB8A4675256CBBBC82EFD5F306D2973234F
Reporter Libranalysis


Avatar
Libranalysis
Uploaded as part of the sample sharing project

Intelligence

File Origin
# of uploads :
1
# of downloads :
83
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Malware.Generic-9857167-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Launching the default Windows debugger (dwwin.exe)
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Searching for the window
Launching a tool to kill processes
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/708154
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 402996 Sample: c7c2ac22_by_Libranalysis Startdate: 03/05/2021 Architecture: WINDOWS Score: 68 20 Multi AV Scanner detection for submitted file 2->20 22 Machine Learning detection for sample 2->22 7 c7c2ac22_by_Libranalysis.exe 1 2->7         started        process3 signatures4 24 Detected unpacking (changes PE section rights) 7->24 26 Detected unpacking (overwrites its own PE header) 7->26 10 cmd.exe 1 7->10         started        12 WerFault.exe 9 7->12         started        14 WerFault.exe 9 7->14         started        16 5 other processes 7->16 process5 process6 18 conhost.exe 10->18         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4b027545342913b299157c8e60174c2c73bb8ae0b9a6343d4bd2d592f46092dc/
Threat name:
Win32.Trojan.Caynamer
Create hunting rule
Status:
Malicious
First seen:
2021-05-02 02:09:10 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
2a39223aeb61946d7b64dc8a8ad0a591c5090ff79b902d49ef6a2f419619542f
5ad8c577246cf6b0b4e441a43921889d5a5ddc5e75791241eec78f6065f6734a
6ba3a45494c026647e4fa1d0f3256a12bd079b5e3c635379617e3476b7e2cb5a
a2a2de6ffa56b9dd3cd4f08f66661ba52deb04c2210afb97726c8e7cc539ff48
b87058debe148793a01173971935cb36fe7d56e2400282629f810cbb1ef14ef7
c1def118520e4ce168185e9fd2acdd32df8e2e0081e1e5477b0798a7074115f2
da7c1a29438b2c219e7ef8d84b198604d663de649d4f8fca71a3f46b895eaf1c
e42427d6531ff454ec019e117544fcf44d2c88b7bb5485bf76f93013ca91181a
ecac41ea859c9ba34b3f6bfbb6e4922aebf761c0655c20e2e9a965df7627410c
ed8e826f2058b1ab541bdcc2bfe66523b005ba5c0498eac8f5b74b4998141344
+ 9 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/210503-z6svfmsyns/
Behaviour
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Deletes itself
Unpacked files
SH256 hash:
ce8a00447c75348d988f2798c59f5c8bb82157dd2989eaebc427b5312d3c8088
MD5 hash:
c9c7449e1c567608fcb69821d498118e
SHA1 hash:
493a6fd12869589c476579453af3a133c0c9ef5c
Link:
https://www.unpac.me/results/e647a856-6ebe-4def-9ae1-1bbdcf94d18f/
SH256 hash:
4b027545342913b299157c8e60174c2c73bb8ae0b9a6343d4bd2d592f46092dc
MD5 hash:
c7c2ac2217134c6d865804ca8c2fd544
SHA1 hash:
c49b3cf920cce766786cf1fda5514c8b0301a9f0
Link:
https://www.unpac.me/results/e647a856-6ebe-4def-9ae1-1bbdcf94d18f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4b027545342913b299157c8e60174c2c73bb8ae0b9a6343d4bd2d592f46092dc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SUSP_XORed_Mozilla
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-03 16:03:38 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [C0003.002] Communication Micro-objective::Connect Pipe::Interprocess Communication
1) [C0003.001] Communication Micro-objective::Create Pipe::Interprocess Communication
2) [C0003.003] Communication Micro-objective::Read Pipe::Interprocess Communication
3) [C0003.004] Communication Micro-objective::Write Pipe::Interprocess Communication
4) [C0027.009] Cryptography Micro-objective::RC4::Encrypt Data
5) [C0021.004] Cryptography Micro-objective::RC4 PRGA::Generate Pseudo-random Sequence
6) [C0047] File System Micro-objective::Delete File
7) [C0049] File System Micro-objective::Get File Attributes
8) [C0051] File System Micro-objective::Read File
9) [C0052] File System Micro-objective::Writes File
10) [C0007] Memory Micro-objective::Allocate Memory
11) [C0034.001] Operating System Micro-objective::Set Variable::Environment Variable
12) [C0040] Process Micro-objective::Allocate Thread Local Storage
13) [C0042] Process Micro-objective::Create Mutex
14) [C0041] Process Micro-objective::Set Thread Local Storage Value
15) [C0018] Process Micro-objective::Terminate Process
16) [C0039] Process Micro-objective::Terminate Thread