MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4bb4435958fa48762b34905fc5ac50c78878eccb33252f72cb037d664cb60fc9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4bb4435958fa48762b34905fc5ac50c78878eccb33252f72cb037d664cb60fc9
SHA3-384 hash: 79ae7b763fbc965f7a0261298f1c47212bcd55faa13caff57b63eb07051616169e5200615f7e99819738ebfcfa9e3d14
SHA1 hash: c8470ecc206181788b9a6a62111de2f750d89c49
MD5 hash: 6cbc6f193816ee37af9b0309d34e8657
humanhash: lima-cup-nineteen-violet
File name:6cbc6f193816ee37af9b0309d34e8657.exe
Download: download sample
File size:4'038'656 bytes
First seen:2020-12-28 07:20:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 81bd39165a9640df832d204eb04feb6a
ssdeep 98304:9qgigUXTc//////WJRgjqBZMGLd51YkPu4cJMGBj4DhDZANxBYts:EtX3gjwM0LNPy8DpZ+C2
Threatray 78 similar samples on MalwareBazaar
TLSH 1A16F155BDC9407AC38E19314BE5DB3D69BDA9801F04CB836764EEDD2932B81AF31836
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
242
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Dropper.Vilsel-9772642-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Creating a window
Creating a file in the Windows subdirectories
Creating a process from a recently created file
Creating a file in the %temp% directory
Running batch commands
Creating a process with a hidden window
Sending a UDP request
Creating a service
Launching a service
Launching a process
Creating a file in the drivers directory
DNS request
Loading a system driver
Creating a file
Enabling autorun for a service
Connection attempt to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Mimikatz
Create hunting rule
Detection:
malicious
Classification:
bank.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/570516
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Checks if browser processes are running
Contains functionality to detect sleep reduction / modifications
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Sigma detected: Suspicious Double Extension
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Mimikatz
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 334315 Sample: KrcT896PNT.exe Startdate: 28/12/2020 Architecture: WINDOWS Score: 100 71 Antivirus detection for dropped file 2->71 73 Antivirus / Scanner detection for submitted sample 2->73 75 Multi AV Scanner detection for dropped file 2->75 77 7 other signatures 2->77 10 KrcT896PNT.exe 1 2->10         started        14 Jbcdt.exe 2->14         started        16 svchost.exe 2->16         started        18 5 other processes 2->18 process3 file4 61 C:\Windows\SysWOW64\RdpSau.exe, PE32 10->61 dropped 93 Drops executables to the windows directory (C:\Windows) and starts them 10->93 20 RdpSau.exe 2 10->20         started        95 Antivirus detection for dropped file 14->95 97 Multi AV Scanner detection for dropped file 14->97 99 Machine Learning detection for dropped file 14->99 24 Jbcdt.exe 13 1 14->24         started        101 Checks if browser processes are running 16->101 103 Contains functionality to detect sleep reduction / modifications 16->103 63 C:\Windows\SysWOW64\                .exe, PE32 18->63 dropped 27                .exe 18->27         started        signatures5 process6 dnsIp7 55 C:\Users\user\AppData\Local\Temp\yu1.exe, PE32 20->55 dropped 57 C:\Users\user\AppData\Local\Temp\yu.exe, PE32 20->57 dropped 85 Antivirus detection for dropped file 20->85 87 Multi AV Scanner detection for dropped file 20->87 89 Machine Learning detection for dropped file 20->89 29 cmd.exe 1 20->29         started        31 cmd.exe 1 20->31         started        65 cf1549064127.xicp.net 174.128.255.252, 10086, 90 ST-BGPUS United States 24->65 59 C:\Windows\System32\drivers\QAssist.sys, PE32+ 24->59 dropped 91 Sample is not signed and drops a device driver 24->91 67 192.168.2.1 unknown unknown 27->67 file8 signatures9 process10 process11 33 yu1.exe 1 1 29->33         started        37 conhost.exe 29->37         started        39 yu.exe 3 2 31->39         started        41 conhost.exe 31->41         started        file12 51 C:\Windows\SysWOW64\Jbcdt.exe, PE32 33->51 dropped 79 Antivirus detection for dropped file 33->79 81 Multi AV Scanner detection for dropped file 33->81 83 Machine Learning detection for dropped file 33->83 43 cmd.exe 1 33->43         started        53 C:\Users\user\AppData\Local\...\4793375.txt, PE32 39->53 dropped signatures13 process14 dnsIp15 69 127.0.0.1 unknown unknown 43->69 105 Uses ping.exe to sleep 43->105 47 conhost.exe 43->47         started        49 PING.EXE 1 43->49         started        signatures16 process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4bb4435958fa48762b34905fc5ac50c78878eccb33252f72cb037d664cb60fc9/
Threat name:
Win32.PUA.FlyStudio
Create hunting rule
Status:
Malicious
First seen:
2020-12-25 07:16:43 UTC
AV detection:
19 of 29 (65.52%)
Threat level:
  1/5
Verdict:
malicious
Similar samples:
02965941d39eef787b6d2483095f7c5c6eec84a2a97ce4e85eee9e0e610506e2
31153d0989d41bd597297136f2457681ac68bb89051509bba7d52c10c554a09e
3bb1bbf49c6e224032025dc7dacb3862e8b16c8b39e5cc19c5aceda4dbc917d9
56133c0d017af35f49253926e3583cf72c36146ab7faa65b6058971685166652
75b388003cc32b680abc3d9b41bc6c435af723de235eaab36a323fddcb906f62
799b7395c9f279d8cd1cd24657788ecb37db7ae03c0dddeb3344a95a551d1325
82385c5627675bb1a2f760238c766d1b8d3c31e109e067334959c084d62e5d55
a578e71d04eae80004ab431497c95fb9779a95dc7f0c60996c24c1cb7139745d
c96fb748304f35220cae69a622318ee3e425802dea7387549af4add7ba449b7e
d19b02a35003c637360cc342d5fcdae87dc7336fc7925f07f5c0636eae22ba37
+ 68 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence upx
Link:
https://tria.ge/reports/201228-fywhql7kye/
Behaviour
Runs ping.exe
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Loads dropped DLL
Drops file in Drivers directory
Executes dropped EXE
Sets DLL path for service in the registry
Sets service image path in registry
UPX packed file
Unpacked files
SH256 hash:
4bb4435958fa48762b34905fc5ac50c78878eccb33252f72cb037d664cb60fc9
MD5 hash:
6cbc6f193816ee37af9b0309d34e8657
SHA1 hash:
c8470ecc206181788b9a6a62111de2f750d89c49
Link:
https://www.unpac.me/results/23719878-a48d-428c-93cb-3c39a87d7740/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4bb4435958fa48762b34905fc5ac50c78878eccb33252f72cb037d664cb60fc9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments