MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4ce2900b5846f04521fdeb065a8350023c59f1d67b3b9347d505bc4f1796892f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 7

SHA256 hash: 4ce2900b5846f04521fdeb065a8350023c59f1d67b3b9347d505bc4f1796892f
SHA3-384 hash: 81dd0a7de6cd0039997e4c439737ea16e50d4640f6edd2068a27b8ae594b1d731ad3d51be3c2dce59a39b7f4bddbe5dd
SHA1 hash: 6d5a6285faa4260115be08a359aa5394b7c4ef30
MD5 hash: 3c12770819b2d930595e362ad113981b
humanhash: north-robert-summer-alpha
File name: SecuriteInfo.com.Trojan.GenericKD.41421404.8724.30102
File size: 12'340'736 bytes
First seen: 2020-12-04 08:13:40 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'648 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep: 196608:7hc+fBbbp29+0T5IJA5ajto1pDOGp2HuH293YFZtZ0hCXODXk26jY1kKAp9DBNxU:7hc+fBbM+0T5IWWto1ppYK293YF/ZpWb
Threatray: 1 similar samples on MalwareBazaar
TLSH: 50C61232778AC53BE67259B1692CCA9F6059BF650F7190C793C81E6E48B48C34632E37
Reporter: SecuriteInfoCom

Intelligence

File Origin
# of uploads: 1
# of downloads: 136
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: SecuriteInfo.com.Trojan.GenericKD.41421404.8724.30102
Verdict: Malicious activity
Analysis date: 2020-12-04 08:17:45 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Behaviour
Sending a UDP request
Creating a file
Creating a process from a recently created file
Creating a window
Creating a file in the %temp% subdirectories
Deleting a recently created file
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: spyw.evad
Score: 75 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Binary contains a suspicious time stamp
Bypasses PowerShell execution policy
Creates autostart registry keys with suspicious names
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Opens network shares
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sample is not signed and drops a device driver
Behaviour
Behavior Graph ID: 326823 (Sample: SecuriteInfo.com.Trojan.Gen..., Start date: 04/12/2020, Architecture: WINDOWS, Score: 75)
Root signatures: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Machine Learning detection for sample; 2 other signatures

Process tree recovered from the behavior graph (dropped files and per-process signatures as the sandbox recorded them; "..." marks paths truncated in the report):
- SecuriteInfo.com.Trojan.GenericKD.41421404.8724.exe
    dropped: C:\ProgramData\RunWin.exe (PE32); C:\ProgramData\ProtonVPN.exe (PE32); SecuriteInfo.com.T...421404.8724.exe.log (ASCII)
    - ProtonVPN.exe
        dropped: C:\Users\user\AppData\Local\...\decoder.dll (PE32); C:\Users\user\AppData\Local\...\shi9742.tmp (PE32+); C:\Users\user\AppData\Local\...\preEBD6.tmp (PE32); 15 other files (none is malicious)
        signature: Creates autostart registry keys with suspicious names
        - ProtonVPNTap.exe
            dropped: C:\Users\user\AppData\...\tapprotonvpn.sys (PE32); C:\Users\user\AppData\...\tapprotonvpn.sys (PE32+); C:\Users\user\AppData\...\tapprotonvpn.Sys (PE32); 6 other files (1 malicious)
            signature: Sample is not signed and drops a device driver
            - msiexec.exe
        - ProtonVPN.exe
            dropped: C:\Users\user\AppData\Local\...\shi39DA.tmp (PE32+)
    - RunWin.exe
        signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file
- msiexec.exe
    dropped: C:\Users\user\AppData\Local\...\shiA2AE.tmp, shiA0E7.tmp, shi9B0A.tmp, shi9A6D.tmp (all PE32)
    signatures: Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Opens network shares
    - ProtonVPN.exe
        dropped: C:\Users\user\AppData\...\ProtonVPNTap.exe (PE32); C:\Users\user\AppData\Roaming\...\decoder.dll (PE32)
- msiexec.exe
    dropped: C:\Users\user\AppData\...\pss57C4.tmp.ps1 (Little-endian)
    - powershell.exe
        - conhost.exe
- 4 other processes
    network: 192.168.2.1 (unknown unknown)
    - cmd.exe
        - conhost.exe
        - chcp.com
    - cmd.exe
Threat name: ByteCode-MSIL.Trojan.ClipBanker
Status: Malicious
First seen: 2019-06-25 03:35:16 UTC
AV detection: 19 of 28 (67.86%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
Modifies system certificate store
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates connected drives
JavaScript code in executable
Loads dropped DLL
Executes dropped EXE
Unpacked files
SHA256 hash: 4ce2900b5846f04521fdeb065a8350023c59f1d67b3b9347d505bc4f1796892f
MD5 hash: 3c12770819b2d930595e362ad113981b
SHA1 hash: 6d5a6285faa4260115be08a359aa5394b7c4ef30

SHA256 hash: 32899d4642474607ac17534bd799e3c78182fd975ab6e9f5f0db77d52acdc09f
MD5 hash: 7dba3f67223e1db36ccf17c010b5cea5
SHA1 hash: 4bfad0287f7ca34fab7496057a2e20b6a119bdd8

SHA256 hash: a269429131fb8bbe27dcff8884d7f23e78d07665cb3088eac645d17a3b97f666
MD5 hash: c3c7b914921de57306a4aae72e96e1e9
SHA1 hash: 595dba1899ff3f7d5ba6f4fff3fc57b60d3fefd2

SHA256 hash: 01a54b7f22717880d002a1b9287843268e8f7152a04192ddf80a59ea0ec662f7
MD5 hash: 5f315bc83c0bcaa5803ebd0febea2943
SHA1 hash: 6b406b8c3f495dad473d1754b69cfa4a2ec4151f
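The following script is an added example and is not code from MalwareBazaar or from any of the sandbox vendors above. It recomputes the four cryptographic digests the entry lists (MD5, SHA1, SHA256, SHA3-384) for a local file with the Python standard library, reports which ones disagree with the entry, and checks the SHA256 against the "Unpacked files" list so a file carved out of the installer can be tied back to this record. The hash constants are copied from this page; the byte strings used to exercise the functions are constructed for the demo.

```python
"""Check a local file against the hashes this MalwareBazaar entry lists.

Added example (not MalwareBazaar's or a vendor's code). Digest values below
are copied from the entry above; demo inputs are constructed.
"""
import hashlib
from typing import Dict, Iterable, List

# Digests listed for the main sample in the entry above.
ENTRY_HASHES: Dict[str, str] = {
    "md5": "3c12770819b2d930595e362ad113981b",
    "sha1": "6d5a6285faa4260115be08a359aa5394b7c4ef30",
    "sha256": "4ce2900b5846f04521fdeb065a8350023c59f1d67b3b9347d505bc4f1796892f",
    "sha3_384": "81dd0a7de6cd0039997e4c439737ea16e50d4640f6edd2068a27b8ae594b1d731ad3d51be3c2dce59a39b7f4bddbe5dd",
}

# SHA256 values from the "Unpacked files" list (the first is the sample itself).
UNPACKED_SHA256 = frozenset({
    "4ce2900b5846f04521fdeb065a8350023c59f1d67b3b9347d505bc4f1796892f",
    "32899d4642474607ac17534bd799e3c78182fd975ab6e9f5f0db77d52acdc09f",
    "a269429131fb8bbe27dcff8884d7f23e78d07665cb3088eac645d17a3b97f666",
    "01a54b7f22717880d002a1b9287843268e8f7152a04192ddf80a59ea0ec662f7",
})

# hashlib algorithm names for the four digests the entry shows.
ALGORITHMS = ("md5", "sha1", "sha256", "sha3_384")


def digest_chunks(chunks: Iterable[bytes]) -> Dict[str, str]:
    """Feed every chunk to all four hashers in a single pass; lowercase hex out."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def compute_hashes(data: bytes) -> Dict[str, str]:
    """Digests of an in-memory blob (e.g. a file unpacked by a script)."""
    return digest_chunks([data])


def hash_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Stream a file from disk; this sample is about 12 MB, so do not slurp it."""
    with open(path, "rb") as fh:
        return digest_chunks(iter(lambda: fh.read(chunk_size), b""))


def mismatches(actual: Dict[str, str], expected: Dict[str, str]) -> List[str]:
    """Names of algorithms whose computed digest differs from the listed value.

    Comparison is case- and whitespace-insensitive, and algorithms absent from
    `expected` are skipped, so a partial IOC record (SHA256 only) also works.
    """
    return sorted(
        name for name, listed in expected.items()
        if name in actual and actual[name] != listed.strip().lower()
    )


def is_listed_unpacked(actual: Dict[str, str]) -> bool:
    """True when the SHA256 appears in the entry's "Unpacked files" list."""
    return actual["sha256"] in UNPACKED_SHA256


if __name__ == "__main__":
    import sys
    digests = hash_file(sys.argv[1])
    bad = mismatches(digests, ENTRY_HASHES)
    if not bad:
        print("file matches the entry's sample on all four digests")
    elif is_listed_unpacked(digests):
        print("not the main sample, but its SHA256 is in the Unpacked files list")
    else:
        print("no match; differing algorithms:", ", ".join(bad))
```

Only these cryptographic digests identify the sample exactly. The imphash shown higher up is shared, per the entry itself, with tens of thousands of AgentTesla, Formbook and SnakeKeylogger samples, so it points at a common packer or builder rather than at this file; imphash, ssdeep and TLSH also need third-party libraries (pefile, ssdeep, py-tlsh) and are deliberately left out of this stdlib-only check.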

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Executable exe 4ce2900b5846f04521fdeb065a8350023c59f1d67b3b9347d505bc4f1796892f (this sample)
Delivery method: Distributed via web download