MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4d3cf423de6f720602c72cf570b0746e2cafd32083ed77b73dd1efa36eb055a5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 6 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4d3cf423de6f720602c72cf570b0746e2cafd32083ed77b73dd1efa36eb055a5
SHA3-384 hash: 4f91e7dfcbe4cd1f50d4e606cdd8f488f0ba11aeae96afa40e60cc13c5f4f4e37ca6b2b89d1514c260789e00dc1bc1f7
SHA1 hash: 64f11dbbfbba1b59d265f5fbcb6ec6552e0bbf43
MD5 hash: 5625e9086d9da50cc5fe68db8ad0a569
humanhash: india-single-thirteen-missouri
File name:5625e9086d9da50cc5fe68db8ad0a569
Download: download sample
File size:6'300'672 bytes
First seen:2021-12-21 02:54:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c7269d59926fa4252270f407e4dab043 (45 x Hive, 23 x ServHelper, 22 x CobaltStrike)
ssdeep 98304:5DPq64p8tJ7lG4y0eO+EWjV+8RTOxdJt7vOA6pB:JqcJ7vyWWxgdJtt6
Threatray 7 similar samples on MalwareBazaar
TLSH T16D568C03F85561A9D6EED230C67582527B317888073033D36F95AABA2B77FD4AE78350
Reporter zbetcheckin
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
153
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5625e9086d9da50cc5fe68db8ad0a569
Verdict:
No threats detected
Analysis date:
2021-12-21 06:03:02 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7010c1a5-17ae-4907-b236-4d63473d83d8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/215556/
Detection(s):
Win.Ransomware.Hive-9916034-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending an HTTP GET request
Creating a file in the %AppData% directory
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Creating a file in the %temp% subdirectories
Sending a custom TCP request
DNS request
Creating a window
Сreating synchronization primitives
Searching for the window
Reading critical registry keys
Changing a file
Sending a UDP request
Creating a file
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/2808/overview
Behaviour
MalwareBazaar
CPUID_Instruction
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed ransomware
Link:
https://www.filescan.io/uploads/61c141cd4ab5c44cbf4af7f0/reports/cb831caa-11c4-4539-8064-671b301fdd2a/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ed2b6b58-2184-4b9e-8212-d749e8bf4227
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/910714
Signature
Antivirus detection for URL or domain
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 543191 Sample: oVVmh7TTTG Startdate: 21/12/2021 Architecture: WINDOWS Score: 72 48 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->48 50 Antivirus detection for URL or domain 2->50 52 Multi AV Scanner detection for submitted file 2->52 54 Machine Learning detection for sample 2->54 10 oVVmh7TTTG.exe 1 2->10         started        process3 dnsIp4 44 188.166.28.199, 49746, 80 DIGITALOCEAN-ASNUS Netherlands 10->44 34 C:\Users\user\AppData\...\counterstrike.exe, PE32+ 10->34 dropped 14 cmd.exe 1 10->14         started        file5 process6 process7 16 counterstrike.exe 2 14->16         started        20 conhost.exe 14->20         started        file8 32 C:\Users\user\AppData\Local\...\leakless.exe, PE32+ 16->32 dropped 46 Machine Learning detection for dropped file 16->46 22 leakless.exe 16->22         started        signatures9 process10 dnsIp11 36 127.0.0.1 unknown unknown 22->36 25 chrome.exe 5 160 22->25         started        28 taskkill.exe 1 22->28         started        process12 dnsIp13 38 youtube-ui.l.google.com 142.250.203.110, 443, 49753, 49754 GOOGLEUS United States 25->38 40 i.ytimg.com 142.250.203.118, 443, 49760, 59031 GOOGLEUS United States 25->40 42 8 other IPs or domains 25->42 30 conhost.exe 28->30         started        process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4d3cf423de6f720602c72cf570b0746e2cafd32083ed77b73dd1efa36eb055a5/
Threat name:
Win64.Trojan.Bingoml
Create hunting rule
Status:
Malicious
First seen:
2021-12-21 02:55:13 UTC
File Type:
PE+ (Exe)
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
53e95f5ab8f18a70baf702d59c2b308fb998de4cdc06d4d7d30c450e4cdfd4e3
5cbea0c2d3f18aafe1c3ab60b3d670bcc47e4001f26c8923c3e4735e6964708c
664543a2800a9d4d0ebae4f742350251bb0df2a447a302032c1fe22c7c1e7398
6cc8e13f66166e615a847f9444a0258b0e7a01fb8e607c49c482b2b4d50cd829
d708ff93f30255df025e9335dd05fc2f9bd818cb0925d8889d95cb477cfc81f2
eb4ed5f6140aa6e26adf5408f9924e5263b9c0fa3b66cec699f7e50eb893537c
f62434d2bfd1b9d953618d0be4ba442e3210b821575ae1b1c97ae6aa55ae394a
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/211221-ddwjgachgk/
Behaviour
Enumerates system info in registry
GoLang User-Agent
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
Unpacked files
SH256 hash:
4d3cf423de6f720602c72cf570b0746e2cafd32083ed77b73dd1efa36eb055a5
MD5 hash:
5625e9086d9da50cc5fe68db8ad0a569
SHA1 hash:
64f11dbbfbba1b59d265f5fbcb6ec6552e0bbf43
Link:
https://www.unpac.me/results/1b4e00b6-9373-4b00-8347-42695a232ac4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4d3cf423de6f720602c72cf570b0746e2cafd32083ed77b73dd1efa36eb055a5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:GoBinTest
Create hunting rule
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:methodology_golang_build_strings
Create hunting rule
Author:smiller
Description:Looks for PEs with a Golang build ID

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 4d3cf423de6f720602c72cf570b0746e2cafd32083ed77b73dd1efa36eb055a5

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1905390/
Cape
Cape
https://www.capesandbox.com/analysis/215556/

Comments


Avatar
zbet commented on 2021-12-21 02:54:03 UTC

url : hxxp://data-file-data-7.com/files/4210_1640033693_7225.exe