MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4ddfd623ef499cb59cd55be3a72e22acefb23488d1631692baaff001471b2bea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4ddfd623ef499cb59cd55be3a72e22acefb23488d1631692baaff001471b2bea
SHA3-384 hash: bf28d7855c7ef1f5a3522ee82cc5c100176579782e04d7992f7f16c98a95947d7dcf633b5bcec6be912152893da4ba99
SHA1 hash: 68777907a0cb73b3823d681e1f4d391112b63767
MD5 hash: 64dcf99456b6e6239c6cc5b81ffcf9c8
humanhash: uranus-winner-sweet-lima
File name:ulti_final.scr
Download: download sample
File size:6'120'047 bytes
First seen:2020-10-22 06:27:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ba54e48d0f0346b349e9f7a2c8ecaf5c (1 x ValleyRAT)
ssdeep 98304:TtpaLq2gXJAT86nXlXxHh/ZEYoPHGlBBYYYR9MUFJADxpupX1Q8rsIRde:T3bNJAT8UXlVh/iYofG7rYnPuDCpSc
Threatray 6 similar samples on MalwareBazaar
TLSH 90563354212120E2FA7B5832C997662AD1F73450037A80DF4B2577297EA3F99BE3DB31
Reporter abuse_ch
Tags:scr


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: mail1.xcxicheng.com
Sending IP: 159.65.152.153
From: kpantinas@globalization-partners.com
Reply-To: stephen_button022@outlook.com
Subject: 5000 BTC available for sale with 5% discount using daily market price urgent buyers ONLY.
Attachment: Procedure_001132.rar (contains "ulti_final.scr")

Intelligence

File Origin
# of uploads :
1
# of downloads :
76
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/74468/
Detection(s):
SecuriteInfo.com.PE_File_pyinstaller.24421.30566.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
DNS request
Sending a UDP request
Sending a custom TCP request
Creating a file in the system32 subdirectories
Launching a process
Creating a window
Deleting a recently created file
Using the Windows Management Instrumentation requests
Creating a file
Creating a process with a hidden window
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/506633
Signature
Connects to a pastebin service (likely for C&C)
Potentially malicious time measurement code found
Windows Shell Script Host drops VBS files
Writes or reads registry keys via WMI
Writes registry values via WMI
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4ddfd623ef499cb59cd55be3a72e22acefb23488d1631692baaff001471b2bea/
Threat name:
Win64.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-10-21 22:16:50 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jxp5mi7pjgollhgvlpr2olrcvtx3enei2frrnev2v7yacry3fpva._file
Verdict:
suspicious
Similar samples:
290452bb8eb4dfcc3cfb1590c8fb1b44427a3c9f0439ad5855e35bc39537a3a3
4b76ad80e9ce4c503bde0e476a88447426fc38315d440d22926627295e1b0ec6
50b73c4132c9240c404a85b5d2843436fe8d5022a7104b5faeab827f558c52e4
5f7edbfee38f8e9a93df459405b952189d48b4a7f2ddc7a81d25bdfd59b31c80
8d3c6da3f4d6513a1d38058a6cf6028e0c07210a5c0509f47150152362093636
e8c00468964966dfdbae2de1d15a8a24b5ba4dbe7dddd482888568f4430d4db1
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/201022-e6crlxmkfj/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies registry class
JavaScript code in executable
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Unpacked files
SH256 hash:
4ddfd623ef499cb59cd55be3a72e22acefb23488d1631692baaff001471b2bea
MD5 hash:
64dcf99456b6e6239c6cc5b81ffcf9c8
SHA1 hash:
68777907a0cb73b3823d681e1f4d391112b63767
Link:
https://www.unpac.me/results/22e29f02-b056-474a-80c2-90f656da97fc/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_File_pyinstaller
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Description:Detect PE file produced by pyinstaller
Reference:https://isc.sans.edu/diary/21057
Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

rar ddb52a975d84855c94a8355cb9cf2374af6ded30ee7bf7672b1bdb99112afc8f

Executable exe 4ddfd623ef499cb59cd55be3a72e22acefb23488d1631692baaff001471b2bea

(this sample)

  
Dropped by
MD5 745b62e8b57f78df556b001059eb9655
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/74468/
  
Dropped by
SHA256 ddb52a975d84855c94a8355cb9cf2374af6ded30ee7bf7672b1bdb99112afc8f

Comments