MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4dfc09bfab1e813c8122d6f8c3d83966346fe676464497ce100e8c385fe5e5f9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Kimsuky


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4dfc09bfab1e813c8122d6f8c3d83966346fe676464497ce100e8c385fe5e5f9
SHA3-384 hash: 3250db82e2a155bc58a2c6aa8b6f0cad1738bb341a313dfb0e2a028fdb589bea431a0f514944f3bb31e66bcbef2f7b95
SHA1 hash: f05a89addf5940beb1eebaba973595649425d1eb
MD5 hash: 20e2de2d794dfff774b71b6dd2294a96
humanhash: avocado-sixteen-mockingbird-aspen
File name:Result_2024-0617.pdf.jse
Download: download sample
Signature Kimsuky
Create hunting rule
File size:22'327'890 bytes
First seen:2024-06-21 07:32:05 UTC
Last seen:Never
File type:JScript (JSE) jse
MIME type:text/plain
ssdeep 49152:mWo5NeWyJAstwlBNAS/cXpRnqlvq3IPQ7JcS5/eP/AQzEPnWWo5NeWyJAstwlBN8:r
TLSH T10C279D234B40665DB39C1D9BD07D1B2FB7B36F91D8A272CC56A3380769AFC1C6728918
Reporter smica83
Tags:apt jse Kimsuky

Intelligence

File Origin
# of uploads :
1
# of downloads :
141
Origin country :
HU HU
Vendor Threat Intelligence
Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66752cb250b6d35655cbd769win10vpnfull_triage
Tags:
Execution Generic Network Stealth
Verdict:
Malicious
Labled as:
Trojan.Script.ExpKit
Link:
https://www.hybrid-analysis.com/sample/4dfc09bfab1e813c8122d6f8c3d83966346fe676464497ce100e8c385fe5e5f9
Result
Verdict:
MALICIOUS
Result
Threat name:
n/a
Detection:
malicious
Classification:
expl.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1460597
Signature
AI detected suspicious sample
JavaScript source code contains functionality to generate code involving a shell, file or stream
Multi AV Scanner detection for dropped file
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Suspicious Parent Double Extension File Execution
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses an obfuscated file name to hide its real file extension (double extension)
Uses certutil -decode
Uses cmd line tools excessively to alter registry or file data
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1460597 Sample: Result_2024-0617.pdf.jse Startdate: 21/06/2024 Architecture: WINDOWS Score: 96 61 image.ionexusa.com 2->61 67 Multi AV Scanner detection for dropped file 2->67 69 JavaScript source code contains functionality to generate code involving a shell, file or stream 2->69 71 Uses an obfuscated file name to hide its real file extension (double extension) 2->71 73 4 other signatures 2->73 10 wscript.exe 4 3 2->10         started        14 rundll32.exe 2->14         started        16 svchost.exe 1 1 2->16         started        19 reg.exe 1 1 2->19         started        signatures3 process4 dnsIp5 57 C:\ProgramData\Result_2024-0617.pdf, PDF 10->57 dropped 77 Suspicious powershell command line found 10->77 79 Wscript starts Powershell (via cmd or directly) 10->79 81 Windows Scripting host queries suspicious COM object (likely to drop second stage) 10->81 83 Suspicious execution chain found 10->83 21 powershell.exe 7 10->21         started        24 Acrobat.exe 20 63 10->24         started        26 powershell.exe 11 10->26         started        85 Uses cmd line tools excessively to alter registry or file data 14->85 28 reg.exe 1 14->28         started        59 image.ionexusa.com 127.0.0.1 unknown unknown 16->59 30 conhost.exe 19->30         started        file6 signatures7 process8 signatures9 75 Uses certutil -decode 21->75 32 rundll32.exe 21->32         started        35 certutil.exe 2 21->35         started        38 conhost.exe 21->38         started        40 AcroCEF.exe 107 24->40         started        42 conhost.exe 26->42         started        44 cmd.exe 1 26->44         started        46 conhost.exe 28->46         started        process10 file11 65 Uses cmd line tools excessively to alter registry or file data 32->65 48 reg.exe 1 32->48         started        55 C:\ProgramData\dB7Z32t.dFq6, PE32+ 35->55 dropped 50 AcroCEF.exe 2 40->50         started        signatures12 process13 dnsIp14 53 conhost.exe 48->53         started        63 23.47.168.24, 443, 49723 AKAMAI-ASUS United States 50->63 process15
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jx6atp5ld2atzajc234mhwbzmy2g7ztwizcjptqqb2gdqx7f4x4q._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
execution persistence
Link:
https://tria.ge/reports/240621-jdh62avfmm/
Behaviour
Checks processor information in registry
Modifies Internet Explorer settings
Modifies registry class
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Command and Scripting Interpreter: PowerShell
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kimsuky
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4dfc09bfab1e813c8122d6f8c3d83966346fe676464497ce100e8c385fe5e5f9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Link
https://x.com/asdasd13asbz/status/1803944724308595090

Comments