MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4ef9f634f3c2bcda5eb99a58a1f7d4619fd5cd166b4154242fe88ab794a0c847. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 8



SHA256 hash: 4ef9f634f3c2bcda5eb99a58a1f7d4619fd5cd166b4154242fe88ab794a0c847
SHA3-384 hash: df16b823d4c4b47cd6110d61e62eac30338e6441016a779babed3889f44cdd20535d5679949a0b68a96c75c0d668c4f3
SHA1 hash: da9a80127e455854c5b7d4eaec8f7f48b22e3e3d
MD5 hash: cd808dc04c0f37c12e86183d4ef05b62
humanhash: carpet-single-snake-failed
File name: 4ef9f634f3c2bcda5eb99a58a1f7d4619fd5cd166b4154242fe88ab794a0c847.bin
File size: 5'000'704 bytes
First seen: 2021-04-09 20:33:34 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2615839934fefd2d342149f561ecc715 (1 x StrongPity)
ssdeep: 98304:gfI2hjQdyM8X5PaIw8I2hjQdyM8X5PaIw:Mvh0duX53w8vh0duX53w
Threatray: 14 similar samples on MalwareBazaar
TLSH: C93622D9E4C580C8C82BBEF44A9D1CA9E231ED326854F5761FCDFC452E9319239998B3
Reporter: Arkbird_SOLG
Tags: apt APT-C-41

Intelligence


File Origin
# of uploads: 1
# of downloads: 171
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Creating a process from a recently created file
Creating a window
Reading critical registry keys
Enabling the 'hidden' option for files in the %temp% directory
Delayed writing of the file
Sending a UDP request
DNS request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Connection attempt to an infection source
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: StrongPity
Detection: suspicious
Classification: troj.evad
Score: 34 / 100
Signature
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected StrongPity
Behaviour
Behavior Graph: rendered graph not reproduced in this extract (Behavior Graph ID 384858, sample N4SdrR9mTC.bin, start date 09/04/2021, architecture WINDOWS, score 34).
Threat name: Win32.Trojan.Pandopera
Status: Malicious
First seen: 2021-04-04 09:14:10 UTC
AV detection: 24 of 48 (50.00%)
Threat level: 5/5
Result
Malware family: strongpity
Score: 10/10
Tags: family:strongpity persistence spyware stealer
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
StrongPity
StrongPity Spyware
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments