MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5066020c9801057b9e6e6e5ced5ef8d35854cb58118e4aae55d7d3b532ebcecd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 3


Intelligence 3 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5066020c9801057b9e6e6e5ced5ef8d35854cb58118e4aae55d7d3b532ebcecd
SHA3-384 hash: 5f3e6715af9bab6b2c8441806ce27373bd58e6296681a1afb523520c05511f7c6c546d55afc1ee9a48627bd80166ac21
SHA1 hash: 7b6fd6ad2a57578b2012108880bf89afd315ea9c
MD5 hash: 3f43374d0862425c4894da8a4ea9c7f2
humanhash: three-harry-two-emma
File name:-
Download: download sample
File size:285'544 bytes
First seen:2020-06-26 07:29:01 UTC
Last seen:2021-07-14 13:04:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 05d3dce2be32df01ca249872dd2cc117 (1 x GuLoader, 1 x HijackLoader)
ssdeep 6144:qmvr9RLcN0BvxoLjGRU4UUU3UUUD9rOAexZc2/SM0GuX98YglwRY1evB6pL:qmr9RUsJGjqU4UUU3UUUZa7x+kc98YqV
Threatray 52 similar samples on MalwareBazaar
TLSH 655412318E04CCA7C6828ABCF868D6FE61AC9FD4F95483FF9059FE147435A5109942AF
Reporter JAMESWT_WT

Code Signing Certificate

Organisation:Dummy
Issuer:Dummy
Algorithm:sha256WithRSAEncryption
Valid from:Jan 1 07:00:00 2013 GMT
Valid to:Jan 2 07:00:00 2013 GMT
Serial number: 7E89B9DF006BD1AA4C48D865039634CA
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 20B80284B8F23151B348126D08F69E603D02793404E452A52666EF566DB71D07
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
74
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/14694/
Detection(s):
PUA.Win.Packer.Upx-48
Create hunting rule

PUA.Win.Packer.Upx-6
Create hunting rule

PUA.Win.Packer.Upx-4
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Reading critical registry keys
Searching for the window
Result
Threat name:
Unknown
Detection:
suspicious
Classification:
spyw
Score:
20 / 100
Link:
https://www.joesandbox.com/analysis/369326
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 process2 2 Behavior Graph ID: 236635 Sample: - Startdate: 08/06/2020 Architecture: WINDOWS Score: 20 7 -.exe 3 2->7         started        file3 19 C:\Users\user\AppData\...\setup-stub.exe, PE32 7->19 dropped 10 setup-stub.exe 3 53 7->10         started        process4 file5 21 C:\Users\user\AppData\Local\...\nsDialogs.dll, PE32 10->21 dropped 23 C:\Users\user\AppData\Local\...\UserInfo.dll, PE32 10->23 dropped 25 C:\Users\user\AppData\Local\Temp\...\UAC.dll, PE32 10->25 dropped 27 3 other files (none is malicious) 10->27 dropped 31 Tries to harvest and steal browser information (history, passwords, etc) 10->31 14 iexplore.exe 3 84 10->14         started        signatures6 process7 process8 16 iexplore.exe 69 14->16         started        dnsIp9 29 mozilla.org 63.245.208.195, 443, 49736, 49737 unknown United States 16->29
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5066020c9801057b9e6e6e5ced5ef8d35854cb58118e4aae55d7d3b532ebcecd/
Verdict:
malicious
Similar samples:
0992e4668212efdaf0f5bd92983ff0b50f4024bd6f5fe5e4e77c2816e62e8504
1495a59a2300245b0c8cfdfe2e467de7f79a4d287e10e9119a96cdac0a1b7c5b
1b17871866c25b4791c357d03abe3737e49bb5256cde43dd938acc78c975f085
2d40a6c3d1200616055b55031daa8a6b010b3c99219f6b6da87bcd2b2f27d6c2
85e0ff2f0c03b8d8ce1d32b446dcef0e32b79fa581a9c27dcf4d0bb92c6b167f
ad3bb3f26289dc46ab58afb6cdf67ca9a256519fd9d087a418f849f9bcb78c25
c7d7e6c6dc477e5fdb2b2a26eed1b53e77d455dbec8df800927a5bae69a2cc10
e5d4600354cad7a882caac33f0e18bc6702a269dab9315ef71835fbbad747626
ed8328548179948fb69a7326022255984c289763041bdccd38cc0968a005e7d7
f635354e86b28a65eb77122574493cfe2e37efeca2d3df316a4880db6e3786b9
+ 42 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery persistence evasion trojan spyware
Link:
https://tria.ge/reports/200626-z8h2s9krqn/
Behaviour
Checks processor information in registry
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Drops file in Program Files directory
Modifies service
Checks whether UAC is enabled
Modifies system certificate store
Checks for installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/14694/

Comments