MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 516cf8b5fbb0a99104baf04078d959371a46d32dda7f448eaa1d2fd52339a020. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 12

SHA256 hash: 516cf8b5fbb0a99104baf04078d959371a46d32dda7f448eaa1d2fd52339a020
SHA3-384 hash: 4cd967d1e8cb5f7cee603c4870c09511bef8fcd57a57ae716b695c0a87461a94320b2b5b5265683a122452e53172c53a
SHA1 hash: 3b9518fca08dddb8daae96fb36f8f69b2c76b989
MD5 hash: fd401aa718d0d7142760899e130da3b7
humanhash: alaska-september-sodium-sweet
File name: fd401aa718d0d7142760899e130da3b7.exe
Download: download sample
File size: 5'681'152 bytes
First seen: 2022-11-03 07:27:09 UTC
Last seen: 2022-11-03 09:26:01 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 9cbefe68f395e67356e2a5d8d1b285c0 (58 x LummaStealer, 49 x AuroraStealer, 37 x Vidar)
ssdeep: 98304:K53rmpCkIESo3sH9NdZO6D9/5mtqov5ceEO:KJrmC4So3sH9NdZO6D9/5bq5KO
Threatray: 57 similar samples on MalwareBazaar
TLSH: T1F8463B07F85195A8C0AAD230CA65D293BA307C945F3023D33B51FBBA2B76BD46E79354
gimphash: 373753505f5d3a16bea87a97633669ce471766c9efad2cd1231dd7bbf873e52a
TrID: 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
      23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
      9.3% (.EXE) OS/2 Executable (generic) (2029/13)
      9.2% (.EXE) Generic Win/DOS Executable (2002/3)
      9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter: abuse_ch
Tags: exe

Intelligence

File Origin
# of uploads: 2
# of downloads: 167
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: fd401aa718d0d7142760899e130da3b7.exe
Verdict: No threats detected
Analysis date: 2022-11-03 07:34:05 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Suspicious
Maliciousness:
Behaviour:
  DNS request
  Sending a custom TCP request
  Sending an HTTP GET request
  Running batch commands
  Creating a process with a hidden window
  Launching a process
  Searching for the window
  Creating a file in the %AppData% subdirectories
  Creating a process from a recently created file

Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour:
  MalwareBazaar
  CPUID_Instruction
  MeasuringTime
  EvasionQueryPerformanceCounter
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: anti-vm golang greyware
Result
Verdict: MALICIOUS
Details: Windows PE Executable
  Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious

Result
Threat name: Unknown
Detection: malicious
Classification: troj.evad
Score: 64 / 100
Signature:
  Found Tor onion address
  Machine Learning detection for sample
  May check the online IP address of the machine
  Multi AV Scanner detection for submitted file
  Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph (details recovered from the graph rendering):
  Behavior Graph ID: 736762
  Sample: UC4teiZeCN.exe
  Start date: 03/11/2022
  Architecture: WINDOWS
  Score: 64
  Signatures: Multi AV Scanner detection for submitted file; Machine Learning detection for sample; Found Tor onion address; May check the online IP address of the machine; Uses schtasks.exe or at.exe to add and modify task schedules
  Processes started: UC4teiZeCN.exe, Dameon.exe (3 instances), powershell.exe (2 instances), cmd.exe (3 instances), conhost.exe, plus further unnamed processes
  Dropped file: C:\Users\user\AppData\Roaming\...\Dameon.exe (PE32+)
  Network: get.geojs.io; ookla.wwz.ch 212.4.68.246 (ports 49698, 49699, 49700; TELEZUGWWZTelekomAGTELEZUGCH, Switzerland); 172.67.70.233 (CLOUDFLARENETUS, United States); further IPs or domains not named in the graph
Threat name: Win64.Trojan.Generic
Status: Suspicious
First seen: 2022-11-02 17:26:00 UTC
File Type: PE+ (Exe)
AV detection: 10 of 26 (38.46%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: persistence
Behaviour:
  Creates scheduled task(s)
  GoLang User-Agent
  Modifies system certificate store
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of WriteProcessMemory
  Adds Run key to start application
  Looks up external IP address via web service
  Loads dropped DLL
  Executes dropped EXE
Unpacked files
SHA256 hash: 516cf8b5fbb0a99104baf04078d959371a46d32dda7f448eaa1d2fd52339a020
MD5 hash: fd401aa718d0d7142760899e130da3b7
SHA1 hash: 3b9518fca08dddb8daae96fb36f8f69b2c76b989

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: command_and_control
Author: CD_R0M_
Description: This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name: GoBinTest

Rule name: golang

Rule name: Golangmalware
Author: Dhanunjaya
Description: Malware in Golang

Rule name: HiveRansomware
Author: Dhanunjaya
Description: Yara Rule To Detect Hive V4 Ransomware

Rule name: identity_golang
Author: Eric Yocam
Description: find Golang malware

Rule name: methodology_golang_build_strings
Author: smiller
Description: Looks for PEs with a Golang build ID

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Executable exe 516cf8b5fbb0a99104baf04078d959371a46d32dda7f448eaa1d2fd52339a020 (this sample)

Delivery method: Distributed via web download

Comments