MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 53554568971a309034dac6fc10291bf47de77b6299ef6a7ce70fd9603814d078. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 53554568971a309034dac6fc10291bf47de77b6299ef6a7ce70fd9603814d078
SHA3-384 hash: 4cbf812c5ec319a2b2bc6fca582816b5ccbd3423cd54b0c8110c4e88064f5e701f18bec909f267c219e7a058f7d25086
SHA1 hash: 1503e20b0129f17fb3e0d5b66cf333a65b3cc911
MD5 hash: 0681c2dd2e2335143eec7c5caf299890
humanhash: apart-alanine-twenty-stream
File name:virussign.com_0681c2dd2e2335143eec7c5caf299890
Download: download sample
File size:3'481'784 bytes
First seen:2022-07-15 15:49:38 UTC
Last seen:2024-07-24 14:23:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 8c16c795b57934183422be5f6df7d891 (36 x Mofksys, 18 x CryptOne, 6 x AveMariaRAT)
ssdeep 49152:sw5Wg1t/LDkQmYwhW8RXUm1kY4FSReqx/SKYdFo9RtLLhTHe7pnmPqu7W8RXUmJ:D0gcQC1V42eXKOOtLNe7pmbJ
Threatray 1'045 similar samples on MalwareBazaar
TLSH T10CF5AD4092884529F7F91A34E32D58C01B22DD1E69AC870E2F49FD493A77E7E5CED24E
TrID 52.9% (.EXE) Win32 Executable (generic) (4505/5/1)
23.5% (.EXE) Generic Win/DOS Executable (2002/3)
23.5% (.EXE) DOS Executable Generic (2000/1)
dhash icon cc8e336969358ecc
Reporter KdssSupport
Tags:exe


Avatar
KdssSupport
Uploaded with API

Intelligence

File Origin
# of uploads :
4
# of downloads :
154
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
virussign.com_0681c2dd2e2335143eec7c5caf299890
Verdict:
No threats detected
Analysis date:
2022-07-16 10:40:16 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/60c59585-61ab-46f6-acd7-438d8fefd18c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
FloodFix
Create hunting rule
Link:
https://www.capesandbox.com/analysis/289771/
Detection(s):
Win.Virus.Pioneer-9111434-0
Create hunting rule

ditekSHen.MALWARE.Win.Ransomware.STOP.UNOFFICIAL
Create hunting rule

Win.Trojan.VBGeneric-6735875-0
Create hunting rule

MiscreantPunch.SingleXOR.EXE.197.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file
Сreating synchronization primitives
Creating a window
Creating a file in the Program Files subdirectories
DNS request
Sending an HTTP GET request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm cmd.exe obfuscated overlay packed packed rundll32.exe shell32.dll
Link:
https://www.filescan.io/uploads/62d18ce78dab2096b99f1ab8/reports/b8edc14f-fec3-4068-a783-b666d3f049d1/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Floxif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/af63efa6-f432-48ea-bcbb-04894850c590
Result
Threat name:
CryptOne, FloodFix, Mofksys
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1034768
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Detected CryptOne packer
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
System process connects to network (likely due to code injection or exploit)
Yara detected FloodFix
Yara detected Generic Dropper
Yara detected Mofksys
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 667261 Sample: 9LEoy6Ep6s.com_0681c2dd2e23... Startdate: 17/07/2022 Architecture: WINDOWS Score: 100 79 Malicious sample detected (through community Yara rule) 2->79 81 Antivirus detection for dropped file 2->81 83 Antivirus / Scanner detection for submitted sample 2->83 85 8 other signatures 2->85 10 9LEoy6Ep6s.exe 1 6 2->10         started        15 svchost.exe 2->15         started        17 svchost.exe 1 1 2->17         started        19 11 other processes 2->19 process3 dnsIp4 61 192.168.2.1 unknown unknown 10->61 53 C:\Program Files\Common Files\...\symsrv.dll, PE32 10->53 dropped 55 C:\Windows\Resources\Themes\icsys.icn.exe, MS-DOS 10->55 dropped 57 C:\Users\user\AppData\...\B9941954193C.tmp, MS-DOS 10->57 dropped 59 C:\Users\user\Desktop\9leoy6ep6s.exe, PE32 10->59 dropped 111 Drops executables to the windows directory (C:\Windows) and starts them 10->111 21 icsys.icn.exe 2 10->21         started        25 9leoy6ep6s.exe 10->25         started        113 Changes security center settings (notifications, updates, antivirus, firewall) 15->113 27 MpCmdRun.exe 1 15->27         started        63 127.0.0.1 unknown unknown 17->63 29 consent.exe 2 19->29         started        file5 signatures6 process7 file8 49 C:\Windows\Resources\Themes\explorer.exe, MS-DOS 21->49 dropped 87 Antivirus detection for dropped file 21->87 89 Machine Learning detection for dropped file 21->89 91 Drops executables to the windows directory (C:\Windows) and starts them 21->91 93 Drops PE files with benign system names 21->93 31 explorer.exe 14 21->31         started        36 conhost.exe 27->36         started        signatures9 process10 dnsIp11 65 codecmd03.googlecode.com 31->65 67 codecmd02.googlecode.com 31->67 69 2 other IPs or domains 31->69 47 C:\Windows\Resources\spoolsv.exe, MS-DOS 31->47 dropped 71 Antivirus detection for dropped file 31->71 73 System process connects to network (likely due to code injection or exploit) 31->73 75 Machine Learning detection for dropped file 31->75 77 Drops PE files with benign system names 31->77 38 spoolsv.exe 2 31->38         started        file12 signatures13 process14 file15 51 C:\Windows\Resources\svchost.exe, MS-DOS 38->51 dropped 95 Antivirus detection for dropped file 38->95 97 Machine Learning detection for dropped file 38->97 99 Drops executables to the windows directory (C:\Windows) and starts them 38->99 101 Drops PE files with benign system names 38->101 42 svchost.exe 2 2 38->42         started        signatures16 process17 signatures18 103 Antivirus detection for dropped file 42->103 105 Detected CryptOne packer 42->105 107 Machine Learning detection for dropped file 42->107 109 Drops executables to the windows directory (C:\Windows) and starts them 42->109 45 spoolsv.exe 1 42->45         started        process19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/53554568971a309034dac6fc10291bf47de77b6299ef6a7ce70fd9603814d078/
Threat name:
Win32.Virus.Pioneer
Create hunting rule
Status:
Malicious
First seen:
2022-07-14 07:35:56 UTC
File Type:
PE (Exe)
Extracted files:
156
AV detection:
39 of 41 (95.12%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=knkuk2exdiyjang2y36baki36r66o63cthxwu7hhb7mwaoau2b4a._file
Verdict:
malicious
Similar samples:
0374ead74fa807fb1737d8829fdb5bad6c93779f6b9eb7162eddabff7a64acff
229e27d75b86582a1c728de0898c3a8193f463db7b07176ac6cde7bbc8e9883a
23d67bc537f5cfd46de2cba9580f80cdfb06e85a57ad74d3da20ed1196528d1c
36ed7e4e8dfce10773b1b1f1b7302e80d38bfd75d7c35bc5da2abf9a8a0b99e3
5d843a991e50d5cb0b420c0416b855aea512a3f7296a0964d1ccd224f3ac8718
7c793c742aff570a9052b1a2f559b781c70342678ad6582a42c6cc47260da425
877c0c4537bce1b5e8730eaa12cb2ffbb0ad17067e7dcfd2b89c4985f33e4f17
94b9abbe10bd9d6abcb8dce27814992bf7a09ed416c66998bd3496bda1490713
b2b465aad0a254c202bee124ff4beb540ac09ce04655f61478b5824509a1f6a2
b4373e36a5aa7a4ed214da50dc54d3f89503f2cff576d5523b51f1dab202b048
+ 1'035 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
persistence upx
Link:
https://tria.ge/reports/220715-s9xhzabha7/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Drops file in Program Files directory
Enumerates connected drives
Loads dropped DLL
Modifies AppInit DLL entries
UPX packed file
ACProtect 1.3x - 1.4x DLL software
Unpacked files
SH256 hash:
9b430cf0279ea266bee0497fd21628c65442342d6270a8f7918522fa4fe9c387
MD5 hash:
f598b6379f84e43532b6adc2198bfd9c
SHA1 hash:
73fcd6e681a26ab2ea356a9b951a8557bbc43f4c
Link:
https://www.unpac.me/results/d16befa2-4bd1-4564-ab24-6f3ed7faa2fb/
Parent samples :
ed61a0c490e5b16ba93721a48865fb3312c314d2b42df1c45c997e2347e0fbea
5824816c15c14812f8d8fe64a2317520ac6e1e96f59d4477aacbaff84d706718
8603a6629d84f5151f3c14463f58a86b24baff50280fa66cc26c086e3211b89f
fd05a5d4e619781f5e1affdfb88dfd117b616df12c8c42e8f05fbcc24ebcfaae
aed65c4e500b4d5da1b557da1b4c7d916868aa100f0b0eab243892036422a3db
e40e040b7604a94d6f9db5175e1a1cc4eb762c035c90ba49f952e723a9c8258a
d014b70080dc2525f222f7eb5aa8c97b35ac366f2c1ad0e0b656f7879d4cb4a1
038d79354607ff85b37621bed1e5e33c68ae21b483730b0e6067abcdd5276c9a
ea201b8fe8ee9d0514b5cc3e273e02b1a06872ebadec937a57285c049de1854d
e58eb39c66efd238b3d957301383ab74099577cf79204d0f7ead51d9cb9c4b1c
56f790633aa97cca376318d0f6f9055ac17c0f102e12f2bf6f078b361c316aa3
e0b7c369ac7cd497c804fe503a65a76606fabed39db60c117ad196607f9c8aa4
3672c48abefd98e598090174265dc3051ff712838e7214ed009c6fcfede22654
a74ee1dbb1120582708462beadf602396c36e9738b150bbf21bdfce09ecd7538
c4e805cafe001cbf1ede9535183d4101c0c2409a8c0ee7debd74ccda64d827f1
6df588b4ad822707978cdc32b85764c300895f946f6581d529b6b9fe086ae706
f7deee99b91289f666e2f0f0043b7330e2c28e88cb319b44c2d1c4499ff9f45f
ee1c03beade3bc4d590fc2a208b7b4006a8918576f992b348c5488c61e7b3dc5
09e3afe1513862f13cc241700fa5f8e4084fee568bc0b12044c94bc458b6b36c
95eb3c2415875d0898a9a206222d25138e0261b4188be73bc6edd965dbe207a5
a419c37fe7f832d9c6541d699124426071b30de1c0e0c9754d0af85cba0ed021
fe1e5468f98a5abe64a3a98a801078fb61fcf393eb8c63ca153275d4f9c61655
29cfbcef98823aabf25d4bc612e9991ce971d7546f4d4660505eb75bbdc57eb8
9cc8ee5bceb4329db551ab0f1c20ddc51feb6ad3f07f876e911e61b1c632664d
9a831200151eb0fb1191eeb1ec85a0006acaeaeb834e3150c63b2ddfc7eb9fca
1886c8a0b8111446cc2f76dd0394264c14a8ae5f53e3dcbe7399c43e71b1b1f7
791a4219e0a98665d6abe5f0267c03499bd8d842c894daaac554f5e3200bc5fb
ce40e5f365dc4a4af4688ebfc262edbdb129fdab31de51f6e67f7fa52fe9fc2a
99d9b3e49c9eaed0615aaf6289a235ff9f39cb5c3b7382d6f51304a6ec04594a
SH256 hash:
3bd75eaf6e1612cd0bd8f30b123ad9ec6f51b3b107e62beb8c12d1f53ee31c92
MD5 hash:
6f7ff959f49636b0421b9b68d2c46722
SHA1 hash:
fefad41a81fdbea91daf08d674d70d6c8e96b907
Link:
https://www.unpac.me/results/d16befa2-4bd1-4564-ab24-6f3ed7faa2fb/
SH256 hash:
d62d9aa0159f1ce64cac52105700fb083fe2aadb11719df1601325f2416f0f81
MD5 hash:
cbcc4ac8dd5132125795a44243e03a0b
SHA1 hash:
0cf89852ac44b8ce51809434cc5666e021d6f7c9
Link:
https://www.unpac.me/results/d16befa2-4bd1-4564-ab24-6f3ed7faa2fb/
SH256 hash:
9b430cf0279ea266bee0497fd21628c65442342d6270a8f7918522fa4fe9c387
MD5 hash:
f598b6379f84e43532b6adc2198bfd9c
SHA1 hash:
73fcd6e681a26ab2ea356a9b951a8557bbc43f4c
Link:
https://www.unpac.me/results/d16befa2-4bd1-4564-ab24-6f3ed7faa2fb/
Parent samples :
ed61a0c490e5b16ba93721a48865fb3312c314d2b42df1c45c997e2347e0fbea
5824816c15c14812f8d8fe64a2317520ac6e1e96f59d4477aacbaff84d706718
8603a6629d84f5151f3c14463f58a86b24baff50280fa66cc26c086e3211b89f
fd05a5d4e619781f5e1affdfb88dfd117b616df12c8c42e8f05fbcc24ebcfaae
aed65c4e500b4d5da1b557da1b4c7d916868aa100f0b0eab243892036422a3db
e40e040b7604a94d6f9db5175e1a1cc4eb762c035c90ba49f952e723a9c8258a
d014b70080dc2525f222f7eb5aa8c97b35ac366f2c1ad0e0b656f7879d4cb4a1
038d79354607ff85b37621bed1e5e33c68ae21b483730b0e6067abcdd5276c9a
ea201b8fe8ee9d0514b5cc3e273e02b1a06872ebadec937a57285c049de1854d
e58eb39c66efd238b3d957301383ab74099577cf79204d0f7ead51d9cb9c4b1c
56f790633aa97cca376318d0f6f9055ac17c0f102e12f2bf6f078b361c316aa3
e0b7c369ac7cd497c804fe503a65a76606fabed39db60c117ad196607f9c8aa4
3672c48abefd98e598090174265dc3051ff712838e7214ed009c6fcfede22654
a74ee1dbb1120582708462beadf602396c36e9738b150bbf21bdfce09ecd7538
c4e805cafe001cbf1ede9535183d4101c0c2409a8c0ee7debd74ccda64d827f1
6df588b4ad822707978cdc32b85764c300895f946f6581d529b6b9fe086ae706
f7deee99b91289f666e2f0f0043b7330e2c28e88cb319b44c2d1c4499ff9f45f
ee1c03beade3bc4d590fc2a208b7b4006a8918576f992b348c5488c61e7b3dc5
09e3afe1513862f13cc241700fa5f8e4084fee568bc0b12044c94bc458b6b36c
95eb3c2415875d0898a9a206222d25138e0261b4188be73bc6edd965dbe207a5
a419c37fe7f832d9c6541d699124426071b30de1c0e0c9754d0af85cba0ed021
fe1e5468f98a5abe64a3a98a801078fb61fcf393eb8c63ca153275d4f9c61655
29cfbcef98823aabf25d4bc612e9991ce971d7546f4d4660505eb75bbdc57eb8
9cc8ee5bceb4329db551ab0f1c20ddc51feb6ad3f07f876e911e61b1c632664d
9a831200151eb0fb1191eeb1ec85a0006acaeaeb834e3150c63b2ddfc7eb9fca
1886c8a0b8111446cc2f76dd0394264c14a8ae5f53e3dcbe7399c43e71b1b1f7
791a4219e0a98665d6abe5f0267c03499bd8d842c894daaac554f5e3200bc5fb
ce40e5f365dc4a4af4688ebfc262edbdb129fdab31de51f6e67f7fa52fe9fc2a
99d9b3e49c9eaed0615aaf6289a235ff9f39cb5c3b7382d6f51304a6ec04594a
SH256 hash:
3bd75eaf6e1612cd0bd8f30b123ad9ec6f51b3b107e62beb8c12d1f53ee31c92
MD5 hash:
6f7ff959f49636b0421b9b68d2c46722
SHA1 hash:
fefad41a81fdbea91daf08d674d70d6c8e96b907
Link:
https://www.unpac.me/results/d16befa2-4bd1-4564-ab24-6f3ed7faa2fb/
SH256 hash:
d62d9aa0159f1ce64cac52105700fb083fe2aadb11719df1601325f2416f0f81
MD5 hash:
cbcc4ac8dd5132125795a44243e03a0b
SHA1 hash:
0cf89852ac44b8ce51809434cc5666e021d6f7c9
Link:
https://www.unpac.me/results/d16befa2-4bd1-4564-ab24-6f3ed7faa2fb/
SH256 hash:
53554568971a309034dac6fc10291bf47de77b6299ef6a7ce70fd9603814d078
MD5 hash:
0681c2dd2e2335143eec7c5caf299890
SHA1 hash:
1503e20b0129f17fb3e0d5b66cf333a65b3cc911
Link:
https://www.unpac.me/results/d16befa2-4bd1-4564-ab24-6f3ed7faa2fb/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/53554568971a309034dac6fc10291bf47de77b6299ef6a7ce70fd9603814d078

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:adonunix2
Create hunting rule
Author:Tim Brown @timb_machine
Description:AD on UNIX

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 53554568971a309034dac6fc10291bf47de77b6299ef6a7ce70fd9603814d078

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/289771/

Comments