MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5978884a07ea7559941ec2a1ce86e08e4be36a9aae9d535f58021602b24cdaba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: 5978884a07ea7559941ec2a1ce86e08e4be36a9aae9d535f58021602b24cdaba
SHA3-384 hash: dfdcee2694b5a537bbd10b3c0acdfd3de5cb754db4f853502c8723b04ac956b5afd658674ce4afa9f95c26a8466201b2
SHA1 hash: 37c20c2ed8556b27217264dbaa7aa5a96894ca23
MD5 hash: a6cb3103fac2e6ad873ce6774e4ebddb
humanhash: carpet-south-island-spaghetti
File name: skynet_0.4.vir
Signature: n/a
File size: 3'764'224 bytes
First seen: 2020-07-19 19:30:18 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 337804e527a143f26af77d8bd177a8c3
ssdeep: 49152:kVitxtxcEKWnky3bYiFOfhi1nL3iQ4pHyacf5wnbh9MG57i:kkzxUWnky2Q1nL3347W5w4Ee
TLSH: 5A062211F740C4BEDA5705B17258D3BE6A287BB9226B1CD3B3C41F586E346DA7920B0B
Reporter: @tildedennis
Tags: skynet


Twitter (@tildedennis): skynet version 0.4

Intelligence


File Origin
# of uploads: 1
# of downloads: 19
Origin country: FR
Mail intelligence: No data

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Unauthorized injection to a recently created process
Sending an HTTP GET request
Creating a file in the %temp% subdirectories
Reading critical registry keys
Creating a file
Deleting a recently created file
Reading Telegram data
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a TCP request to an infection source
Stealing user critical data
Result
Threat name: ZeusVM
Detection: malicious
Classification: bank.troj.evad.mine
Score: 100 / 100
Behaviour
Behavior Graph (ID 247328): sample skynet_0.4.vir, start date 20/07/2020, architecture WINDOWS, score 100
Root signatures: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Machine Learning detection for sample; 4 other signatures
Process tree (as rendered in the graph):
  skynet_0.4.exe
    signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Contains functionality to determine the online IP of the system; 2 other signatures
    skynet_0.4.exe
      signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
      svchost.exe
        signatures: Detected ZeusVM e-Banking Trojan; Injects a PE file into a foreign processes
        svchost.exe
          network: checkip.dyndns.com 216.146.43.70, ports 49705, 80 (DYNDNSUS, United States); checkip.dyndns.org
          signatures: System process connects to network (likely due to code injection or exploit); Injects a PE file into a foreign processes
          svchost.exe
            network: 86.59.21.38, ports 443, 49726 (UTA-ASAT, Austria); 212.112.245.170, port 443 (QSC-AG-IPXDE, Germany); 171.25.193.9, ports 49727, 80 (DFRI-ASForeningenfordigitalafri-ochrattigheterSE, Sweden)
            signatures: System process connects to network (likely due to code injection or exploit)
            conhost.exe
          iexplore.exe
            network: 127.0.0.1 (unknown, unknown)
          svchost.exe
      iexplore.exe
      iexplore.exe
      3 other processes
Threat name: Win32.Trojan.Kryptik
Status: Malicious
First seen: 2014-10-16 10:11:00 UTC
AV detection: 25 of 31 (80.65%)
Threat level: 2/5

Result
Malware family: n/a
Score: 8/10
Tags: upx
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Looks up external IP address via web service
UPX packed file
Threat name: Unknown
Score: 1.00

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments