MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5a793b0d7422c599f190d907f38c095e35964b3deb1c9726a413173c2650a621. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5a793b0d7422c599f190d907f38c095e35964b3deb1c9726a413173c2650a621
SHA3-384 hash: 834dab05bc0f59acbd98bcb711725644c490b491dfbc18858a80a1a9c4331f9789142316d772c7c7323c9d4449a8d578
SHA1 hash: 917143ff4aea20d6b2e94fb2c201cb89fa87f6ba
MD5 hash: 4fd8837d4d61592caed82ac2cda2b773
humanhash: carbon-nebraska-moon-july
File name:5a793b0d7422c599f190d907f38c095e35964b3deb1c9726a413173c2650a621
Download: download sample
File size:6'967'161 bytes
First seen:2021-04-05 09:26:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4df47bd79d7fe79953651a03293f0e8f (4 x Mimikatz, 3 x Beapy, 1 x Quakbot)
ssdeep 196608:eAqjTpnhXlmyWCZNulPKQ8hY/Bkr/fOIT/+VdlBFKazt:kfauN/HYOSIT/EVF9B
Threatray 723 similar samples on MalwareBazaar
TLSH B4663381F0928CBAE8F611371AB6D1353A7AF5230B0585AF639C5A977A303D1A77C61C
Reporter JAMESWT_WT
Tags:Shenzhen Smartspace Software technology Co.Limited signed

Code Signing Certificate

Organisation:Shenzhen Smartspace Software technology Co.,Limited
Issuer:VeriSign Class 3 Code Signing 2010 CA
Algorithm:sha1WithRSAEncryption
Valid from:2015-04-21T00:00:00Z
Valid to:2017-04-19T23:59:59Z
Serial number: 559cb90fd16e9d1ad375f050ab6a6616
Intelligence: 30 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 9a069ab39b6703bad84b3ddf1d3c7f5e98b5e804d45a2b8e447590f6c5f96dc6
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
154
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5a793b0d7422c599f190d907f38c095e35964b3deb1c9726a413173c2650a621
Verdict:
Malicious activity
Analysis date:
2021-04-05 09:28:31 UTC
Tags:
trojan mimikatz evasion
Link:
https://app.any.run/tasks/170d1368-0ebb-4aba-baaa-929561ad128c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/132184/
Detection(s):
Win.Malware.Python-6964011-0
Create hunting rule

Win.Malware.Python-6964012-0
Create hunting rule

PUA.Win.Malware.Generic-6651521-0
Create hunting rule

SecuriteInfo.com.Heur.Veil.6.11070.10230.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a file
Sending a UDP request
Creating a window
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/af4c842d-a114-4860-8107-045633bb0f3a
Result
Threat name:
Mimikatz
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/665914
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Connects to many different private IPs (likely to spread or exploit)
Connects to many different private IPs via SMB (likely to spread or exploit)
Detected Hacktool Mimikatz
Found suspicious powershell code related to unpacking or dynamic code loading
Gathers network related connection and port information
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses ipconfig to lookup or modify the Windows network settings
Uses netstat to query active network connections and open ports
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 381884 Sample: 1QGRzqhVgn Startdate: 05/04/2021 Architecture: WINDOWS Score: 100 52 info.ackng.com 2->52 54 info.abbny.com 2->54 56 2 other IPs or domains 2->56 70 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->70 72 Multi AV Scanner detection for domain / URL 2->72 74 Malicious sample detected (through community Yara rule) 2->74 76 5 other signatures 2->76 10 1QGRzqhVgn.exe 34 2->10         started        signatures3 process4 file5 42 C:\Users\user\AppData\Local\...\win32wnet.pyd, PE32 10->42 dropped 44 C:\Users\user\AppData\Local\...\win32pipe.pyd, PE32 10->44 dropped 46 C:\Users\user\AppData\...\win32event.pyd, PE32 10->46 dropped 48 25 other files (none is malicious) 10->48 dropped 82 Uses netstat to query active network connections and open ports 10->82 84 Gathers network related connection and port information 10->84 14 1QGRzqhVgn.exe 3 10->14         started        19 conhost.exe 10->19         started        signatures6 process7 dnsIp8 58 info.abbny.com 173.231.189.15, 49738, 49744, 49996 VOXEL-DOT-NETUS United States 14->58 60 beahh.com 72.52.178.23, 49737, 49743, 49893 LIQUIDWEBUS United States 14->60 62 101 other IPs or domains 14->62 50 C:\Users\user\Desktop\m2.ps1, ASCII 14->50 dropped 64 Connects to many different private IPs via SMB (likely to spread or exploit) 14->64 66 Connects to many different private IPs (likely to spread or exploit) 14->66 68 Gathers network related connection and port information 14->68 21 cmd.exe 1 14->21         started        24 powershell.exe 18 14->24         started        26 cmd.exe 1 14->26         started        28 4 other processes 14->28 file9 signatures10 process11 signatures12 78 Uses ipconfig to lookup or modify the Windows network settings 21->78 30 WMIC.exe 1 21->30         started        80 Found suspicious powershell code related to unpacking or dynamic code loading 24->80 32 net.exe 1 26->32         started        34 net.exe 1 28->34         started        36 ipconfig.exe 28->36         started        process13 process14 38 net1.exe 1 32->38         started        40 net1.exe 1 34->40         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5a793b0d7422c599f190d907f38c095e35964b3deb1c9726a413173c2650a621/
Threat name:
Win32.Trojan.InjectPyinc
Create hunting rule
Status:
Malicious
First seen:
2021-03-30 11:39:50 UTC
File Type:
PE (Exe)
Extracted files:
452
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
016a1738c27fb3416ddef3c55af9e6eb19635c61fa92c7095b63b798c105dbae
03bdb2c5cdea7f4b01dd14e5436a26162de5e85b78d67e0600cc27ef5ae57f4a
0f35f9dc61b9619e670fd1e0fd8e4ffe2ebe77bf5edde65b98a14c5a4070d662
14f7650cf7f4846aa683f0cee500d8957ebdbb85b59c6e45b7c56a66ebfd8122
2ad506baf005089e45769c6a7f6a37319d47834bad6375e3e3107cd263142436
59a9070703cf67481acab89f7c77d54da976f2922075dd81894b837cca0b1a21
5b29fd421e1874ba8b156dff9494e219c35714ea149865053a88a83108a45ed4
6dcbb7cce5ccc5cef33d439c9ec4c11186292d8ffa8c48e4614c7b43a2ff07e4
a907d33c6b53bb2da7803828fd2070b739ae402babe50099adbb072b0cedd1c3
b52a65b2b1353bbf2354a8a629b7e7105caf2a13827e4e0aaa4dde90b6d30ced
+ 713 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion pyinstaller
Link:
https://tria.ge/reports/210405-98pwwb1egn/
Behaviour
Creates scheduled task(s)
Gathers network information
Modifies data under HKEY_USERS
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Detects Pyinstaller
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Loads dropped DLL
Executes dropped EXE
Modifies Windows Firewall
Grants admin privileges
Unpacked files
SH256 hash:
4e2db219c2f6e9443766e5ca0d6c0b790d764f1ddb65e0ad9b2036feef2743a4
MD5 hash:
824c3c567d78753d1c720fb888d63a9e
SHA1 hash:
d3fe62b11c4c7ea62456be9a7c867f645dd2b48e
Link:
https://www.unpac.me/results/36eeeb9c-ee50-4bfb-974d-115e15753046/
SH256 hash:
edec30653dc56df03eb40fa97c616950fd593c0b90c2950af722e66816eb70e9
MD5 hash:
5b44d0bd38c218445dde8c913736eaac
SHA1 hash:
dc778e6dc62006a5ccd1f206c3000e32b4439592
Link:
https://www.unpac.me/results/36eeeb9c-ee50-4bfb-974d-115e15753046/
SH256 hash:
e3eed66221a6552d4b9ae7350b3dc30de238a6029efae060514d2780c02fedb4
MD5 hash:
f5c5c0d5d9e93d6e8cb66b825cd06230
SHA1 hash:
da7be79dd502a89cf6f23476e5f661eebd89342b
Link:
https://www.unpac.me/results/36eeeb9c-ee50-4bfb-974d-115e15753046/
SH256 hash:
075316c2e6fe471b40d7377d3885fe3f305eaa7d4dc9a36155985acc2cd14f83
MD5 hash:
c02566fd7171036b0b6dfc34a091d051
SHA1 hash:
0f3a9f64b618fc801a77b083684c9b2bffd90198
Link:
https://www.unpac.me/results/36eeeb9c-ee50-4bfb-974d-115e15753046/
SH256 hash:
3ca9c0ff13262379669b6512672f1908d1f0648d5f0e463d94c6ec8169262bd9
MD5 hash:
ea758bd12cc27df5fc5c6ad9e4102c89
SHA1 hash:
833cf9561c4bd271b1643545c33eed869a562856
Link:
https://www.unpac.me/results/36eeeb9c-ee50-4bfb-974d-115e15753046/
SH256 hash:
ea0efcab32e6572f61a3c765356e283bd6a8f75ec2a4c8b12f1fb3db76ca68d4
MD5 hash:
27a7a40b2b83578e0c3bffb5a167d67a
SHA1 hash:
d20a7d3308990ce04839569b66f8639d6ed55848
Link:
https://www.unpac.me/results/36eeeb9c-ee50-4bfb-974d-115e15753046/
SH256 hash:
a8b6cf34029fa3ecef4e116774d717a479e8beeb6ecaa4f8780e1355e54dd930
MD5 hash:
f4409e292071549df74cd7d6d78381c0
SHA1 hash:
a689ebd57b4f289ce5aae47bed2ab3fc45a74419
Link:
https://www.unpac.me/results/36eeeb9c-ee50-4bfb-974d-115e15753046/
SH256 hash:
dac859e631d32a91c38a24870a96dd05bfed30881c7491ad4101b5f47cc35db1
MD5 hash:
e6564a063431a7ec5662c86318a9653c
SHA1 hash:
9ae5589ee43c317134eeb6b129c80efb77b84fbf
Link:
https://www.unpac.me/results/36eeeb9c-ee50-4bfb-974d-115e15753046/
SH256 hash:
3766487b36c3cd4843c62832a7a2cb15a9ed38b5c1c22c5ebf9699d2b190c541
MD5 hash:
bf60014a0ab75184a9a466ba9ff53a38
SHA1 hash:
8d27ad49a6221e2d28c61b7aa77730b6c17f29fa
Link:
https://www.unpac.me/results/36eeeb9c-ee50-4bfb-974d-115e15753046/
SH256 hash:
041db77dde8fbb0c0883cf712c2eacf32173e949e21d75a68c7ef37e1a8cfa92
MD5 hash:
17081b08bbdba9aa50de0d260d0749b3
SHA1 hash:
7c9648da0751e04e0d92b5ee3129ab4071eb57b2
Link:
https://www.unpac.me/results/36eeeb9c-ee50-4bfb-974d-115e15753046/
SH256 hash:
30c86e52f2aafc32feb444736ccace030ba413f7e20f08eeb6b76a9a5cacf1d6
MD5 hash:
0f935b2887edc3caa081ec518609b39b
SHA1 hash:
69dac2012b85970e87293afd65e08e2e9bf04b96
Link:
https://www.unpac.me/results/36eeeb9c-ee50-4bfb-974d-115e15753046/
SH256 hash:
dd792c6869775da817c8bc65b3a039b2a0769dc0e4c42ca1a1528329647ab0fe
MD5 hash:
2e7ac5209a5e8e73a62b0eb5776fae46
SHA1 hash:
552e77ff09f8db98611f792a497d7eff743fd28a
Link:
https://www.unpac.me/results/36eeeb9c-ee50-4bfb-974d-115e15753046/
SH256 hash:
5d3ad0c8a4f2429899a72b6e4f6fc9afc55551c544e7485483e31f140620e358
MD5 hash:
c31ef4dcc3f5a66cc4aed9efdd7925f2
SHA1 hash:
395d514ca5dd84967c5a1422abf87350bca4bab8
Link:
https://www.unpac.me/results/36eeeb9c-ee50-4bfb-974d-115e15753046/
SH256 hash:
98d65ea01d67f93f60696b9e804c3ffbe1e7dd820c690b1b44c54570f6cdfa73
MD5 hash:
52a0fa05d1de1a7a715057b372dee6ff
SHA1 hash:
30f283960ddb0b124cef50d1b6182cdf83fc3917
Link:
https://www.unpac.me/results/36eeeb9c-ee50-4bfb-974d-115e15753046/
SH256 hash:
bd1ec1ed8d8f4d4bd33c5c10fff6e00b60f341c5535a97fc70d76d6473045fe3
MD5 hash:
f7d962510cad9da2766666ad228f1920
SHA1 hash:
123148fd33387c644d786c7f6a09ecc34487f128
Link:
https://www.unpac.me/results/36eeeb9c-ee50-4bfb-974d-115e15753046/
SH256 hash:
f0b20f774c846a494fb6e9501c33be0ca0bcde9ccb5fbb02b2e5add73bf830b9
MD5 hash:
ae5deb3ad76e14f67bb2012cfcbff5c4
SHA1 hash:
045f49b70c33ae211cb3465d6542e3285c8dc16c
Link:
https://www.unpac.me/results/36eeeb9c-ee50-4bfb-974d-115e15753046/
SH256 hash:
5a793b0d7422c599f190d907f38c095e35964b3deb1c9726a413173c2650a621
MD5 hash:
4fd8837d4d61592caed82ac2cda2b773
SHA1 hash:
917143ff4aea20d6b2e94fb2c201cb89fa87f6ba
Link:
https://www.unpac.me/results/36eeeb9c-ee50-4bfb-974d-115e15753046/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5a793b0d7422c599f190d907f38c095e35964b3deb1c9726a413173c2650a621

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Impacket
Create hunting rule
Author:@bartblaze
Description:Identifies Impacket, a collection of Python classes for working with network protocols.
Reference:https://github.com/SecureAuthCorp/impacket
Rule name:Impacket_Keyword
Create hunting rule
Author:Florian Roth
Description:Detects Impacket Keyword in Executable
Reference:Internal Research
Rule name:Impacket_Lateral_Movement
Create hunting rule
Author:Markus Neis
Description:Detects Impacket Network Aktivity for Lateral Movement
Reference:https://github.com/CoreSecurity/impacket
Rule name:Impacket_Tools_psexec
Create hunting rule
Author:Florian Roth
Description:Compiled Impacket Tools
Reference:https://github.com/maaaaz/impacket-examples-windows
Rule name:INDICATOR_TOOL_LTM_CompiledImpacket
Create hunting rule
Author:ditekSHen
Description:Detects executables of compiled Impacket's python scripts
Rule name:PE_File_pyinstaller
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Description:Detect PE file produced by pyinstaller
Reference:https://isc.sans.edu/diary/21057
Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/132184/

Comments