MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5ca0d55d21bb5217a3e65aa8c82517e64dd47f70a5322dee2540a2a7179b8056. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5ca0d55d21bb5217a3e65aa8c82517e64dd47f70a5322dee2540a2a7179b8056
SHA3-384 hash: 20b57c1755f76829236a1c7c3e407645e6498b4132d2a0f4c51cb7e0366a2d16fc13f059ece916b265ec94455d82ce3d
SHA1 hash: 591fbed0c7f6174683a6a533e3ce7e33de0f37fd
MD5 hash: e4bec86181d4f9c07ded5fa2ef30b59c
humanhash: papa-papa-seven-edward
File name:e4bec86181d4f9c07ded5fa2ef30b59c.exe
Download: download sample
File size:965'632 bytes
First seen:2020-11-28 11:07:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep 24576:WAHnh+eWsN3skA4RV1Hom2KXMmHaTjENyi+35:xh+ZkldoPK8YaTjUyl
Threatray 918 similar samples on MalwareBazaar
TLSH 80259C0273D1C036FFABA2739B6AF60156BD79254123852F13981DB9BD701B2273E663
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
192
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/105913/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file
Creating a file in the %temp% directory
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Sending a UDP request
Launching a process
Launching cmd.exe command interpreter
Using the Windows Management Instrumentation requests
Searching for the window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Launching a tool to kill processes
Enabling autorun
Enabling autorun by creating a file
Sending an HTTP GET request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/550082
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
Changes security center settings (notifications, updates, antivirus, firewall)
Creates an undocumented autostart registry key
Drops PE files with benign system names
Found strings related to Crypto-Mining
Hides threads from debuggers
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
Sigma detected: Xmrig
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 324154 Sample: RZdBNC85Fb.exe Startdate: 28/11/2020 Architecture: WINDOWS Score: 100 72 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->72 74 Sigma detected: Xmrig 2->74 76 Antivirus detection for URL or domain 2->76 78 10 other signatures 2->78 8 RZdBNC85Fb.exe 4 2->8         started        12 svchost.exe 2->12         started        14 svchost.exe 9 1 2->14         started        17 11 other processes 2->17 process3 dnsIp4 62 C:\ProgramData\WindowsDefender\svchost.exe, PE32 8->62 dropped 64 C:\...\svchost.exe:Zone.Identifier, ASCII 8->64 dropped 88 Binary is likely a compiled AutoIt script file 8->88 90 Drops PE files with benign system names 8->90 19 svchost.exe 4 16 8->19         started        24 cmd.exe 1 8->24         started        92 Changes security center settings (notifications, updates, antivirus, firewall) 12->92 70 192.168.2.1 unknown unknown 14->70 file5 signatures6 process7 dnsIp8 68 194.147.115.117, 49701, 80 MIRHOSTINGRU unknown 19->68 58 C:\Users\user\AppData\...\PhoenixMiner[1].exe, PE32+ 19->58 dropped 60 C:\ProgramData\...\PhoenixMiner.exe, PE32+ 19->60 dropped 80 System process connects to network (likely due to code injection or exploit) 19->80 82 Multi AV Scanner detection for dropped file 19->82 84 Creates an undocumented autostart registry key 19->84 26 PhoenixMiner.exe 1 19->26         started        29 PhoenixMiner.exe 1 19->29         started        31 PhoenixMiner.exe 1 19->31         started        40 4 other processes 19->40 86 Uses ping.exe to sleep 24->86 33 PING.EXE 1 24->33         started        36 taskkill.exe 1 24->36         started        38 conhost.exe 24->38         started        42 5 other processes 24->42 file9 signatures10 process11 dnsIp12 94 Antivirus detection for dropped file 26->94 96 Multi AV Scanner detection for dropped file 26->96 98 Hides threads from debuggers 26->98 44 conhost.exe 26->44         started        46 conhost.exe 29->46         started        48 conhost.exe 31->48         started        66 127.0.0.1 unknown unknown 33->66 50 conhost.exe 40->50         started        52 schtasks.exe 1 40->52         started        54 conhost.exe 40->54         started        56 conhost.exe 40->56         started        signatures13 process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5ca0d55d21bb5217a3e65aa8c82517e64dd47f70a5322dee2540a2a7179b8056/
Threat name:
Win32.Trojan.Ymacco
Create hunting rule
Status:
Malicious
First seen:
2020-11-28 00:11:35 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
1275be780e28778f4db9b08b70b14d2d2ca9cecac94085c704c9ba4083ec9b6f
1d08ccd9e353e6684b90cef223afd58b740d0b391381c03636b56da17f44e6b9
23585bc9e143c358682c543caf45ca5b58ce758e50c115adb40d58e9b0a893cf
55416c27dc034735dba35002a4c206b05ab35bc197a56584d2ddba5dad588633
62239c71860b849f45e1273d3bfd670f0d93d8f267ff4bac59a96e91d21944b7
690fd66b2d2844fa4bd98c0b1f79fbf7fe9c38c5f187d1ee05757bda9c28984e
88ee51250e47627f9b734c897249cdc14a295d7297494b1ec7aab981370185ba
959fb7ddc21a59316a62816578b2d496497bef2f30674a01b881f810782d4de5
d059e5aa288313feb01ce0763572909d1b587791b4e6668225c44f248997ddaf
f8257ea6068267793a12ae2a1dfd91384664bee14820c51fd8984031ad3047de
+ 908 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/201128-beq2wgma6a/
Behaviour
Creates scheduled task(s)
Enumerates processes with tasklist
Kills process with taskkill
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
JavaScript code in executable
Deletes itself
Loads dropped DLL
Adds policy Run key to start application
Executes dropped EXE
Unpacked files
SH256 hash:
5ca0d55d21bb5217a3e65aa8c82517e64dd47f70a5322dee2540a2a7179b8056
MD5 hash:
e4bec86181d4f9c07ded5fa2ef30b59c
SHA1 hash:
591fbed0c7f6174683a6a533e3ce7e33de0f37fd
Link:
https://www.unpac.me/results/29aae4b8-b2f5-4a4c-81a1-c97c1f9a42b8/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE).

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 5ca0d55d21bb5217a3e65aa8c82517e64dd47f70a5322dee2540a2a7179b8056

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/842311/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/105913/

Comments