MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5f0d6bb3445ed0c410b2dd8874cf7fc7b1c4e06cc2e620790eb782f2c339c796. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Worm.m0yv


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5f0d6bb3445ed0c410b2dd8874cf7fc7b1c4e06cc2e620790eb782f2c339c796
SHA3-384 hash: b56049a48d089a4c5c43ff3a09ceb13530730207f7809370d527207e3e0c77ab537fa669adeaeb0417239ff1f1725207
SHA1 hash: 0d499a3a4b044cdd2685c2df7de1c4ebe740703f
MD5 hash: 42080886d61700323e62d2de3a32454d
humanhash: mars-white-mars-illinois
File name:Ziraat_Swift.hta
Download: download sample
Signature Worm.m0yv
Create hunting rule
File size:2'325'905 bytes
First seen:2024-12-02 06:54:48 UTC
Last seen:2024-12-03 09:11:24 UTC
File type:HTML Application (hta) hta
MIME type:text/html
ssdeep 24576:CfE7hFTaWOiByiEkv5VKB0sQBKU4lqAzJQ0lOwAmp/wNR/GARRsFPEt592Sx09Hg:GKmUiq0XAmp/CsAUWUt9Yy8dNryaKC
Threatray 31 similar samples on MalwareBazaar
TLSH T181B5F121C6154D9C264BCD2D2D0A0D97511CFFFB958AFA06CA8A7C07A6DBF1E20B971C
Magika vba
Reporter lowmal3
Tags:hta Worm.m0yv

Intelligence

File Origin
# of uploads :
3
# of downloads :
100
Origin country :
DE DE
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Script.SNH-gen.20792.29594.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=674d5b22e64d1c722d7b3a53
Tags:
autorun autoit emotet
Result
Verdict:
Malicious
File Type:
HTA File - Malicious
Link:
https://app.docguard.net/5f0d6bb3445ed0c410b2dd8874cf7fc7b1c4e06cc2e620790eb782f2c339c796/results/dashboard
Behaviour
BlacklistAPI detected
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated
Link:
https://www.filescan.io/uploads/674d59c7f7c2ff1a12e56daa/reports/a396a715-83b7-4ba4-baf8-16ed42a71fd6/overview
Verdict:
Suspicious
Labled as:
VBS/Agent.BNG
Link:
https://www.hybrid-analysis.com/sample/5f0d6bb3445ed0c410b2dd8874cf7fc7b1c4e06cc2e620790eb782f2c339c796
Result
Threat name:
MassLogger RAT, PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1566438
Signature
AI detected suspicious sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
Contains functionality to behave differently if execute on a Russian/Kazak computer
Creates files in the system32 config directory
Drops executable to a common third party application directory
Drops VBS files to the startup folder
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Legitimate Application Dropped Executable
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes data at the end of the disk (often used by bootkits to hide malicious code)
Writes to foreign memory regions
Yara detected MassLogger RAT
Yara detected PureLog Stealer
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1566438 Sample: Ziraat_Swift.hta Startdate: 02/12/2024 Architecture: WINDOWS Score: 100 69 reallyfreegeoip.org 2->69 71 ww7.przvgke.biz 2->71 73 24 other IPs or domains 2->73 87 Multi AV Scanner detection for domain / URL 2->87 89 Suricata IDS alerts for network traffic 2->89 91 Found malware configuration 2->91 95 14 other signatures 2->95 9 alg.exe 1 2->9         started        14 mshta.exe 2 2->14         started        16 elevation_service.exe 2->16         started        18 14 other processes 2->18 signatures3 93 Tries to detect the country of the analysis system (by using the IP) 69->93 process4 dnsIp5 81 ww99.fwiwk.biz 72.52.179.174, 49740, 49902, 80 LIQUIDWEBUS United States 9->81 83 lpuegx.biz 82.112.184.197, 49753, 49754, 49790 FIRST_LINE-SP_FOR_B2B_CUSTOMERSUPSTREAMSRU Russian Federation 9->83 85 7 other IPs or domains 9->85 49 C:\Program Files\...\updater.exe, PE32+ 9->49 dropped 51 C:\Program Files\...\private_browsing.exe, PE32+ 9->51 dropped 53 C:\Program Files\...\plugin-container.exe, PE32+ 9->53 dropped 63 120 other malicious files 9->63 dropped 109 Creates files in the system32 config directory 9->109 111 Writes data at the end of the disk (often used by bootkits to hide malicious code) 9->111 113 Drops executable to a common third party application directory 9->113 55 C:\Users\user\AppData\Local\Temp\x.exe, PE32 14->55 dropped 20 x.exe 5 14->20         started        57 C:\Windows\System32\snmptrap.exe, PE32+ 16->57 dropped 59 C:\Windows\System32\msiexec.exe, PE32+ 16->59 dropped 61 C:\Windows\System32\msdtc.exe, PE32+ 16->61 dropped 65 8 other malicious files 16->65 dropped 115 Infects executable files (exe, dll, sys, html) 16->115 117 Found direct / indirect Syscall (likely to bypass EDR) 16->117 119 Windows Scripting host queries suspicious COM object (likely to drop second stage) 18->119 121 Contains functionality to behave differently if execute on a Russian/Kazak computer 18->121 25 differences.exe 18->25         started        file6 signatures7 process8 dnsIp9 79 cvgrf.biz 54.244.188.177, 49730, 49731, 49732 AMAZON-02US United States 20->79 41 C:\Windows\System32\alg.exe, PE32+ 20->41 dropped 43 C:\Windows\System32\AppVClient.exe, PE32+ 20->43 dropped 45 C:\Users\user\AppData\...\differences.exe, PE32 20->45 dropped 47 4 other malicious files 20->47 dropped 101 Binary is likely a compiled AutoIt script file 20->101 103 Writes data at the end of the disk (often used by bootkits to hide malicious code) 20->103 105 Drops executable to a common third party application directory 20->105 107 Infects executable files (exe, dll, sys, html) 20->107 27 differences.exe 2 20->27         started        31 differences.exe 25->31         started        33 RegSvcs.exe 25->33         started        file10 signatures11 process12 file13 67 C:\Users\user\AppData\...\differences.vbs, data 27->67 dropped 123 Drops VBS files to the startup folder 27->123 125 Writes to foreign memory regions 27->125 127 Maps a DLL or memory area into another process 27->127 129 Switches to a custom stack to bypass stack traces 27->129 35 RegSvcs.exe 15 2 27->35         started        39 RegSvcs.exe 31->39         started        signatures14 process15 dnsIp16 75 checkip.dyndns.com 193.122.130.0, 49733, 49749, 80 ORACLE-BMC-31898US United States 35->75 77 reallyfreegeoip.org 104.21.67.152, 443, 49736, 49752 CLOUDFLARENETUS United States 35->77 97 Tries to steal Mail credentials (via file / registry access) 39->97 99 Tries to harvest and steal browser information (history, passwords, etc) 39->99 signatures17
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/5f0d6bb3445ed0c410b2dd8874cf7fc7b1c4e06cc2e620790eb782f2c339c796
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5f0d6bb3445ed0c410b2dd8874cf7fc7b1c4e06cc2e620790eb782f2c339c796/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2024-12-02 03:56:49 UTC
File Type:
Text (HTML)
Extracted files:
1
AV detection:
4 of 24 (16.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=l4gwxm2el3imiefs3wehjt37y6y4jydmyltca6iow6bpfqzzy6la._file
Verdict:
malicious
Label(s):
unknown_loader_036
Create hunting rule
expiro
Create hunting rule
Similar samples:
3335d593c4a2f7ab94a35fd5a0991026d1800592a18cc842686d3bf6bb66503d
Worm.m0yv
3ca1c11c2d4173581e8007b955c912dd1d6abdb1bafe03924aca8cba437df745
Worm.m0yv
4aa2ea3cc55b48f3f6e54c75d383592a6fd4fa449908adbc019c3fb676dd5285
Worm.m0yv
6012722bb5136e7dfcc33763ccd5ec5c2024a1904f928c5c75b8160b13b6ecc9
Worm.m0yv
829026e0d6a6f73f3328bb4aabd5f0e3f063f000cd9d860c051b307e148395d5
Worm.m0yv
9a759f2ef8ee16b697f30aab51fc726f9697b338e0aba56c063860146bbfc76b
Worm.m0yv
b336830d627101633db934f8d48606639c70d133a5985026bc250c035e887faf
Worm.m0yv
error
Worm.m0yv
ff3bcc4bc70f9e6724fcc0fb36c4f57cc5956136850bd39c9581413f7c4688a9
Worm.m0yv
+ 21 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
collection discovery spyware stealer
Link:
https://tria.ge/reports/241202-hpsdeatrgv/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
outlook_office_path
outlook_win_path
Checks SCSI registry key(s)
Checks processor information in registry
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
AutoIT Executable
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/5f0d6bb3445ed0c410b2dd8874cf7fc7b1c4e06cc2e620790eb782f2c339c796

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_tiny_vbs
Create hunting rule
Author:daniyyell
Description:Detects tiny VBS delivery technique

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Worm.m0yv

HTML Application (hta) hta 5f0d6bb3445ed0c410b2dd8874cf7fc7b1c4e06cc2e620790eb782f2c339c796

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments