MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 600c157ddb6d90c409f612a89e5c4259af4a7f724fd23ba85d1879b49c83054b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 600c157ddb6d90c409f612a89e5c4259af4a7f724fd23ba85d1879b49c83054b
SHA3-384 hash: 1fe9b8abbf09ac9d3fabb1d6a22981845c03d10f3aefaf97b340b38046dcdc89fdfaa32f788552e877cfb47460784841
SHA1 hash: de50b3216e1f1fcff992f40cd9bd77c8be1a0d38
MD5 hash: 4d9ba816014d16adb4ad1628fc8e938b
humanhash: undress-nineteen-undress-tango
File name:4d9ba816014d16adb4ad1628fc8e938b
Download: download sample
File size:3'241'472 bytes
First seen:2021-12-23 07:01:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 61c3df730291850fea0c9a7171786100 (13 x CoinMiner)
ssdeep 98304:s0jVKaT0M/YQ+O2Fpr71Djo3ZI9YIdlDnq1wbxfY:s6ku0M/D+bTZoApnVbC
Threatray 86 similar samples on MalwareBazaar
TLSH T10FE523A3F5AE5EFAC4420835D605752A8F5E68724FE3849043E9836FB1C3923524FF99
Reporter zbetcheckin
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
117
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://vm494369.eurodir.ru/g21ntuss.exe
Verdict:
Malicious activity
Analysis date:
2021-12-22 01:35:10 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/dffdb36d-4133-466c-8a21-4663265217a9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/215885/
Detection(s):
Win.Dropper.Enigma-9916985-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Running batch commands
Launching a process
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %AppData% subdirectories
Creating a window
Launching the default Windows debugger (dwwin.exe)
Blocking the Windows Defender launch
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Malware family:
n/a
Score:
  0/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/2977/overview
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
enigma packed
Link:
https://www.filescan.io/uploads/61c41eeeec6c6c14a9ebe773/reports/6a23372f-906a-480a-b6f5-ad6e4a77c85a/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/11a751b3-c059-44c1-86ef-094e122d2c3f
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/911865
Signature
Detected unpacking (overwrites its own PE header)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Uses the Telegram API (likely for C&C communication)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 544343 Sample: FsJaAzFjuY Startdate: 23/12/2021 Architecture: WINDOWS Score: 84 52 Multi AV Scanner detection for submitted file 2->52 54 Machine Learning detection for sample 2->54 56 Uses the Telegram API (likely for C&C communication) 2->56 58 PE file has nameless sections 2->58 7 RegHost.exe 13 2->7         started        11 FsJaAzFjuY.exe 1 14 2->11         started        process3 dnsIp4 60 Multi AV Scanner detection for dropped file 7->60 62 Detected unpacking (overwrites its own PE header) 7->62 64 Machine Learning detection for dropped file 7->64 14 cmd.exe 1 7->14         started        16 cmd.exe 1 7->16         started        18 WerFault.exe 17 9 7->18         started        20 conhost.exe 7->20         started        50 github.com 140.82.121.4, 443, 49733, 49734 GITHUBUS United States 11->50 46 C:\Users\user\AppData\Roaming\...\RegHost.exe, PE32+ 11->46 dropped 66 Hides threads from debuggers 11->66 22 WerFault.exe 20 9 11->22         started        25 cmd.exe 1 11->25         started        27 cmd.exe 1 11->27         started        29 2 other processes 11->29 file5 signatures6 process7 file8 31 conhost.exe 14->31         started        33 conhost.exe 16->33         started        44 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 22->44 dropped 35 curl.exe 1 25->35         started        38 conhost.exe 25->38         started        40 conhost.exe 27->40         started        42 conhost.exe 29->42         started        process9 dnsIp10 48 api.telegram.org 149.154.167.220, 443, 49732 TELEGRAMRU United Kingdom 35->48
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/600c157ddb6d90c409f612a89e5c4259af4a7f724fd23ba85d1879b49c83054b/
Threat name:
Win64.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2021-12-22 03:00:16 UTC
File Type:
PE+ (Exe)
AV detection:
21 of 27 (77.78%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
1b8dab946d42aa832cfd9df68593c311e979491f2bd7df7f6f1acb9427215b68
3dbd5487b19aa019bade16d9061195230b742a45ddb2e411d0e6b7fac6778e17
64edbaff99fe8c87c2f5f826b0d1741c575295e3ab0c3d16db8bbacd2baebd30
c937ab727bd34bd8c83e2ea01054cd60363ca35bd99fccf46b1f1f1f119715db
e9f1d411e9f40b3050fd6bec3caf316b0986bce3f8185b6529efc6586800fd4a
f3a0806bf7e9030e703483f4469a2292d9595d500a2365336de454a3bf047e26
f3de4ce2a7e7d27e8dcfc9b38b0e55631181393e673a37a57bd97e218a797cfe
feb365d784b06535c3bd3ab5c525e771521f0f7dcc71c8c3e800226fdb117085
+ 76 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence trojan
Link:
https://tria.ge/reports/211223-hts6hahbg3/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Modifies Windows Defender Real-time Protection settings
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SH256 hash:
600c157ddb6d90c409f612a89e5c4259af4a7f724fd23ba85d1879b49c83054b
MD5 hash:
4d9ba816014d16adb4ad1628fc8e938b
SHA1 hash:
de50b3216e1f1fcff992f40cd9bd77c8be1a0d38
Link:
https://www.unpac.me/results/981832e9-e333-46e3-9b63-721c9f8624ea/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/600c157ddb6d90c409f612a89e5c4259af4a7f724fd23ba85d1879b49c83054b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:EnigmaStub
Create hunting rule
Author:@bartblaze
Description:Identifies Enigma packer stub.
Rule name:INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
Create hunting rule
Author:ditekSHen
Description:Detects executables embedding registry key / value combination indicative of disabling Windows Defedner features
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:XOREngine_Misc_XOR_Func
Create hunting rule
Author:smiller cc @florian @wesley idea on implementation with yara's built in XOR function
Description:Use with care, https://twitter.com/cyb3rops/status/1237042104406355968

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 600c157ddb6d90c409f612a89e5c4259af4a7f724fd23ba85d1879b49c83054b

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1913286/
Cape
Cape
https://www.capesandbox.com/analysis/215885/

Comments


Avatar
zbet commented on 2021-12-23 07:01:22 UTC

url : hxxp://vm494369.eurodir.ru/g21ntuss.exe