MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 60e93179fdc24865d5d06c00a6280a224263def03b1d9b081b0edf972ed95ad1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 60e93179fdc24865d5d06c00a6280a224263def03b1d9b081b0edf972ed95ad1
SHA3-384 hash: 00e801b1acbd0fdb9b94fe10f843c65b132dc220015edc0a2d86be816a4dc6af85a992fd7f8d8defc9982270f9b0353b
SHA1 hash: 7452326f93c8dc33695dee74e092aabcac462f3b
MD5 hash: 0b4ab2b8547d9d49b35788f9da74b439
humanhash: stairway-south-robert-carolina
File name:0b4ab2b8547d9d49b35788f9da74b439.exe
Download: download sample
File size:5'165'568 bytes
First seen:2021-06-03 12:47:46 UTC
Last seen:2021-06-03 13:40:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 98304:QbhaIUK+MXPKHfawHXOQTC6gVqAUqxmxlc9c5Pt+Lw1nGosyPS8b3nH0qnQYmrjw:QUIN+6KHfaqUVNfmQe5Pt+Lwa6XHDGrM
Threatray 135 similar samples on MalwareBazaar
TLSH 45362271B22B6DD2E1CD89353F9E932D1BC68AF595E82B6200813010A77F227BD671DD
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
115
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0b4ab2b8547d9d49b35788f9da74b439.exe
Verdict:
No threats detected
Analysis date:
2021-06-03 12:52:45 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4ac5b0a7-dc09-408c-aad5-0404edcf2d12

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/164401/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/796672
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for dropped file
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 429070 Sample: N5ug1jDzLV.exe Startdate: 03/06/2021 Architecture: WINDOWS Score: 100 68 Multi AV Scanner detection for submitted file 2->68 70 .NET source code contains potential unpacker 2->70 72 Machine Learning detection for sample 2->72 74 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 2->74 10 N5ug1jDzLV.exe 1 6 2->10         started        14 InstallAgent.exe 3 2->14         started        16 InstallAgent.exe 2->16         started        process3 file4 52 C:\Users\user\AppData\...\InstallAgent.exe, PE32+ 10->52 dropped 54 C:\Users\user\AppData\...545ug1jDzLV.exe, PE32+ 10->54 dropped 56 C:\Users\...\InstallAgent.exe:Zone.Identifier, ASCII 10->56 dropped 62 2 other malicious files 10->62 dropped 80 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 10->80 82 Writes to foreign memory regions 10->82 84 Allocates memory in foreign processes 10->84 86 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 10->86 18 N5ug1jDzLV.exe 2 10->18         started        58 C:\Users\user\AppData\...\InstallAgent.exe, PE32+ 14->58 dropped 60 C:\Users\...\InstallAgent.exe:Zone.Identifier, ASCII 14->60 dropped 88 Multi AV Scanner detection for dropped file 14->88 90 Machine Learning detection for dropped file 14->90 92 Modifies the context of a thread in another process (thread injection) 14->92 21 InstallAgent.exe 1 14->21         started        94 Injects a PE file into a foreign processes 16->94 23 InstallAgent.exe 16->23         started        signatures5 process6 dnsIp7 76 Multi AV Scanner detection for dropped file 18->76 78 Machine Learning detection for dropped file 18->78 27 Roamingcliconfg.exe 1 18->27         started        30 WerFault.exe 20 9 18->30         started        66 192.168.2.1 unknown unknown 23->66 50 C:\Users\user\AppData\Roamingcliconfg.exe, PE32+ 23->50 dropped 33 Roamingcliconfg.exe 23->33         started        35 WerFault.exe 23->35         started        37 WerFault.exe 23->37         started        file8 signatures9 process10 file11 96 Antivirus detection for dropped file 27->96 98 Multi AV Scanner detection for dropped file 27->98 100 Hides threads from debuggers 27->100 39 conhost.exe 27->39         started        64 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 30->64 dropped 41 conhost.exe 33->41         started        signatures12 process13 process14 43 Roamingcliconfg.exe 39->43         started        46 WerFault.exe 39->46         started        signatures15 102 Hides threads from debuggers 43->102 48 conhost.exe 43->48         started        process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/60e93179fdc24865d5d06c00a6280a224263def03b1d9b081b0edf972ed95ad1/
Threat name:
ByteCode-MSIL.Downloader.Seraph
Create hunting rule
Status:
Malicious
First seen:
2021-05-29 06:30:45 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
41
AV detection:
19 of 29 (65.52%)
Threat level:
  3/5
Verdict:
unknown
Similar samples:
0718648927fe37ba115ab36d5f869bcefb6b274cce2a79e6715961a0bd136237
238b35ec58e7e0da2a84223bbac72df3ad69bbb4b1fe473a6095fccddcebf7fc
32a029c9eeef1d1b39d8ff5c7e11d6c67de049c2d0f5270b14372eae061d41e6
555ef005b76db7d2c8bcd3364b02c0f282fbd5cf1da87524e2f2160a6ff7d642
8906b9ddd4d91aa4090b8895777a3f771a01ca4600228c2deb366b7c25a0ee21
8bb7375d1d8c2236d2a43e413209831ab50f8599eabdc906143ba7742425fb0c
9f59c8c1edf06b3107a9c0bf70130431320d31a00e887bd3eb736433bb9f6acc
b2f7371dbc4fb27739f11a5fbf9aa878f118d1f8659025422bc614e7c5b60ff6
c3bf2dd2d53f2ac2dcf5e59aa8d234efdf24fb7f5eca9e2a9cb1a4536979bed4
ed88adb1fab6005e7c44cb02346bd417aa47a32b0e14ec5c117156dadd37bc79
+ 125 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
persistence
Link:
https://tria.ge/reports/210603-xb47nb5w2j/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Unpacked files
SH256 hash:
60e93179fdc24865d5d06c00a6280a224263def03b1d9b081b0edf972ed95ad1
MD5 hash:
0b4ab2b8547d9d49b35788f9da74b439
SHA1 hash:
7452326f93c8dc33695dee74e092aabcac462f3b
Link:
https://www.unpac.me/results/d4c11ab4-e7cd-4192-9b0b-b9663b507d17/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.49
Link:
https://yomi.yoroi.company/submissions/60e93179fdc24865d5d06c00a6280a224263def03b1d9b081b0edf972ed95ad1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 60e93179fdc24865d5d06c00a6280a224263def03b1d9b081b0edf972ed95ad1

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1319368/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/164401/

Comments