MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 60fe4a1f0ed577bfa8d10195a3d1123b0a7ab551d3579686ee6ac6bc18282fe5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 60fe4a1f0ed577bfa8d10195a3d1123b0a7ab551d3579686ee6ac6bc18282fe5
SHA3-384 hash: 43e81f4a12664763b33c06729ab877c7215356ecb8208d42140ab0aca4c416eaaa94faade41d137d7f3508dda028a7db
SHA1 hash: 8a49203fa94921fd6eb80710756a1ab6dd917a22
MD5 hash: a9bca0889a464119b345db7b0ecd79a8
humanhash: table-queen-ack-alpha
File name:NoonLight.exe
Download: download sample
File size:32'768 bytes
First seen:2021-05-04 11:30:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 09d0478591d4f788cb3e5ea416c25237 (3 x Blackmoon, 2 x Gh0stRAT, 2 x TeamBot)
ssdeep 384:VmpUto8E6qhIA8ZfiSM+3/marB4djzuf4uFfTlCTZ94GgR01eEe/tfF1XfvgmraJ:wpUt1E/8mS+amkLFRccny45nHguUL
Threatray 5'061 similar samples on MalwareBazaar
TLSH 00E27D563B036817D255C83B8C5287DDA332AF255E133F4E6A583A9A3D360A62F32753
Reporter starsSk87264403
Tags:exe Fakefolder NoonLight

Intelligence

File Origin
# of uploads :
1
# of downloads :
129
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Worm.VB-556
Create hunting rule

PUA.Win.Packer.PECompact-2
Create hunting rule

PUA.Win.Packer.PecompactHeuris-1
Create hunting rule

PUA.Win.Packer.Pecompact-72
Create hunting rule

PUA.Win.Packer.Pecompact-74
Create hunting rule

PUA.Win.Packer.Pecompact-75
Create hunting rule

PUA.Win.Packer.Pecompact-69
Create hunting rule

Legacy.Trojan.Agent-1388588
Create hunting rule

Win.Worm.Rtyqedgab-9841164-0
Create hunting rule

Win.Worm.Agent-956699
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the Windows subdirectories
Creating a file in the %AppData% subdirectories
Creating a file in the Windows directory
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Searching for the window
Creating a file
Creating a file in the Program Files subdirectories
Sending a UDP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Blocking a possibility to launch for the Windows registry editor (regedit.exe)
Changing the Windows explorer settings to hide files extension
Enabling autorun for a service
Creating a file in the mass storage device
Enabling autorun by creating a file
Enabling autorun
Enabling a "Do not show hidden files" option
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
adwa.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/709914
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes the view of files in windows explorer (hidden files and folders)
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Disables the Windows registry editor (regedit)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the startup folder
Drops PE files with a suspicious file extension
Drops PE files with benign system names
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Sigma detected: Drops script at startup location
Sigma detected: System File Execution Location Anomaly
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 403879 Sample: NoonLight.exe Startdate: 04/05/2021 Architecture: WINDOWS Score: 100 68 Antivirus detection for dropped file 2->68 70 Antivirus / Scanner detection for submitted sample 2->70 72 Multi AV Scanner detection for dropped file 2->72 74 9 other signatures 2->74 7 NoonLight.exe 16 27 2->7         started        11 sa-754176.exe 7 2->11         started        13 TuxO53635Z.exe 2->13         started        15 2 other processes 2->15 process3 file4 48 C:\Windows\sa-754176.exe, PE32 7->48 dropped 50 C:\Windows\M24727\smss.exe, PE32 7->50 dropped 52 C:\Windows\M24727\Ja745710bLay.com, PE32 7->52 dropped 62 11 other files (8 malicious) 7->62 dropped 82 Detected unpacking (changes PE section rights) 7->82 84 Creates an undocumented autostart registry key 7->84 86 Changes the view of files in windows explorer (hidden files and folders) 7->86 92 4 other signatures 7->92 17 service.exe 17 137 7->17         started        21 winlogon.exe 1 7 7->21         started        23 EmangEloh.exe 1 7 7->23         started        25 smss.exe 15 8 7->25         started        54 C:\Users\user\AppData\Roaming\...\sql.cmd, PE32 11->54 dropped 56 C:\Users\user\...\sql.cmd:Zone.Identifier, ASCII 11->56 dropped 88 Drops PE files to the startup folder 11->88 27 EmangEloh.exe 11->27         started        32 3 other processes 11->32 64 2 other files (none is malicious) 13->64 dropped 90 Drops executables to the windows directory (C:\Windows) and starts them 13->90 34 4 other processes 13->34 58 C:\Users\user\AppData\...\TuxO53635Z.exe, PE32 15->58 dropped 60 C:\Users\...\TuxO53635Z.exe:Zone.Identifier, ASCII 15->60 dropped 29 EmangEloh.exe 15->29         started        36 3 other processes 15->36 signatures5 process6 dnsIp7 40 Gallery           ...               .scr, PE32 17->40 dropped 42 Windows Vista setu...               .scr, PE32 17->42 dropped 44 Love Song         ...               .scr, PE32 17->44 dropped 46 125 other files (64 malicious) 17->46 dropped 76 Detected unpacking (changes PE section rights) 17->76 78 Drops PE files with a suspicious file extension 17->78 80 Tries to harvest and steal browser information (history, passwords, etc) 17->80 38 conhost.exe 27->38         started        66 192.168.2.1 unknown unknown 29->66 file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/60fe4a1f0ed577bfa8d10195a3d1123b0a7ab551d3579686ee6ac6bc18282fe5/
Threat name:
Win32.Worm.RontoKbro
Create hunting rule
Status:
Malicious
First seen:
2013-08-11 08:12:00 UTC
AV detection:
29 of 29 (100.00%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
08e12f6b9796ad1f47062ea86ec73c496028660f61a9917008cce9004fb1d48b
1a085300939d5afedf7de966fc70593f8abdaefad80639cc2153cb93450e1014
6812d44b05455b4503ffa118b62d3810304f3867b528042985dc6ebc834ebdfc
8939f7bfa3b5c5afeeab65dc9958edda8dd67f0c1e54f75e9205f0eaf3f8adcd
98af60250a9e0cedaa66f04fe39c412bd0007855255547df68f5da46686c9ced
9bebd6b8400a02ec36958c8cf06d3abc659b462d482fca3df8a3a64e42b3e234
a0ef9fcda78c9700644ecd5b7f1088a2d3d69402f143c6d597d163ec8ec8f956
a6ab3a1ec39d3a4c0660bbfdbe8cbbdd89d9278cca176d7bff77d7aab00dd7ed
afc0c4fac5a07e2fedcb05e47c0f45572fe4689b403290c8db833cad34fb1a36
ef0df588a56b4c302ebaa1101c7fbe177eb52d2b0d6e762c8a775a031800bb31
+ 5'051 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence spyware stealer
Link:
https://tria.ge/reports/210504-bs3kz84qha/
Behaviour
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Enumerates connected drives
Checks computer location settings
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Disables RegEdit via registry modification
Executes dropped EXE
Sets file execution options in registry
Modifies WinLogon for persistence
Modifies visibility of file extensions in Explorer
Modifies visiblity of hidden/system files in Explorer
Unpacked files
SH256 hash:
4b8dc3b369a11477ac46fb5bb31e2e4c4a49b548e2f43eede7ddc04416f2dcd7
MD5 hash:
0a18f927d2b101b9f3fe6812fdb06075
SHA1 hash:
8907fb5541709fd500a77d71d8129f1ac71a9ca2
Link:
https://www.unpac.me/results/5b403b14-1461-4e54-892b-28b37c348f35/
SH256 hash:
60fe4a1f0ed577bfa8d10195a3d1123b0a7ab551d3579686ee6ac6bc18282fe5
MD5 hash:
a9bca0889a464119b345db7b0ecd79a8
SHA1 hash:
8a49203fa94921fd6eb80710756a1ab6dd917a22
Link:
https://www.unpac.me/results/5b403b14-1461-4e54-892b-28b37c348f35/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Virut
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/60fe4a1f0ed577bfa8d10195a3d1123b0a7ab551d3579686ee6ac6bc18282fe5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-04 11:59:29 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0009.029] Anti-Behavioral Analysis::Instruction Testing