MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 63cbb3daa3fbb2b799f43c4a7dda4515e65d6a1c56a3009f69d1d1f783e66847. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 7

SHA256 hash: 63cbb3daa3fbb2b799f43c4a7dda4515e65d6a1c56a3009f69d1d1f783e66847
SHA3-384 hash: 702b4238071df1a5a0566931e02e0fd58ab9d22b489bf38a95cb941cb95b0e85e334f1aaee1e61decee3db3af574e45a
SHA1 hash: 8f6ac85599cfb4e0646b43142490848e8efb8976
MD5 hash: 7e4a050bbced902f8eee873ca6c37ada
humanhash: nineteen-vermont-oregon-steak
File name: 7e4a050bbced902f8eee873ca6c37ada.exe
File size: 1'249'596 bytes
First seen: 2021-03-31 12:50:30 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 130312efe8892496180179ce46d20b79 (7 x NetWire, 2 x DarkComet, 2 x ModiLoader)
ssdeep: 24576:3TQuKl+kq1gYh8KGWuhR1CBY42tvSbLIJ75GH+stTSsjlX7VygJlfM:1wYmKUhF421SbTestTb5VW
Threatray: 84 similar samples on MalwareBazaar
TLSH: 6645236035D08031E56360316CBDD3A1697AB8395B72894FE7C11B7DBF226A3DB2A713
Reporter: abuse_ch
Tags: exe

Intelligence

File Origin
# of uploads: 1
# of downloads: 92
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: https://cdn.discordapp.com/attachments/826198252025675816/826537386485612574/china.png
Verdict: Malicious activity
Analysis date: 2021-03-31 11:26:28 UTC
Tags: evasion trojan rat asyncrat stealer raccoon loader

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Searching for the window
Launching a process
Launching cmd.exe command interpreter
Creating a process with a hidden window
Creating a file in the %temp% directory
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Creating a file
Sending a UDP request
Launching a tool to kill processes
Result
Verdict: MALICIOUS

Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: n/a
Score: 64 / 100
Signature
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: MSHTA Spawning Windows Shell
Behaviour
Behavior Graph (ID 379134; sample KVd6Mh6PhH.exe; start date 31/03/2021; architecture WINDOWS; score 64)
Signatures shown on the graph: Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; Machine Learning detection for dropped file; Sigma detected: MSHTA Spawning Windows Shell
Process tree recovered from the graph:
KVd6Mh6PhH.exe
  -> mshta.exe
     -> cmd.exe (drops C:\Users\user\AppData\...\eNQbcs1Lwra.exe, PE32)
        -> eNQbcs1Lwra.exe (drops C:\Users\user\AppData\Local\...\fTVodscm.Bpx, PE32; Multi AV Scanner detection for dropped file)
           -> mshta.exe
              -> cmd.exe
                 -> conhost.exe
           -> regsvr32.exe
        -> taskkill.exe
        -> conhost.exe
Threat name: Win32.Trojan.Runner
Status: Malicious
First seen: 2021-03-31 05:53:23 UTC
AV detection: 9 of 29 (31.03%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
Kills process with taskkill
Modifies Internet Explorer settings
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Loads dropped DLL
Executes dropped EXE
Unpacked files
SHA256 hash: 63cbb3daa3fbb2b799f43c4a7dda4515e65d6a1c56a3009f69d1d1f783e66847
MD5 hash: 7e4a050bbced902f8eee873ca6c37ada
SHA1 hash: 8f6ac85599cfb4e0646b43142490848e8efb8976
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Executable exe 63cbb3daa3fbb2b799f43c4a7dda4515e65d6a1c56a3009f69d1d1f783e66847 (this sample)

Delivery method
Distributed via web download