MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 640fee8437e46c9ccd7ffa3b170e2bde1b5f1bcf4b13fdb5a7c67098814ff0cb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 640fee8437e46c9ccd7ffa3b170e2bde1b5f1bcf4b13fdb5a7c67098814ff0cb
SHA3-384 hash: 530280066a5cf65c2de6f30dbba4b409eff70007c6a2ae1c47526f38ca001a4d5eb4442379ec872784069c80867c5198
SHA1 hash: a5dfba440ac7a220d9b37992965dce7fec37cc9d
MD5 hash: 18e3a07538404565935f2a3b47de7c19
humanhash: carpet-november-magnesium-london
File name:Enquiry Number TRD-ENQ-54-1204-25-SIS.pif
Download: download sample
File size:622'080 bytes
First seen:2021-12-16 10:49:13 UTC
Last seen:2021-12-16 13:09:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 818fefd508faa2dba213d5a222554a22 (3 x RemcosRAT)
ssdeep 12288:pr979FvACpZmNFHYVidVqxql53FgXJrmv+3R+Z+on1PRlR:lp92CpZmNFHYVidVqA5VgXEv+BCx1PHR
TLSH T1DED48E32F7A08837C123157DAD1B92AC68397E793D24D8477BE52D4C6F38683782A257
File icon (PE):PE icon
dhash icon 63111616171ff7ee (6 x RemcosRAT, 4 x Formbook, 1 x ModiLoader)
Reporter pr0xylife
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
150
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/214569/
Detection(s):
SecuriteInfo.com.Trojan.Siggen16.8020.2190.25399.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
DNS request
Sending an HTTP GET request
Creating a file
Unauthorized injection to a recently created process
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Running batch commands
Creating a file in the %temp% directory
Launching a process
Launching the process to change network settings
Searching for synchronization primitives
Creating a process with a hidden window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/2251/overview
Behaviour
MalwareBazaar
CheckScreenResolution
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
keylogger packed
Link:
https://www.filescan.io/uploads/61bb19e06daa353fa3b50c9b/reports/c6588ead-fa36-4538-ad2c-444d07ff64e2/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/9c824a23-d1a2-4264-b662-c433f196c662
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/908461
Signature
Drops PE files to the user root directory
Found many strings related to Crypto-Wallets (likely being stolen)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Self deletion via cmd delete
Sigma detected: Capture Wi-Fi password
Sigma detected: Koadic Execution
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to steal Mail credentials (via file / registry access)
Uses known network protocols on non-standard ports
Uses netsh to modify the Windows network and firewall settings
Uses ping.exe to check the status of other devices and networks
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 540935 Sample: Enquiry Number TRD-ENQ-54-1... Startdate: 16/12/2021 Architecture: WINDOWS Score: 100 65 Sigma detected: Capture Wi-Fi password 2->65 67 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->67 69 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 2->69 71 9 other signatures 2->71 8 Enquiry Number TRD-ENQ-54-1204-25-SIS.exe 1 18 2->8         started        13 Ryjflyxb.exe 13 2->13         started        15 Ryjflyxb.exe 15 2->15         started        process3 dnsIp4 59 www.serverage.com 58.82.194.128, 49745, 49746, 49765 CLINK-AS-APCommuniLinkInternetLimitedHK Hong Kong 8->59 49 C:\Users\user\Ryjflyxb.exe, PE32 8->49 dropped 51 C:\Users\user\Ryjflyxb.exe:Zone.Identifier, ASCII 8->51 dropped 89 Injects a PE file into a foreign processes 8->89 17 Enquiry Number TRD-ENQ-54-1204-25-SIS.exe 15 4 8->17         started        91 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 13->91 93 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 13->93 95 Tries to harvest and steal WLAN passwords 13->95 97 Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes) 13->97 21 Ryjflyxb.exe 13->21         started        61 192.168.2.1 unknown unknown 15->61 file5 signatures6 process7 dnsIp8 53 142.11.241.69, 49762, 49767, 49777 HOSTWINDSUS United States 17->53 55 4.179.10.0.in-addr.arpa 17->55 73 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 17->73 75 Tries to steal Mail credentials (via file / registry access) 17->75 77 Self deletion via cmd delete 17->77 23 cmd.exe 1 17->23         started        26 cmd.exe 1 17->26         started        28 cmd.exe 17->28         started        57 4.179.10.0.in-addr.arpa 21->57 79 Tries to harvest and steal browser information (history, passwords, etc) 21->79 81 Tries to harvest and steal WLAN passwords 21->81 signatures9 process10 signatures11 83 Uses ping.exe to check the status of other devices and networks 23->83 85 Uses netsh to modify the Windows network and firewall settings 23->85 87 Tries to harvest and steal WLAN passwords 23->87 30 netsh.exe 3 23->30         started        32 conhost.exe 23->32         started        34 chcp.com 1 23->34         started        36 netsh.exe 3 26->36         started        38 conhost.exe 26->38         started        40 findstr.exe 1 26->40         started        42 chcp.com 1 26->42         started        44 PING.EXE 28->44         started        47 2 other processes 28->47 process12 dnsIp13 63 127.0.0.1 unknown unknown 44->63
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/640fee8437e46c9ccd7ffa3b170e2bde1b5f1bcf4b13fdb5a7c67098814ff0cb/
Threat name:
Win32.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2021-12-16 10:50:13 UTC
File Type:
PE (Exe)
Extracted files:
46
AV detection:
20 of 27 (74.07%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mqh65bbx4rwjztl77i5rodrl3ynv6g6pjmj73nnhyzyjrakp6dfq._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
collection discovery persistence spyware stealer
Link:
https://tria.ge/reports/211216-mw9y9acfbn/
Behaviour
Checks processor information in registry
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks installed software on the system
Deletes itself
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
1b7543f01e0905aad968e37baccbf702cac518496b11deecc3512c205df0dbe6
MD5 hash:
355d5d8a066c9b9296e54b6bbfa25412
SHA1 hash:
839eb5cc659aec1f09779ae374aa941bcb622b66
Detections:
win_temple_loader_w0
Create hunting rule
Link:
https://www.unpac.me/results/2484d69b-f840-45f4-a435-e8b83c8c680a/
Parent samples :
ed1d279d93f8882f951b4e4a072ca919b5d9b42b8f83da74c8ad2ceb4cf0f634
c7a89255767729cc8f5dbd610779baac706af799ccbb1a4945c55a77632e671c
af2a8024939f13bee37b6d3a35aa5df93e2a6b11cede4bea19493c4d704b050f
78900ed7307ae31ad9b74204fd8e4798b01a6b7bc593e70d4a7aaab7ab1b2b95
9936a6bda8c332e2aec071444db5f68e1b34745412158cad8394ceb3c80d36ee
016995a4b65533b314b70ebab42fb3c6dee830dff7a7261080f6e743da562b9a
34c093aa616e9e574f2ae88bc1fe3dd818200b0586ed20945147a7fb6848dfd8
8c9f7973d30b69a406f5169bf847212c11d275a96b348137c447cea3089a58a9
f6d0fdcf620ebd3b483c6dd7e9bc7bea2f9acca8d34eb7b84ebaf457671fd758
9e1f83813953f38ebc2e39ec795b85cc808e6f5cb36ea8b3a25e7eddb3cf429b
db5b52f3949ca7cb29e009535f1d2021b0f24b4e114717a20e86869abae48850
9a63e8c9e7bfb45eb903482e3ba9ed3f3d64db90b62f13355dff1a5ed5d2376d
c3e06052cbfbbf225d9d3052bb3478e1c72111d4cb18240806f32f517be86b3f
baccd3d2cd02286e08b6739dfc786f67bd64b5da6bfca6ba93ddf21f8e9d8359
9685ed86f91fd0a3c20c5badbf361475fa0316f365a35d352e8e1caff333890f
309ca816bed485731d7702c80339e6b5d209618888ea92a972a7189ed1102518
34fcac5d4cf2062249f369fda6ae1932ac41655890da91f02bc304afe3706e86
a78e89ef2769dd705ce27a6b5876ca2fdc5a5aa078ff9a4d86f186d4bb6edce8
85dca30464e5d239a82140c6611e7d9d2e4e8a7400c869c36c3c4999a0b221dc
2cbccb76adf567a82d9d6fcbf7a6c02bce157e1870df149af7391b20b9fdc672
1fc74504d626223335f39e10435bd3366bc5533619e8e7713e2a48eadd4dc26a
7cf3410e13c13eb9cdfb1fa3df95f643bfbf7b55f5de595353205b4c44b84c5d
4afefb73e99678c987858f79095a203a3df18eeeb0fe7b59571325613f4a3dd1
10f5584682c3f5d54ba1e3afd68822c81e8234531c8b1a41e11774b980915c72
b59a94fa3d43aaa64ce137a035dc166ff2226e9113decc5b24b120f0309a6c7d
b7a6d7f4d15e42eb71836dc7372f48654462c7752d015513232346f0af92f81e
1bc95ae62d31b8b9c4a34c80049f693cb31199e768af6ac4a33fe082b34209a7
8b94dbe71305cc3e5a3963757e03e6344402b9f7babb373df3d80a90e0e4d1e2
9e303489b6a886ee967ace328a26749db9664604ab638e544e260918044b21de
47576aba2a25e4b969ccd69eec27646901c41aa4d9efd6127aac9c5016568048
640fee8437e46c9ccd7ffa3b170e2bde1b5f1bcf4b13fdb5a7c67098814ff0cb
e3c4caeafd8e19662239571bd3eee795d2ffb003953ce5eb06026a1be72b32e0
be518dfc7bbd3b6b298897a86dde6242a186f613e9930f2c49f6704de37ac4a3
a90bba267082093022d3ed1685f7a9e91a2f1d384f85dc2883caecd4fd3eb505
ed063e69d7a5b6e0d14d81df38a1ec039788191dea6bd072aa573bfa90594899
764b532b622894b7ec4590c2868e0a3e0b9e58eca72251b012c6ae4c5639971f
3a7a42d1cb828cdb0f1ea382a8859052b7862414cdb3a5e2d623e922d4d00485
0fc54d55d3cb27bf5ec3c09325478deeebc49ff858fd7f413a62fb949b7a9666
2240e1501c44abd572464704dbeab4984f8d9d6811a2401b831a6255f03e6587
ef50c5943a01eb155acc81b7a4de6749ec5e438666bedc6be95f42ad92bb7c36
a3c386096f6c478045ba6190d68a6591322ec9d4e480b900d3e7ef88e1622751
SH256 hash:
640fee8437e46c9ccd7ffa3b170e2bde1b5f1bcf4b13fdb5a7c67098814ff0cb
MD5 hash:
18e3a07538404565935f2a3b47de7c19
SHA1 hash:
a5dfba440ac7a220d9b37992965dce7fec37cc9d
Link:
https://www.unpac.me/results/2484d69b-f840-45f4-a435-e8b83c8c680a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/640fee8437e46c9ccd7ffa3b170e2bde1b5f1bcf4b13fdb5a7c67098814ff0cb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/214569/

Comments