MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 68be2ba319d445f1a1d7da73d9ad26b894f55f85f1b943ab5b5251ddfc0bc439. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 68be2ba319d445f1a1d7da73d9ad26b894f55f85f1b943ab5b5251ddfc0bc439
SHA3-384 hash: 1dbc571862af43b0d5ae09e06268f864853feb81a4154a20020a079f8eac46d55e4efb947243a333ca49b832bb020bf3
SHA1 hash: a766d7dd2055edb485d72f1f5319e9b2492b1d96
MD5 hash: 1c1d7bf3ad926f3cdf0befbc5205a1fe
humanhash: coffee-double-bulldog-mobile
File name:68be2ba31.exe
Download: download sample
File size:147'456 bytes
First seen:2020-11-20 01:48:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 64b65c597a044869e9c42044ca565b46 (1 x Formbook)
ssdeep 3072:PdwVuKQ/cRRUaA4EHEHaFm1vy7GMTubxHLRdJvPK7Ci3DrMCzzzY0iv/mcs/Hp3:iVQURvrrx1voubxhi0CLjikHp3
Threatray 1 similar samples on MalwareBazaar
TLSH 9EE38E01B6D1C471F576183169B4EAB6AA3EF8B01B1498FF2784876A0F247C29E31D67
Reporter James_inthe_box
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
93
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Sending a UDP request
Launching a process
Creating a window
Using the Windows Management Instrumentation requests
Connection attempt
Sending an HTTP POST request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Base64 Encoded Powershell Directives
Detected one or more base64 encoded Powershell directives.
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/543728
Signature
Antivirus / Scanner detection for submitted sample
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 320960 Sample: 68be2ba31.exe Startdate: 20/11/2020 Architecture: WINDOWS Score: 84 60 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->60 62 Antivirus / Scanner detection for submitted sample 2->62 64 Multi AV Scanner detection for submitted file 2->64 66 Machine Learning detection for sample 2->66 14 68be2ba31.exe 2->14         started        process3 signatures4 80 Contains functionality to inject code into remote processes 14->80 82 Injects a PE file into a foreign processes 14->82 17 68be2ba31.exe 14->17         started        19 68be2ba31.exe 14->19         started        process5 signatures6 22 68be2ba31.exe 17->22         started        68 Maps a DLL or memory area into another process 19->68 24 explorer.exe 19->24         started        process7 signatures8 27 68be2ba31.exe 22->27         started        72 Contains functionality to register a low level keyboard hook 24->72 process9 signatures10 78 Injects a PE file into a foreign processes 27->78 30 68be2ba31.exe 27->30         started        32 68be2ba31.exe 27->32         started        process11 signatures12 35 68be2ba31.exe 30->35         started        56 Maps a DLL or memory area into another process 32->56 37 explorer.exe 32->37         started        process13 process14 39 68be2ba31.exe 35->39         started        signatures15 70 Injects a PE file into a foreign processes 39->70 42 68be2ba31.exe 39->42         started        45 68be2ba31.exe 39->45         started        process16 signatures17 74 Injects a PE file into a foreign processes 42->74 47 68be2ba31.exe 42->47         started        49 68be2ba31.exe 42->49         started        76 Maps a DLL or memory area into another process 45->76 52 explorer.exe 45->52         started        process18 signatures19 58 Maps a DLL or memory area into another process 49->58 54 explorer.exe 49->54         started        process20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/68be2ba319d445f1a1d7da73d9ad26b894f55f85f1b943ab5b5251ddfc0bc439/
Threat name:
Win32.Trojan.MintZard
Create hunting rule
Status:
Malicious
First seen:
2020-11-12 18:44:22 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
1bf6e25f5655dd96b13058e02e864b038a96cb2ddfb805c551b3df33c5782dae
Result
Malware family:
n/a
Score:
  6/10
Tags:
persistence
Link:
https://tria.ge/reports/201120-4tlxsxj57s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Unpacked files
SH256 hash:
68be2ba319d445f1a1d7da73d9ad26b894f55f85f1b943ab5b5251ddfc0bc439
MD5 hash:
1c1d7bf3ad926f3cdf0befbc5205a1fe
SHA1 hash:
a766d7dd2055edb485d72f1f5319e9b2492b1d96
Link:
https://www.unpac.me/results/4912e440-aa8c-4966-a696-770b2c152a90/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/68be2ba319d445f1a1d7da73d9ad26b894f55f85f1b943ab5b5251ddfc0bc439

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Base64_Encoded_Powershell_Directives
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments