MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6a9b454b620677ea11f4f69156969468b0f43ebdfe27dabfb0cf16572f9379eb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments

SHA256 hash: 6a9b454b620677ea11f4f69156969468b0f43ebdfe27dabfb0cf16572f9379eb
SHA3-384 hash: 2a33d4eb8ef1ac344a31f9bd7d5ac27e32d2d411b5a85c7564095a6298fceca3f139bdc5fcc6d8f18e186af9c9d2587a
SHA1 hash: 6d1eb3583826aa70f437aba38beee8b787c2da7f
MD5 hash: 1b59fc1a89c1bc88ea4e1b26da579120
humanhash: apart-sad-lithium-bacon
File name:1b59fc1a89c1bc88ea4e1b26da579120.exe
Download: download sample
Signature n/a
File size:4'882'440 bytes
First seen:2021-03-07 07:38:19 UTC
Last seen:2021-03-07 09:32:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 67715e556e3a78ea78c756db800102a3
ssdeep 98304:+PyrN2onLMeaojsO6QlbaRof/myjtFjhr/LS:+6hV4eDQO6QlWRoWyjt5hrG
Threatray 15 similar samples on MalwareBazaar
TLSH 603601E55100301BD6A3CDB6E53354112DE8DD0FEEABC0EA7185B4E9777B0412ABEE0A
Reporter @abuse_ch
Tags:exe

Intelligence


File Origin
# of uploads :
2
# of downloads :
174
Origin country :
US US
Mail intelligence
No data
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
DNS request
Creating a window
Connection attempt
Sending an HTTP POST request
Deleting a recently created file
Adding a root certificate
Sending a UDP request
Creating a process from a recently created file
Running batch commands
Creating a file in the Windows subdirectories
Creating a file
Reading critical registry keys
Changing a file
Moving a recently created file
Replacing files
Creating a file in the %AppData% subdirectories
Creating a file in the %AppData% directory
Using the Windows Management Instrumentation requests
Searching for the window
Sending an HTTP GET request
Unauthorized injection to a recently created process
Stealing user critical data
Unauthorized injection to a recently created process by context flags manipulation
Launching a tool to kill processes
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
bank.troj.spyw.evad
Score:
90 / 100
Signature
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to detect sleep reduction / modifications
Contains functionality to infect the boot sector
Detected unpacking (creates a PE file in dynamic memory)
Hides threads from debuggers
Installs new ROOT certificates
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Registers a new ROOT certificate
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Behaviour
Behavior Graph:
behaviorgraph top1 signatures2 2 Behavior Graph ID: 364295 Sample: IpB8f8qwze.exe Startdate: 07/03/2021 Architecture: WINDOWS Score: 90 106 Multi AV Scanner detection for domain / URL 2->106 108 Malicious sample detected (through community Yara rule) 2->108 110 Multi AV Scanner detection for submitted file 2->110 112 3 other signatures 2->112 8 IpB8f8qwze.exe 1 3 2->8         started        13 msiexec.exe 2->13         started        process3 dnsIp4 72 9a3a97f6f45f2c2b.com 104.21.6.78, 49719, 49722, 49725 CLOUDFLARENETUS United States 8->72 74 c41676c07a61a961.com 8->74 76 a36e971e03d9cbf8.com 8->76 68 C:\Users\user\...\83C12B0D0FA88B10.exe, PE32 8->68 dropped 70 C:\...\83C12B0D0FA88B10.exe:Zone.Identifier, ASCII 8->70 dropped 114 Installs new ROOT certificates 8->114 116 Contains functionality to infect the boot sector 8->116 118 Registers a new ROOT certificate 8->118 120 3 other signatures 8->120 15 83C12B0D0FA88B10.exe 26 8->15         started        20 83C12B0D0FA88B10.exe 1 15 8->20         started        22 cmd.exe 1 8->22         started        24 msiexec.exe 4 8->24         started        file5 signatures6 process7 dnsIp8 80 c41676c07a61a961.com 15->80 82 a36e971e03d9cbf8.com 15->82 92 5 other IPs or domains 15->92 54 C:\Users\user\AppData\...\1615173766196.exe, PE32 15->54 dropped 56 C:\Users\user\AppData\Local\Temp\xldl.dll, PE32 15->56 dropped 58 C:\Users\user\AppData\Local\...\zlib1.dll, PE32 15->58 dropped 66 7 other files (none is malicious) 15->66 dropped 94 Multi AV Scanner detection for dropped file 15->94 96 Detected unpacking (creates a PE file in dynamic memory) 15->96 98 Contains functionality to infect the boot sector 15->98 100 Contains functionality to detect sleep reduction / modifications 15->100 26 cmd.exe 15->26         started        29 1615173766196.exe 2 15->29         started        31 ThunderFW.exe 2 15->31         started        84 c41676c07a61a961.com 20->84 86 a36e971e03d9cbf8.com 20->86 88 9a3a97f6f45f2c2b.com 20->88 60 C:\Users\user\AppData\...\Secure Preferences, UTF-8 20->60 dropped 62 C:\Users\user\AppData\Local\...\Preferences, ASCII 20->62 dropped 102 Tries to harvest and steal browser information (history, passwords, etc) 20->102 33 cmd.exe 1 20->33         started        35 cmd.exe 1 20->35         started        90 127.0.0.1 unknown unknown 22->90 104 Uses ping.exe to sleep 22->104 37 conhost.exe 22->37         started        39 PING.EXE 1 22->39         started        64 C:\Users\user\AppData\Local\...\MSI75EE.tmp, PE32 24->64 dropped file9 signatures10 process11 signatures12 41 conhost.exe 26->41         started        43 PING.EXE 26->43         started        122 Uses ping.exe to sleep 33->122 45 PING.EXE 1 33->45         started        48 conhost.exe 33->48         started        50 taskkill.exe 1 35->50         started        52 conhost.exe 35->52         started        process13 dnsIp14 78 192.168.2.1 unknown unknown 45->78
Threat name:
Win32.Trojan.Phonzy
Status:
Malicious
First seen:
2021-03-07 07:39:06 UTC
AV detection:
17 of 45 (37.78%)
Threat level:
  5/5
Result
Malware family:
smokeloader
Score:
  10/10
Tags:
family:plugx family:smokeloader backdoor bootkit discovery macro persistence spyware trojan xlm
Behaviour
Checks SCSI registry key(s)
Kills process with taskkill
Modifies Internet Explorer settings
Modifies registry class
Modifies system certificate store
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Writes to the Master Boot Record (MBR)
Checks computer location settings
Deletes itself
Loads dropped DLL
Modifies file permissions
Reads user/profile data of web browsers
Executes dropped EXE
Suspicious Office macro
Nirsoft
PlugX
SmokeLoader
Malware Config
C2 Extraction:
http://naritouzina.net/
http://nukaraguasleep.net/
http://notfortuaj.net/
http://natuturalistic.net/
http://zaniolofusa.net/
Unpacked files
SH256 hash:
c948f55d1fb5f492e726ce561a1836a37840e86d2b3f90050e496dde27b49615
MD5 hash:
48f3e1d2fd8e2faac7b559ae2b5f12aa
SHA1 hash:
b4df98c7efb29eda52e6d90f2c39ae5d97b48dad
SH256 hash:
e2e6b657d2f6567f4e83aba7189f45035720ba830caad112e8d62df6d80b1a65
MD5 hash:
24623ff236deb3cc1909fd35f85cf94f
SHA1 hash:
30ba737f7492c192ade04248e34552dd0bf2bb03
SH256 hash:
55830708fff87877f0a0a901342dbac35842fb6481dffb8e7d7e74de80792c5a
MD5 hash:
7545bd5623e363791d1b039b2123b5b8
SHA1 hash:
fcd1d9889113fe0c86a5b8c60bce90261e0d0936
SH256 hash:
6c483cbe349863c7dcf6f8cb7334e7d28c299e7d5aa063297ea2f62352f6bdd9
MD5 hash:
a94dc60a90efd7a35c36d971e3ee7470
SHA1 hash:
f936f612bc779e4ba067f77514b68c329180a380
SH256 hash:
66b2acfb5c526c869a68649d96eb90495226a0c46855a0296f74ce1dae8e966e
MD5 hash:
1e14873c6f50d5094f5aa6f4a3a8e9a1
SHA1 hash:
91a91dea091e3f0ac7ce61cd0cfa1ced98da0846
SH256 hash:
c5546c63e9f72c415143ac85cf32bf48eb9ff8269465282c792f2b17cad59a65
MD5 hash:
3b01e45b211d498bd3745b5e63fd1776
SHA1 hash:
8d80d01e54a1161f04d007b6f6ee36d22450f8b4
SH256 hash:
c4d4339df314a27ff75a38967b7569d9962337b8d4cd4b0db3aba5ff72b2bfbb
MD5 hash:
ca2f560921b7b8be1cf555a5a18d54c3
SHA1 hash:
432dbcf54b6f1142058b413a9d52668a2bde011d
SH256 hash:
bd29d2b1f930e4b660adf71606d1b9634188b7160a704a8d140cadafb46e1e56
MD5 hash:
89f6488524eaa3e5a66c5f34f3b92405
SHA1 hash:
330f9f6da03ae96dfa77dd92aae9a294ead9c7f7
SH256 hash:
a68e1297fae2bcf854b47ffa444f490353028de1fa2ca713b6cf6cc5aa22b88a
MD5 hash:
79cb6457c81ada9eb7f2087ce799aaa7
SHA1 hash:
322ddde439d9254182f5945be8d97e9d897561ae
SH256 hash:
b00af7b84651725bc4b2ac9a05f78a1913869d09563b20f56fb1536dbeef35d8
MD5 hash:
4f01d45a598ba53a2820bff6ff8e16be
SHA1 hash:
08c72e664d1594a9bc02417e2a01c61b0b876397
SH256 hash:
809aab5eace34dfbfb2b3d45462d42b34fcb95b415201d0d625414b56e437444
MD5 hash:
84878b1a26f8544bda4e069320ad8e7d
SHA1 hash:
51c6ee244f5f2fa35b563bffb91e37da848a759c
SH256 hash:
6a9b454b620677ea11f4f69156969468b0f43ebdfe27dabfb0cf16572f9379eb
MD5 hash:
1b59fc1a89c1bc88ea4e1b26da579120
SHA1 hash:
6d1eb3583826aa70f437aba38beee8b787c2da7f

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments