MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6c41e394f4f805b8583d8a23bdfaf0b3fac63b61c89ab002a809216e331f69f6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6c41e394f4f805b8583d8a23bdfaf0b3fac63b61c89ab002a809216e331f69f6
SHA3-384 hash: 30525a9486a1dac94d6d4bced169051b61169ae0ce3b16e99c383398c1475a09a3f35b3b8e5da81b4be00f6e184d6c04
SHA1 hash: 496801ed22e571a9e1ae73d494657126de574f5b
MD5 hash: 264e1b1ce10b1404e56273af311e17bf
humanhash: venus-six-massachusetts-high
File name:264e1b1ce10b1404e56273af311e17bf
Download: download sample
File size:434'688 bytes
First seen:2022-09-13 18:45:09 UTC
Last seen:2022-09-13 20:51:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a490e3ca20f57194cb1f4b473b3242c4 (17 x RedLineStealer, 1 x ArkeiStealer)
ssdeep 12288:HmliCyS7w7+bL6fWQBsFmnYeVu+QvWg/Xg6sF:HiihSkU6fWqnYeVuuqgZF
TLSH T12194493EDDC2DF13C410B1B188ABC375F1A9E649775263472448A0BDF70B32E2B5A669
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
343
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://brandmaxhosting.com/10/data64_5.exe
Verdict:
Malicious activity
Analysis date:
2022-09-14 06:29:57 UTC
Tags:
loader
Link:
https://app.any.run/tasks/2a22c756-36c8-485e-b425-e9b0895fbc6f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/309836/
Detection(s):
SecuriteInfo.com.Variant.Mikey.140932.3661.30116.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Creating a file in the Windows subdirectories
Running batch commands
Searching for the window
Creating a process from a recently created file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
mikey packed
Link:
https://www.filescan.io/uploads/6320d0ab11830460749c7d7e/reports/0f60df3a-7473-4ee1-ba55-538bf7fc5f01/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/a53c1145-7561-40cb-8788-8fd628885415
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1069790
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Antivirus / Scanner detection for submitted sample
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 702325 Sample: RJCxYhysYO.exe Startdate: 13/09/2022 Architecture: WINDOWS Score: 80 49 Antivirus / Scanner detection for submitted sample 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 .NET source code contains method to dynamically call methods (often used by packers) 2->53 55 Machine Learning detection for sample 2->55 9 RJCxYhysYO.exe 1 2->9         started        13 Clipper.exe 1 2->13         started        15 Clipper.exe 1 2->15         started        process3 file4 41 C:\Users\user\AppData\...\RJCxYhysYO.exe.log, ASCII 9->41 dropped 57 Contains functionality to inject code into remote processes 9->57 59 Injects a PE file into a foreign processes 9->59 17 RJCxYhysYO.exe 15 4 9->17         started        61 Multi AV Scanner detection for dropped file 13->61 21 conhost.exe 13->21         started        23 conhost.exe 15->23         started        signatures5 process6 dnsIp7 45 cdn.discordapp.com 162.159.130.233, 443, 49720 CLOUDFLARENETUS United States 17->45 39 C:\Windows\Temp\xsv.exe, PE32+ 17->39 dropped 25 cmd.exe 1 17->25         started        27 svchost.exe 17->27         started        29 conhost.exe 17->29         started        file8 process9 process10 31 xsv.exe 1 7 25->31         started        35 conhost.exe 25->35         started        file11 43 C:\Users\user\AppData\Roaming\...\Clipper.exe, PE32+ 31->43 dropped 47 Multi AV Scanner detection for dropped file 31->47 37 conhost.exe 31->37         started        signatures12 process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6c41e394f4f805b8583d8a23bdfaf0b3fac63b61c89ab002a809216e331f69f6/
Threat name:
ByteCode-MSIL.Trojan.Mikey
Create hunting rule
Status:
Malicious
First seen:
2022-09-13 18:46:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nra6hfhu7ac3qwb5rir336xqwp5mmo3bzcnlaavibeqw4my7nh3a._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/220913-xemgqsgdb9/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Downloads MZ/PE file
Executes dropped EXE
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d6057fbe-6198-4d02-8639-b7ff5951de61
Unpacked files
SH256 hash:
11bb034636e1277c40ee6272b5d8478bc42fd0443a4987686461052c68b11c81
MD5 hash:
17fdf18364437fc0166c69da2059a830
SHA1 hash:
01ca006fb1b0c77cca2b3308b60b7d87dc127f3c
Link:
https://www.unpac.me/results/13d8db1c-c7bc-4a43-b124-4efa54f6a2eb/
SH256 hash:
6c41e394f4f805b8583d8a23bdfaf0b3fac63b61c89ab002a809216e331f69f6
MD5 hash:
264e1b1ce10b1404e56273af311e17bf
SHA1 hash:
496801ed22e571a9e1ae73d494657126de574f5b
Link:
https://www.unpac.me/results/13d8db1c-c7bc-4a43-b124-4efa54f6a2eb/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6c41e394f4f805b8583d8a23bdfaf0b3fac63b61c89ab002a809216e331f69f6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 6c41e394f4f805b8583d8a23bdfaf0b3fac63b61c89ab002a809216e331f69f6

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2301799/
Cape
Cape
https://www.capesandbox.com/analysis/309836/

Comments


Avatar
zbet commented on 2022-09-13 18:45:19 UTC

url : hxxp://brandmaxhosting.com/10/data64_5.exe