MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6cb53f11cd0977599235f756ad6883050db78dab6936da5113729a61cd93036c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	6cb53f11cd0977599235f756ad6883050db78dab6936da5113729a61cd93036c
SHA3-384 hash:	db1847f67d34e162965b4493a38e9ddb6ff92ed32bcbb78c83195a9e755d5276abbbc9e6ce9b1238e71cfc82c06c8c4d
SHA1 hash:	020d9d391030864ee5edcacf0f419d788874f201
MD5 hash:	a585644a22db39d447d375c8727fd90e
humanhash:	butter-finch-fix-papa
File name:	6cb53f11cd0977599235f756ad6883050db78dab6936da5113729a61cd93036c
Download:	download sample
File size:	1'635'256 bytes
First seen:	2021-03-29 07:08:40 UTC
Last seen:	2021-03-29 07:48:29 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	ba4cc0afb12afe0a3f885ae6696404ed (1 x ArkeiStealer)
ssdeep	24576:qIZg+uicrPO37fzH4A6haDzcUZEIdT9TagtzCNCkyxOQBHk4daI6GPTcRQ:qgkrPO37fzH4A6hanqNCtvBEnI6KAi
Threatray	586 similar samples on MalwareBazaar
TLSH	2575CF22B2A08437D07F1E74DD5FC1855936BD332E28A49736E93F0C1E7568E7A27292
Reporter	JAMESWT_WT
Tags:	LTD SERVICES LIMITED signed

Code Signing Certificate

Organisation:	LTD SERVICES LIMITED
Issuer:	Sectigo RSA Code Signing CA
Algorithm:	sha256WithRSAEncryption
Valid from:	2021-03-18T00:00:00Z
Valid to:	2022-03-18T23:59:59Z
Serial number:	7d36cbb64bc9add17ba71737d3ecceca
Intelligence:	9 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist:	This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:	SHA256
Thumbprint:	05be3171ca7272803d139ca13b16c24a3dd22917b1b8d6d0fd5401e63a79dd27
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

6cb53f11cd0977599235f756ad6883050db78dab6936da5113729a61cd93036c

Verdict:

Suspicious activity

Analysis date:

2021-03-29 07:17:33 UTC

Tags:

installer

Link:

https://app.any.run/tasks/c03885fb-906b-4d07-b4c9-314075752839

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/127475/

Detection(s):

PUA.Win.Packer.PrivateEXEProtector4-6192998-2

Result

Verdict:

Malware

Maliciousness:

Behaviour

Unauthorized injection to a recently created process

Sending a custom TCP request

DNS request

Sending a UDP request

Sending an HTTP GET request to an infection source

Sending an HTTP POST request to an infection source

Unauthorized injection to a system process

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/27069147-5f1d-4951-bb8f-a1f3a062ae01

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/656515

Signature

Allocates memory in foreign processes

Creates a thread in another existing process (thread injection)

Hijacks the control flow in another process

Injects a PE file into a foreign processes

Injects code into the Windows Explorer (explorer.exe)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

PE file has nameless sections

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6cb53f11cd0977599235f756ad6883050db78dab6936da5113729a61cd93036c/

Threat name:

Win32.Trojan.GenCBL

Status:

Malicious

First seen:

2021-03-25 19:23:23 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 28 (71.43%)

Threat level:

5/5

Verdict:

suspicious

0953e54968ca9407a172c0a35a00d8b30ec603770809bbd2901a070e1b83b7f8

3d3095586bf72d6b631e44681654c68707a6f07987b02e367e7d88ac9ddab77c

411e56b415d4c23a741958c3f1ada72b3e958c078d27c339678bb690b7a895c3

4ce173da12efcf686dd4a7fec6678fc6c0e2cae352a3dd327bdfa478c18589e4

7e88f1c425154e6fff6d031aaaa4d8bb4c8ff131e429f44310fd936bfc08b357

92ddc88d7c1bde849c18747f4fcd526c240a81efe9c74ee1dcaa4a72ecc9ac3a

aa9692c1769e25297176b847f4274570c56c4d74f4577608bd036e72d82d5bdb

d0b2bc00645de803a4e9df303539995ee8f781631684b04fe67ee7e01bcf9c21

e3670bfc1db6fb7223bb6b231ef4c3afd9d34de1d8f87b7a8e7a4cb27cfaa37d

+ 576 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

discovery persistence spyware stealer upx

Link:

https://tria.ge/reports/210329-7kn6w2rs2n/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Runs ping.exe

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Drops startup file

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

UPX packed file

Unpacked files

SH256 hash:

ffee418630863c5ba63d37ab65a2617fa8c64f1c5c774e0f2f2c072cab5cb931

MD5 hash:

579b668588c5b873231f697c18aec4d7

SHA1 hash:

d3e322d5b867abed9cc10487e5c14b541b173d65

Link:

https://www.unpac.me/results/84bf478f-8172-4913-9a1b-6ab3ac7097ea/

SH256 hash:

6cb53f11cd0977599235f756ad6883050db78dab6936da5113729a61cd93036c

MD5 hash:

a585644a22db39d447d375c8727fd90e

SHA1 hash:

020d9d391030864ee5edcacf0f419d788874f201

Link:

https://www.unpac.me/results/84bf478f-8172-4913-9a1b-6ab3ac7097ea/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6cb53f11cd0977599235f756ad6883050db78dab6936da5113729a61cd93036c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/127475/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample