MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6cf4d60af4e22f92096f64bdc0be0722ba53f589922c1f171c4c4faac0ce711f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6cf4d60af4e22f92096f64bdc0be0722ba53f589922c1f171c4c4faac0ce711f
SHA3-384 hash: 65444741344a39269eb369a3f3a0643cdb69d2ef5739df969fa432c950594f321896a605fc697e4dc12e3279e39540e6
SHA1 hash: c0aa8a511b88c2f5526e103439bec1aa17f06f54
MD5 hash: 7b4cdcad8ab6a42017cd93d9639074ae
humanhash: violet-two-cat-stream
File name:7b4cdcad8ab6a42017cd93d9639074ae
Download: download sample
File size:444'360 bytes
First seen:2021-09-21 09:12:20 UTC
Last seen:2021-09-21 10:17:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 6144:QbzGq1s9LZikWf8aW673B/AbbnF2pScvt3v+fD0DRdlYw0s+kb1NMLSs8h:u1eLZifW673B+HRgDRdSBRi1iLSNh
Threatray 833 similar samples on MalwareBazaar
TLSH T16294DFF09FF5B8A4E026207375A4B13C3BD75E0EDC659879F24BF10A36619C221E5A1B
dhash icon 00414f4f4f4f4700 (14 x CoinMiner, 12 x RedLineStealer, 12 x NodeLoader)
Reporter zbetcheckin
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
147
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://km.popmonster.ru/1056935770.exe
Verdict:
No threats detected
Analysis date:
2021-09-16 01:03:55 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/dbfc3c93-2059-46bc-92bc-02eea7817409

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/189817/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.37591896.32708.22781.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b7556953-3cf4-4e8a-a3cb-bbe9ea29d754
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/854712
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Encrypted powershell cmdline option found
Hides threads from debuggers
Injects a PE file into a foreign processes
May check the online IP address of the machine
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Encoded PowerShell Command Line
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Writes to foreign memory regions
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 487144 Sample: s3WXPhQaz1 Startdate: 21/09/2021 Architecture: WINDOWS Score: 100 70 Multi AV Scanner detection for dropped file 2->70 72 Multi AV Scanner detection for submitted file 2->72 74 Yara detected AntiVM3 2->74 76 6 other signatures 2->76 8 s3WXPhQaz1.exe 6 2->8         started        12 System.exe 2->12         started        process3 file4 44 C:\Users\user\AppData\...\s3WXPhQaz1.exe, PE32+ 8->44 dropped 46 C:\Users\...\s3WXPhQaz1.exe:Zone.Identifier, ASCII 8->46 dropped 48 C:\Users\user\AppData\...\s3WXPhQaz1.exe.log, ASCII 8->48 dropped 86 Encrypted powershell cmdline option found 8->86 88 Writes to foreign memory regions 8->88 90 Modifies the context of a thread in another process (thread injection) 8->90 92 Injects a PE file into a foreign processes 8->92 14 s3WXPhQaz1.exe 38 8->14         started        19 powershell.exe 18 8->19         started        21 powershell.exe 12->21         started        signatures5 process6 dnsIp7 58 iplogger.org 88.99.66.31, 443, 49783, 49784 HETZNER-ASDE Germany 14->58 60 bitbucket.org 104.192.141.1, 443, 49785, 49794 AMAZON-02US United States 14->60 62 3 other IPs or domains 14->62 50 C:\ProgramData\Systemd\SecurityHealth.exe, PE32+ 14->50 dropped 52 C:\ProgramData\Microsoft Network\System.exe, PE32+ 14->52 dropped 54 C:\ProgramData\...\System.exe:Zone.Identifier, ASCII 14->54 dropped 56 2 other files (none is malicious) 14->56 dropped 64 Multi AV Scanner detection for dropped file 14->64 66 May check the online IP address of the machine 14->66 68 Adds a directory exclusion to Windows Defender 14->68 23 SecurityHealth.exe 14->23         started        26 SecurityHealth.exe 14->26         started        28 SecurityHealth.exe 14->28         started        34 15 other processes 14->34 30 conhost.exe 19->30         started        32 conhost.exe 21->32         started        file8 signatures9 process10 signatures11 78 Query firmware table information (likely to detect VMs) 23->78 80 Tries to detect sandboxes and other dynamic analysis tools (window names) 23->80 82 Hides threads from debuggers 23->82 84 Tries to detect sandboxes / dynamic malware analysis system (registry check) 26->84 36 conhost.exe 34->36         started        38 conhost.exe 34->38         started        40 taskkill.exe 34->40         started        42 18 other processes 34->42 process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6cf4d60af4e22f92096f64bdc0be0722ba53f589922c1f171c4c4faac0ce711f/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-16 11:09:10 UTC
AV detection:
16 of 45 (35.56%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
080ee6c068e95db7a776793e167fb4bb9ad0efcb424a400ed3efe697400fc73a
1e1986cb65365d3c0ce892c8d9edb82f813feb643ad06008f600c674238f4d99
4c89265179f2471e24688ac126c541886173be7773617450b0849cb48a5a293d
7c3b5f1493854daf8b8c4c7385b9e3dcb6e4701b97617efbfa85852a47e3fffa
88f1c469317a8dfaf4c6fd17951a7d218e6a98445fa7ec12cb35ef786d1c2b2f
937636dcc1943a63556e24db2fe6e9922d77f2999e4cd747151f70d5def03d4c
9645193a9c27dda91e226282f95aa9f41b71818cfbae43b8e056a77db19655fb
9f270ac39c512c05aeb9e502738dbbc438a6f95596ec041333b7ae7e334e9c2b
f303ccc5cdf05114cedee459d0f66bf3b428e19054e2e3f1f001d945332ab6c0
fce1d9496dbdcf9505069283bf61e825e76a1c99af5258beae9feb0a34385cd7
+ 823 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion themida trojan
Link:
https://tria.ge/reports/210921-k6qx1shad4/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Checks BIOS information in registry
Drops startup file
Loads dropped DLL
Themida packer
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Modifies security service
Unpacked files
SH256 hash:
6cf4d60af4e22f92096f64bdc0be0722ba53f589922c1f171c4c4faac0ce711f
MD5 hash:
7b4cdcad8ab6a42017cd93d9639074ae
SHA1 hash:
c0aa8a511b88c2f5526e103439bec1aa17f06f54
Link:
https://www.unpac.me/results/b2b83c21-24a3-46cc-b412-92155eebd6d5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6cf4d60af4e22f92096f64bdc0be0722ba53f589922c1f171c4c4faac0ce711f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 6cf4d60af4e22f92096f64bdc0be0722ba53f589922c1f171c4c4faac0ce711f

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1638062/
Cape
Cape
https://www.capesandbox.com/analysis/189817/

Comments


Avatar
zbet commented on 2021-09-21 09:12:21 UTC

url : hxxps://km.popmonster.ru/1056935770.exe