MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6d5ee8b9ce1f9548ff8cd1198fc7934fe3f9f2034d215f406cca14e533670d3d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gootkit

Vendor detections: 7

Intelligence 7 IOCs YARA 3 File information Comments

SHA256 hash:	6d5ee8b9ce1f9548ff8cd1198fc7934fe3f9f2034d215f406cca14e533670d3d
SHA3-384 hash:	3fb8a408783d376ed0164c51316d2b2332414fc46bd2ddcb07906f2ec96ff68164b52de26ddfcb890c213abf992e293b
SHA1 hash:	ea7136e15fc995dcb91639ebce3f4ba57ab9ad17
MD5 hash:	dc2a08c513b1c8a2474c6a99e1ddc626
humanhash:	jupiter-dakota-neptune-diet
File name:	6d5ee8b9ce1f9548ff8cd1198fc7934fe3f9f2034d215f406cca14e533670d3d
Download:	download sample
Signature	Gootkit Create hunting rule
File size:	284'160 bytes
First seen:	2020-11-11 11:19:37 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	b7c6f05963454ae2f440d4ee64cc8d5e (4 x Gootkit)
ssdeep	3072:rbVuDEsNubLasX3MAHCuFMMeWc/+KcfiT1YeGyk2yL6yhlX5MZnIgmQy:+NuisnnxFi+cxYeGyk2yL6yxamQ
Threatray	2 similar samples on MalwareBazaar
TLSH	3F54CF79F5F22C0FC7A3037096AE6B776A5A5F700A06C9821F46D97AD48AD57C8123C8
Reporter	seifreed
Tags:	Gootkit

Intelligence

File Origin

# of uploads :

# of downloads :

1'413

Origin country :

n/a

Vendor Threat Intelligence

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a process with a hidden window

DNS request

Sending a custom TCP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6d5ee8b9ce1f9548ff8cd1198fc7934fe3f9f2034d215f406cca14e533670d3d/

Threat name:

Win32.Ransomware.Cerber

Status:

Malicious

First seen:

2020-11-11 11:23:16 UTC

AV detection:

26 of 29 (89.66%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=nvporoood6kur74m2emy7r4tj7r7t4qdjuqv6qdmzikokm3hbu6q._file

Verdict:

malicious

Gootkit

bc73cd93e40c3f14501d016a393f95d4a481a5a7d2fbbf99a6dc5e2b88156885

Gootkit

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/201111-eg36l7ek7x/

Behaviour

Modifies data under HKEY_USERS

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Drops file in System32 directory

Unpacked files

SH256 hash:

6d5ee8b9ce1f9548ff8cd1198fc7934fe3f9f2034d215f406cca14e533670d3d

MD5 hash:

dc2a08c513b1c8a2474c6a99e1ddc626

SHA1 hash:

ea7136e15fc995dcb91639ebce3f4ba57ab9ad17

Link:

https://www.unpac.me/results/4a4b60e7-031c-459b-8f25-042ad000ee99/

SH256 hash:

ba4b95f77000470c1fba73e11dbd687241a564e7fce67965fc461d770a6301e6

MD5 hash:

990f891f2b1041f57862795a044033f7

SHA1 hash:

7f5520ba39b04957e3e8c88243a24d053e14fef4

Link:

https://www.unpac.me/results/4a4b60e7-031c-459b-8f25-042ad000ee99/

SH256 hash:

5c4ea4bf3fdcfab0a3bd1d80b7cc43ed3136859798f27448d695833f02aa5d14

MD5 hash:

b606b3518156872bc354a467162b6a30

SHA1 hash:

adffca1b9ab3b9742fcd41b5a7d7850a57514fb3

Detections:

win_gootkit_g0

win_gootkit_auto

Link:

https://www.unpac.me/results/4a4b60e7-031c-459b-8f25-042ad000ee99/

Parent samples :

6d5ee8b9ce1f9548ff8cd1198fc7934fe3f9f2034d215f406cca14e533670d3d
adf5232a1643d236bfc7055c70e5fb3e05671e1fc91bc6178bd59163e8cbaad7
435c71d1697fc65aecf34399586a55e217fffb21f1bb694861974de2822be126
0c2e07c74c6579471657b040a6e069e8a9a88d23227a3fb8b18a985cfd2553e7

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_SandboxProductID Create hunting rule
Author:	ditekSHen
Description:	Detects binaries and memory artifcats referencing sandbox product IDs

Rule name:	VMware_detection_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	VMWare detection

Rule name:	win_gootkit_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample