MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6fb303dd8ba36381948127d44bd8541e4a1ab8af07b46526ace08458f2498850. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 12

SHA256 hash: 6fb303dd8ba36381948127d44bd8541e4a1ab8af07b46526ace08458f2498850
SHA3-384 hash: c483d003a7b08a7387fd448476c01a2b20edab831112d6dad4c3a66bfe5d915635c76f43dad370d4dcc9b55be6bffb5f
SHA1 hash: b7840242393013f2c4c136ac7407e332be075702
MD5 hash: 928e37519022745490d1af1ce6f336f7
humanhash: six-enemy-quiet-whiskey
File name: TestingIndoa.bin
File size: 12'056'150 bytes
First seen: 2023-03-07 20:42:59 UTC
Last seen: 2023-03-11 16:36:45 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: ae9f6a32bb8b03dce37903edbc855ba1 (28 x CryptOne, 18 x RedLineStealer, 15 x njrat)
ssdeep: 196608:JZnMy97vfgla5NX7YaP6uIEJsp+jb4agYSUpHm6g90MrYmhZZoG0tLzr1+W:LnMy9rfma5NrYaVzC0b4vpZZoG0tR+W
TLSH: T1B6C63313F5905A31D9522A308D79AD34653DBDA14F255E83AB71780D03290FAEBF83E7
TrID: 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
      13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
      6.2% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon: 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter: petikvx
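The imphash above is shared with three unrelated families (CryptOne, RedLineStealer, njrat), which is the usual sign that it fingerprints a packer or loader stub rather than the payload. The block below is an added example, not code from MalwareBazaar, pefile or this sample: it reimplements the import-hash algorithm as pefile's get_imphash() computes it (lowercase DLL name with .dll/.ocx/.sys stripped, lowercase function name, import-table order, comma-joined, MD5), over constructed import tables that are not the real imports of this file, to show which differences the hash ignores and which it does not.

```python
"""Reproduce the imphash computation over constructed import tables.

Added example, not code from MalwareBazaar or from the sample on this entry.
It follows pefile's get_imphash(): for every imported function build
"<dll>.<func>" with the DLL name lowercased and a .dll/.ocx/.sys extension
removed and the function name lowercased, keep import-table order, join the
parts with commas and MD5 the resulting string. The import lists below are
constructed for illustration; they are not this sample's import table.
"""
import hashlib

# Extensions pefile strips from the library name before hashing.
_STRIPPED_EXTS = ("ocx", "sys", "dll")


def normalize_imports(imports):
    """Return the comma-joined canonical import string that gets hashed.

    `imports` is an ordered list of (dll_name, symbol) pairs; `symbol` is a
    function name or an integer ordinal. Ordinal imports are rendered as
    "ord<n>" here (pefile additionally maps well-known ws2_32/oleaut32
    ordinals to their names; that lookup table is omitted in this example).
    """
    parts = []
    for dll, symbol in imports:
        lib = dll.lower()
        base, _, ext = lib.rpartition(".")
        if base and ext in _STRIPPED_EXTS:
            lib = base
        func = f"ord{symbol}" if isinstance(symbol, int) else symbol.lower()
        parts.append(f"{lib}.{func}")
    return ",".join(parts)


def imphash(imports):
    """MD5 hex digest of the normalized import string."""
    return hashlib.md5(normalize_imports(imports).encode()).hexdigest()


# Constructed import table of a generic loader/crypter stub: it needs only
# enough of the Win32 API to map and run an embedded payload, so every
# payload wrapped by the same stub shares this hash.
STUB_IMPORTS = [
    ("KERNEL32.DLL", "VirtualAlloc"),
    ("KERNEL32.DLL", "VirtualProtect"),
    ("KERNEL32.DLL", "GetProcAddress"),
    ("KERNEL32.DLL", "LoadLibraryA"),
    ("USER32.DLL", "MessageBoxA"),
]

# The same stub as another toolchain might emit it: mixed-case DLL names,
# with and without the .dll suffix. These differences are normalized away.
STUB_IMPORTS_VARIANT = [
    ("kernel32", "VirtualAlloc"),
    ("Kernel32.dll", "VirtualProtect"),
    ("kernel32.dll", "GetProcAddress"),
    ("KERNEL32", "LoadLibraryA"),
    ("user32.dll", "MessageBoxA"),
]

# Same five imports in a different order: imphash is order-sensitive, so
# this yields a different fingerprint despite an identical API surface.
STUB_IMPORTS_REORDERED = [STUB_IMPORTS[1], STUB_IMPORTS[0]] + STUB_IMPORTS[2:]


if __name__ == "__main__":
    print(normalize_imports(STUB_IMPORTS))
    print(imphash(STUB_IMPORTS))
    print("variant matches:", imphash(STUB_IMPORTS_VARIANT) == imphash(STUB_IMPORTS))
    print("reordered matches:", imphash(STUB_IMPORTS_REORDERED) == imphash(STUB_IMPORTS))
```

Because the hash covers only the import directory, a crypter that rebuilds imports at runtime leaves the same static stub imports in every output, which is why pivoting on this imphash returns a mix of families; the ssdeep, TLSH and dhash values on the entry are better pivots for the payload itself.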

Intelligence

File Origin
# of uploads: 2
# of downloads: 105
Origin country: n/a
Vendor Threat Intelligence

Result
Malware family: n/a
ID: 1
File name: PCInstaller Pro.zip
Verdict: No threats detected
Analysis date: 2023-01-26 21:22:21 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Searching for the window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file
Creating a process from a recently created file
Running batch commands
Sending a custom TCP request
Creating a service
Loading a system driver
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Enabling autorun for a service
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: crypren crysis dharma greyware overlay packed setupapi.dll shdocvw.dll shell32.dll
Result
Verdict: MALICIOUS

Result
Threat name: PCHunter tool, NetTool
Detection: malicious
Classification: rans.troj.spyw.evad
Score: 70 / 100
Signature
Adds a new user with administrator rights
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to hide user accounts
Deletes keys which are related to windows safe boot (disables safe mode boot)
Deletes shadow drive data (may be related to ransomware)
Hides user accounts
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May modify the system service descriptor table (often done to hook functions)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Uses cmd line tools excessively to alter registry or file data
Uses netsh to modify the Windows network and firewall settings
Yara detected NetTool
Yara detected PCHunter tool
Behaviour
Behavior Graph (ID 821812): sample TestingIndoa.bin.exe, start date 07/03/2023, architecture WINDOWS, score 70. Top-level signatures: Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; 9 other signatures. Also started at the root of the graph: rdpvideominiport.sys, rdpdr.sys, tsusbhub.sys.

Process tree recovered from the graph (paths abbreviated with "..." are as shown in the graph):

TestingIndoa.bin.exe
  dropped: C:\Users\user\Desktop\ac\unlocker.exe (PE32); C:\Users\user\Desktop\ac\nc123.exe (PE32); C:\Users\user\Desktop\ac\mssql2.exe (PE32); 4 other files (3 malicious)
  started: mssql.exe; nc123.exe; cmd.exe; 3 other processes
    mssql.exe
      network: www.epoolsoft.com (38.63.59.228, port 80, COGENT-174US, United States)
      dropped: C:\Users\user\Desktop\ac\ztcqaxhofvtpou.sys (PE32+); C:\Users\user\Desktop\...\zsofszqthwsuxov.sys (PE32+); C:\Users\user\Desktop\...\zetpzkhkzafmbik.sys (PE32+); 14 other malicious files
      signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Sample is not signed and drops a device driver; Deletes keys which are related to windows safe boot (disables safe mode boot)
    nc123.exe
      signatures: Antivirus detection for dropped file
      started: cmd.exe; conhost.exe
        cmd.exe
          signatures: Uses cmd line tools excessively to alter registry or file data; Deletes shadow drive data (may be related to ransomware); Uses netsh to modify the Windows network and firewall settings; 2 other signatures
    cmd.exe
      signatures: Uses cmd line tools excessively to alter registry or file data; Adds a new user with administrator rights
      started: reg.exe; cmd.exe; cmd.exe; 11 other processes
        reg.exe
          signatures: Hides user accounts
        cmd.exe
          started: WMIC.exe; find.exe
        cmd.exe
          started: WMIC.exe; find.exe
        11 other processes
          started: net1.exe; net1.exe; net1.exe; 2 other processes
    3 other processes
      signatures: Deletes shadow drive data (may be related to ransomware)
      started: conhost.exe; vssadmin.exe
Result
Threat name: Win32.Hacktool.NbtScan
Status: Malicious
First seen: 2020-08-16 16:26:31 UTC
File Type: PE (Exe)
Extracted files: 594
AV detection: 34 of 39 (87.18%)
Threat level: 1/5
Verdict: malicious

Result
Malware family: n/a
Score: 9/10
Tags: evasion persistence ransomware
Behaviour
Interacts with shadow copies
Runs net.exe
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Views/modifies file attributes
Enumerates physical storage devices
Launches sc.exe
Enumerates connected drives
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Modifies Windows Firewall
Sets file to hidden
Sets service image path in registry
Deletes shadow copies
Grants admin privileges
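The sandbox signatures above (shadow-copy deletion, a new user added to Administrators, accounts hidden via the registry, netsh firewall changes, safe-boot key deletion) are all driven by command-line tooling, so they map onto process-creation telemetry. The block below is an added example, not code from MalwareBazaar or from any of the sandbox vendors quoted on this entry: it runs simple command-line rules over a constructed, in-order list of process-creation events and reports each hit under the signature wording used above. The event command lines are typical forms of the behaviours named in the signatures, not command lines recovered from this sample, and the "new user with administrator rights" rule is stateful: it fires only when the account added to Administrators was created earlier in the same trace, and otherwise reports the weaker "Grants admin privileges".

```python
"""Match process-creation events against the behaviours reported on this entry.

Added example, not part of the MalwareBazaar entry or of any sandbox vendor's
code. Rules are regular expressions over a command line, labelled with the
signature wording used on this entry. EVENTS is a constructed trace: typical
forms of the LOLBin usage the signatures describe, not this sample's commands.
"""
import re
from collections import OrderedDict

# Stateless rules: (signature as worded on this entry, regex over the command line).
SIMPLE_RULES = [
    ("Deletes shadow drive data",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b"
                r"|\bwmic(?:\.exe)?\b.*\bshadowcopy\s+delete\b", re.I)),
    ("Hides user accounts",
     # A DWORD 0 under Winlogon\SpecialAccounts\UserList hides the account
     # from the logon screen and from the Users control panel.
     re.compile(r"\breg(?:\.exe)?\s+add\b.*\\SpecialAccounts\\UserList\b.*\s/d\s+0\b", re.I)),
    ("Uses netsh to modify the Windows network and firewall settings",
     re.compile(r"\bnetsh(?:\.exe)?\s+(?:advfirewall|firewall)\b", re.I)),
    ("Deletes keys which are related to windows safe boot",
     re.compile(r"\breg(?:\.exe)?\s+delete\b.*\\Control\\SafeBoot\\", re.I)),
]

# Stateful pair: account creation, then elevation of the same account.
NET_USER_ADD = re.compile(r"\bnet1?(?:\.exe)?\s+user\s+(\S+)\s+\S+\s+/add\b", re.I)
NET_LOCALGROUP_ADMIN = re.compile(
    r"\bnet1?(?:\.exe)?\s+localgroup\s+administrators\s+(\S+)\s+/add\b", re.I)


def detect(events):
    """Return an ordered {signature: [command lines]} for events in execution order.

    Each event is a dict with at least a "cmdline" key.
    """
    hits = OrderedDict()
    created = set()  # accounts created earlier in this trace (lowercased)

    def add(sig, cmd):
        hits.setdefault(sig, []).append(cmd)

    for ev in events:
        cmd = ev["cmdline"]
        for sig, rx in SIMPLE_RULES:
            if rx.search(cmd):
                add(sig, cmd)
        m = NET_USER_ADD.search(cmd)
        if m:
            created.add(m.group(1).lower())
            continue
        m = NET_LOCALGROUP_ADMIN.search(cmd)
        if m:
            if m.group(1).lower() in created:
                add("Adds a new user with administrator rights", cmd)
            else:
                add("Grants admin privileges", cmd)
    return hits


# Constructed trace (hypothetical account name and values; not from this sample).
EVENTS = [
    {"parent": "cmd.exe", "image": "net1.exe",
     "cmdline": r"net1 user support$ P@ssw0rd! /add"},
    {"parent": "cmd.exe", "image": "net1.exe",
     "cmdline": r"net1 localgroup administrators support$ /add"},
    {"parent": "cmd.exe", "image": "reg.exe",
     "cmdline": r'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v support$ /t REG_DWORD /d 0 /f'},
    {"parent": "cmd.exe", "image": "vssadmin.exe",
     "cmdline": r"vssadmin.exe delete shadows /all /quiet"},
    {"parent": "cmd.exe", "image": "netsh.exe",
     "cmdline": r"netsh advfirewall set allprofiles state off"},
    {"parent": "cmd.exe", "image": "reg.exe",
     "cmdline": r'reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal" /f'},
    {"parent": "cmd.exe", "image": "net1.exe",
     "cmdline": r"net1 localgroup administrators Guest /add"},  # existing account
    {"parent": "explorer.exe", "image": "WMIC.exe",
     "cmdline": r"wmic os get Caption"},  # benign, must not match
]


if __name__ == "__main__":
    for sig, cmds in detect(EVENTS).items():
        print(sig)
        for c in cmds:
            print("   ", c)
```

The rules match on command lines only; the "Sets file to hidden", driver-loading and service-creation behaviours on this entry need file, driver-load or registry telemetry rather than process creation, so they are deliberately not covered here.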
Unpacked files

SHA256 hash: 9d223ca9ab98d8d0044852ae908060b62a3832ea00382d94b03f06718a7d7503
MD5 hash: 3581f841f6275bcf5ee7603f28888e36
SHA1 hash: 4a4e46e920b9ead83d82c42e33dcd557ee564b3c

SHA256 hash: be6720fb234499c743b3e39d5c81827943c9720465bbd4d832c7893f1694ad56
MD5 hash: a7038374b3a8a964c515b7741c1ff789
SHA1 hash: bbc35eac27b52af8079fdcbc8a7bc55d3dd61b97

SHA256 hash: 93801b7f412571d14156932da809d1c5d8000c607e05a4ca037aa17141c7b692
MD5 hash: b8890551dadc3423890d180999f2378e
SHA1 hash: 37499f2270938b95bf84b0dc3e6bd6244ebacbe9

SHA256 hash: 6fb303dd8ba36381948127d44bd8541e4a1ab8af07b46526ace08458f2498850
MD5 hash: 928e37519022745490d1af1ce6f336f7
SHA1 hash: b7840242393013f2c4c136ac7407e332be075702
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB
