MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6fdb8c9202aaaad7ec6f5590887fe7cacf526943009bef41cacb1d02654ca26e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6fdb8c9202aaaad7ec6f5590887fe7cacf526943009bef41cacb1d02654ca26e
SHA3-384 hash: b4c6097991b1f1a5423f1e41fa9410694935192cf1199f8cfbe7624f061f879e1942bd2d9d58f6f46f61f1ce6df5b9d1
SHA1 hash: fcc86275de8372df6ec293ecc4425733a35adec4
MD5 hash: 393e5a7fe1d4a719890fe46e7049301a
humanhash: magazine-nineteen-mango-xray
File name:SecuriteInfo.com.Trojan.PWS.Siggen2.59485.31175.12946
Download: download sample
File size:402'416 bytes
First seen:2020-11-16 22:42:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fec7195c130089e289e9cff57109cfaa
ssdeep 6144:fS+mpM6hwfE0ZhHmGfhobCd7NaaKiV1uWez8N8HjarTJSUWGQaB+79758ZbFu/G+:6KGNijuWez8N8HjarTkUXQabt7swq
Threatray 5 similar samples on MalwareBazaar
TLSH AF848C1737E08837C9B216321419A626A76DFCB049E2E3C72748BB0EDD74561DD38BA7
Reporter SecuriteInfoCom

Intelligence

File Origin
# of uploads :
1
# of downloads :
91
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.59485.31175.12946.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Creating a window
Running batch commands
Creating a process with a hidden window
Launching a process
Stealing user critical data
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/538576
Signature
Antivirus detection for dropped file
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses ping.exe to check the status of other devices and networks
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6fdb8c9202aaaad7ec6f5590887fe7cacf526943009bef41cacb1d02654ca26e/
Threat name:
Win32.Trojan.Graftor
Create hunting rule
Status:
Malicious
First seen:
2020-11-12 02:30:32 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
028ec268176707aadc2cf8e65a28236cbed214f9fd65fc3346ee34e859e50057
3419cd3aa1836577742af73aefa4d0fd5a198cbc4474af670408e6752f0dd89e
7bfc452162c32f5f4eb41853835d7b9ac565c6c7ca109005b40822f3b055cf97
cca3df47e9579ccc7c35bee02c9ab2c1b55643e50e57528abf840229b5d082a8
e73eb64f139fbfe78f487764bdd6c3a98f2f5383becc3905fbb9ac2a9918a91e
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery spyware
Link:
https://tria.ge/reports/201116-1bqjgy7sgs/
Behaviour
Modifies data under HKEY_USERS
Modifies system certificate store
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Deletes itself
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
6fdb8c9202aaaad7ec6f5590887fe7cacf526943009bef41cacb1d02654ca26e
MD5 hash:
393e5a7fe1d4a719890fe46e7049301a
SHA1 hash:
fcc86275de8372df6ec293ecc4425733a35adec4
Link:
https://www.unpac.me/results/09528101-865c-44e1-b7ad-26020afb5245/
SH256 hash:
cd1b4ccf4a06a71af270e13250de71b4bbab3143af0ac54ae8c923dcca27d8c1
MD5 hash:
5316bc2beb07f78ebd9e8b03ed731b9a
SHA1 hash:
b96eb99f0894b72a5bac310b5035287d962f8800
Link:
https://www.unpac.me/results/09528101-865c-44e1-b7ad-26020afb5245/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 6fdb8c9202aaaad7ec6f5590887fe7cacf526943009bef41cacb1d02654ca26e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/824225/
  
Delivery method
Distributed via web download

Comments