MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 70bdecf71010c5daefda7581c8126f12340bdc82c1705711bc8fb3c33031d668. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 70bdecf71010c5daefda7581c8126f12340bdc82c1705711bc8fb3c33031d668
SHA3-384 hash: 659d23b8f481c10bb3fe6dac004a40b64c42f5b01b20d256b973c4d337229f66d9ac55e74f98206de616a6a2235b6d4c
SHA1 hash: e9e00340024404118479012e0d4584119afa9d5b
MD5 hash: df850a023c4594ece918855a62d1b842
humanhash: sixteen-iowa-music-yankee
File name:smss.exe
Download: download sample
File size:1'443'008 bytes
First seen:2021-01-09 13:36:29 UTC
Last seen:2021-01-10 09:00:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5e5ac8ab7be27ac2d1c548e5589378b6 (11 x GuLoader, 6 x Stealc, 5 x RedLineStealer)
ssdeep 24576:ym6sKjYZqb1ycImmvJFSYRkuK/zy2pNkFcpExvLyPl34HGh:xHKSqbHqJKpzkFcK9A6mh
TLSH 5665330B1D5492F9F31ECDB8207E270B75E247D9E7416E2660354144AC4BFD23BAE2A7
Reporter James_inthe_box
Tags:exe

Code Signing Certificate

Organisation:Symantec Time Stamping Services CA - G2
Issuer:Thawte Timestamping CA
Algorithm:sha1WithRSAEncryption
Valid from:Dec 21 00:00:00 2012 GMT
Valid to:Dec 30 23:59:59 2020 GMT
Serial number: 7E93EBFB7CC64E59EA4B9A77D406FC3B
Intelligence: 85 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 0625FEE1A80D7B897A9712249C2F55FF391D6661DBD8B87F9BE6F252D88CED95
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
3
# of downloads :
177
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
smss.bin
Verdict:
Malicious activity
Analysis date:
2021-01-09 21:07:29 UTC
Tags:
trojan rat pcrat gh0st
Link:
https://app.any.run/tasks/aceef1e9-4f00-4512-b016-d134d87d794c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Siggen11.57885.22181.1923.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for analyzing tools
Creating a file
Enabling the 'hidden' option for recently created files
Creating a service
Launching a service
Creating a process from a recently created file
Sending a UDP request
Running batch commands
Creating a process with a hidden window
Creating a window
Creating a file in the drivers directory
Loading a system driver
Creating a file in the Windows subdirectories
Sending a custom TCP request
Launching a process
Deleting a recently created file
Enabling autorun for a service
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Mimikatz
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/577298
Signature
Changes security center settings (notifications, updates, antivirus, firewall)
Detected unpacking (changes PE section rights)
Drops PE files with benign system names
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Sample is not signed and drops a device driver
Sigma detected: System File Execution Location Anomaly
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Mimikatz
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 337700 Sample: smss.exe Startdate: 09/01/2021 Architecture: WINDOWS Score: 100 42 Multi AV Scanner detection for dropped file 2->42 44 Multi AV Scanner detection for submitted file 2->44 46 Yara detected Mimikatz 2->46 48 5 other signatures 2->48 7 svchost.exe 2->7         started        10 smss.exe 1 2 2->10         started        13 svchost.exe 2->13         started        15 10 other processes 2->15 process3 file4 58 Multi AV Scanner detection for dropped file 7->58 60 Detected unpacking (changes PE section rights) 7->60 62 Tries to detect sandboxes and other dynamic analysis tools (window names) 7->62 64 Machine Learning detection for dropped file 7->64 17 svchost.exe 13 1 7->17         started        34 C:\ProgramData\svchost.exe, PE32 10->34 dropped 36 C:\ProgramData\svchost.exe:Zone.Identifier, ASCII 10->36 dropped 66 Hides threads from debuggers 10->66 68 Drops PE files with benign system names 10->68 22 cmd.exe 1 10->22         started        70 Changes security center settings (notifications, updates, antivirus, firewall) 13->70 24 MpCmdRun.exe 1 13->24         started        signatures5 process6 dnsIp7 38 124.132.153.147, 888 CHINA169-BACKBONECHINAUNICOMChina169BackboneCN China 17->38 32 C:\Windows\System32\drivers\QAssist.sys, PE32+ 17->32 dropped 50 System process connects to network (likely due to code injection or exploit) 17->50 52 Sample is not signed and drops a device driver 17->52 54 Hides threads from debuggers 17->54 40 127.0.0.1 unknown unknown 22->40 56 Uses ping.exe to sleep 22->56 26 conhost.exe 22->26         started        28 PING.EXE 1 22->28         started        30 conhost.exe 24->30         started        file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/70bdecf71010c5daefda7581c8126f12340bdc82c1705711bc8fb3c33031d668/
Threat name:
Win32.Backdoor.Zegost
Create hunting rule
Status:
Malicious
First seen:
2021-01-09 13:35:40 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
17 of 29 (58.62%)
Threat level:
  5/5
Verdict:
malicious
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence upx
Link:
https://tria.ge/reports/210109-h1qnqmsxb2/
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates connected drives
Deletes itself
Loads dropped DLL
Drops file in Drivers directory
Executes dropped EXE
Sets service image path in registry
UPX packed file
Unpacked files
SH256 hash:
70bdecf71010c5daefda7581c8126f12340bdc82c1705711bc8fb3c33031d668
MD5 hash:
df850a023c4594ece918855a62d1b842
SHA1 hash:
e9e00340024404118479012e0d4584119afa9d5b
Link:
https://www.unpac.me/results/2384747e-2923-4959-a45b-f469a9222f76/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Zegost
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/70bdecf71010c5daefda7581c8126f12340bdc82c1705711bc8fb3c33031d668

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:EnigmaStub
Create hunting rule
Author:@bartblaze
Description:Identifies Enigma packer stub.
Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments