MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 730a41a7656f606a22e9f0d68782612d6e00ab8cfe1260160b9e0b00bc2e442a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 730a41a7656f606a22e9f0d68782612d6e00ab8cfe1260160b9e0b00bc2e442a
SHA3-384 hash: aa7c7c8795148dd7a42a3eb04bf593ea221feb71b01f68e710b7e138e634134b7f000c42292e65b1ff464526b581d94f
SHA1 hash: 10f0defd98d4e5096fbeb321b28d6559e44d66db
MD5 hash: 38ff71c1dee2a9add67f1edb1a30ff8c
humanhash: november-one-stairway-illinois
File name:BossDaMajor.bin
Download: download sample
File size:2'014'208 bytes
First seen:2020-07-26 07:44:02 UTC
Last seen:2025-01-23 16:40:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d7ee0bec939bda9b20c9cb9dcb985e30
ssdeep 49152:veG3J7FtM9SbJakTiTBMGSARaspyyx979PSxgKFdGlYU:2GZxSoJrTiTBMGtRa8t7EFddU
Threatray 22 similar samples on MalwareBazaar
TLSH E0952336F7697951D14202B148A26BA0AA304C36E7205CDB7AE57B0FFC722FD563326C
Reporter JAMESWT_WT

Intelligence

File Origin
# of uploads :
2
# of downloads :
96
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/32592/
Detection(s):
PUA.Win.Packer.Purebasic-2
Create hunting rule

Win.Trojan.Generic-6584387-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Sending a custom TCP request
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the Program Files subdirectories
Launching a process
Setting a global event handler
Deleting a recently created file
Creating a file
Launching a service
Searching for the window
Modifying an executable file
Changing a file
Windows shutdown
Running batch commands
Blocking a possibility to launch for the Windows Task Manager (taskmgr)
Blocking a possibility to launch for the Windows registry editor (regedit.exe)
Enabling autorun
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/398036
Signature
Antivirus detection for dropped file
Benign windows process drops PE files
Creates an undocumented autostart registry key
Disables the Windows registry editor (regedit)
Disables the Windows task manager (taskmgr)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential malicious VBS script found (suspicious strings)
Sigma detected: WScript or CScript Dropper
Uses shutdown.exe to shutdown or reboot the system
Windows Shell Script Host drops VBS files
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 251197 Sample: BossDaMajor.bin Startdate: 26/07/2020 Architecture: WINDOWS Score: 100 70 Antivirus detection for dropped file 2->70 72 Multi AV Scanner detection for dropped file 2->72 74 Multi AV Scanner detection for submitted file 2->74 76 4 other signatures 2->76 10 BossDaMajor.exe 25 2->10         started        14 AcroRd32.exe 36 2->14         started        process3 file4 58 C:\Users\user\AppData\Local\...\MrsMjrGui.exe, PE32 10->58 dropped 60 C:\Users\user\AppData\Local\Temp\...\C20.vbs, ASCII 10->60 dropped 84 Potential malicious VBS script found (suspicious strings) 10->84 16 wscript.exe 18 10->16         started        20 RdrCEF.exe 14->20         started        22 AcroRd32.exe 6 14->22         started        24 AdobeARM.exe 14->24         started        signatures5 process6 file7 50 C:\Program Files\mrsmajor\MrsMjrGui.exe, PE32 16->50 dropped 52 C:\Program Files\mrsmajor\reStart.vbs, ASCII 16->52 dropped 54 C:\Program Files\...\mrsmajorlauncher.vbs, ASCII 16->54 dropped 56 2 other malicious files 16->56 dropped 64 Benign windows process drops PE files 16->64 66 Potential malicious VBS script found (suspicious strings) 16->66 68 Windows Shell Script Host drops VBS files 16->68 26 wscript.exe 6 53 16->26         started        29 notepad.exe 16->29         started        31 RdrCEF.exe 20->31         started        33 RdrCEF.exe 20->33         started        35 RdrCEF.exe 20->35         started        37 2 other processes 20->37 signatures8 process9 signatures10 78 Creates an undocumented autostart registry key 26->78 80 Disables the Windows task manager (taskmgr) 26->80 82 Disables the Windows registry editor (regedit) 26->82 39 wmplayer.exe 57 43 26->39         started        42 shutdown.exe 26->42         started        process11 dnsIp12 62 images.windowsmedia.com 39->62 44 unregmp2.exe 39->44         started        46 conhost.exe 42->46         started        process13 process14 48 unregmp2.exe 44->48         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/730a41a7656f606a22e9f0d68782612d6e00ab8cfe1260160b9e0b00bc2e442a/
Threat name:
Win32.Trojan.CryptInject
Create hunting rule
Status:
Malicious
First seen:
2017-07-09 21:28:20 UTC
File Type:
PE (Exe)
Extracted files:
29
AV detection:
38 of 48 (79.17%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0a48a4027eb05b188d2cdb83f220a3160c9b5c9006df53306bbf5e4ad9ec55c2
1acd132956421229e7c8fabb1001381956ff135d042b339f2871763498896d9e
2bfcc18ff3157d5b800d7d8f3d2ca77a131f228a7e37c64632977073efa9d279
4ae56999b52479b1985ad4dc0234d26ac7954a4cf54255874f859f3cd91fc45d
5ef0b6ab46bb6853ddf281a6b12ca1b6c9d77a6b25a8db00e5f0771e793357a5
6cf91b93dd7a3a6aca9878a5cf252af90000628486161243a086d6477d5d1f04
6dcf4557563343e881daf4b7d7b01e372457cee637ac001a1102a2e67a69cbf8
6fae048e4ff41fdf6b3183d0a6f3fbe5b07d42544694c4b6ff5b76be292a1615
82732e47492148243ee3fb338c93d43b9a9984f39e3409327600cffc5766af1b
f9452ba1966aee0e4c1713a6293c9551b3ff97d4fbf065696d4691ad339878b8
+ 12 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence trojan ransomware bootkit
Link:
https://tria.ge/reports/200726-87srxls71s/
Behaviour
Modifies Control Panel
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
System policy modification
Modifies registry class
System policy modification
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Modifies Control Panel
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Modifies data under HKEY_USERS
Drops file in Program Files directory
Drops file in Program Files directory
Enumerates connected drives
Disables Task Manager via registry modification
Disables RegEdit via registry modification
Disables Task Manager via registry modification
Disables RegEdit via registry modification
Modifies WinLogon to allow AutoLogon
Modifies system executable filetype association
Modifies WinLogon for persistence
UAC bypass
Modifies WinLogon for persistence
Modifies system executable filetype association
UAC bypass
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/730a41a7656f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Diztakun
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/730a41a7656f606a22e9f0d68782612d6e00ab8cfe1260160b9e0b00bc2e442a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/32592/

Comments