MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7bfc452162c32f5f4eb41853835d7b9ac565c6c7ca109005b40822f3b055cf97. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SchoolBoy

Vendor detections: 7

Intelligence 7 IOCs YARA 7 File information Comments

SHA256 hash:	7bfc452162c32f5f4eb41853835d7b9ac565c6c7ca109005b40822f3b055cf97
SHA3-384 hash:	ba6c57ab571e80c1c469fe8f4a3b5185bb1867e492f2c53d8ec243a30829a18d8017d8d842bf0dd382317c7014d38b0e
SHA1 hash:	6af1e1d43e2f75a274ffa84137f2838c7437f0f1
MD5 hash:	40bcd63dd5bbab850dcf79a0d4e06dda
humanhash:	delta-missouri-video-spaghetti
File name:	7bfc452162c32f5f4eb41853835d7b9ac565c6c7ca109005b40822f3b055cf97.bin
Download:	download sample
Signature	SchoolBoy Create hunting rule
File size:	183'808 bytes
First seen:	2020-10-17 21:29:34 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	33caf5c4e3bb937ac780bc37656c2475 (1 x SchoolBoy)
ssdeep	3072:ihuNxDt4ZeazdzQScN+tnUVPSJFSZV9v+uJVci1Y1LL9c/3gcqGX77:kuNxGZeazd/cN+6PSJFQV9v3GdL9c/3P
Threatray	3 similar samples on MalwareBazaar
TLSH	C3043A37B2B1A036C16B4433769A1677276B6B310179585BDFC826416BB4B86FF302B3
Reporter	Arkbird_SOLG
Tags:	KPOT SchoolBoy

Intelligence

File Origin

# of uploads :

# of downloads :

1'889

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/72585/

Detection(s):

Win.Dropper.KpotStealer-9322564-1

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Sending a UDP request

Reading critical registry keys

Creating a window

Sending a custom TCP request

Running batch commands

Creating a process with a hidden window

Launching a process

Sending a TCP request to an infection source

Stealing user critical data

Result

Threat name:

Unknown

Detection:

malicious

Classification:

troj.spyw

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/494515

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Uses ping.exe to check the status of other devices and networks

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7bfc452162c32f5f4eb41853835d7b9ac565c6c7ca109005b40822f3b055cf97/

Threat name:

Win32.Trojan.Malrep

Status:

Malicious

First seen:

2020-10-13 09:54:00 UTC

File Type:

PE (Exe)

AV detection:

26 of 29 (89.66%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=pp6ekilcymxv6tvudbjygxl3tlcwlrwhziijabnubarphmcvz6lq._file

Verdict:

unknown

SchoolBoy

3419cd3aa1836577742af73aefa4d0fd5a198cbc4474af670408e6752f0dd89e

SchoolBoy

e73eb64f139fbfe78f487764bdd6c3a98f2f5383becc3905fbb9ac2a9918a91e

SchoolBoy

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery spyware

Link:

https://tria.ge/reports/201017-cz1et9q8x2/

Behaviour

Modifies data under HKEY_USERS

Modifies system certificate store

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Drops file in System32 directory

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Deletes itself

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

7bfc452162c32f5f4eb41853835d7b9ac565c6c7ca109005b40822f3b055cf97

MD5 hash:

40bcd63dd5bbab850dcf79a0d4e06dda

SHA1 hash:

6af1e1d43e2f75a274ffa84137f2838c7437f0f1

Detections:

win_sinowal_w1

Link:

https://www.unpac.me/results/20973f50-991f-4a7c-bee2-a33657d9ff90/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Tinba

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7bfc452162c32f5f4eb41853835d7b9ac565c6c7ca109005b40822f3b055cf97

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Email_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Email in files like avemaria

Rule name:	Ping_Del_method_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	cmd ping IP nul del

Rule name:	Quarian Create hunting rule
Author:	Seth Hardy
Description:	Quarian

Rule name:	QuarianCode Create hunting rule
Author:	Seth Hardy
Description:	Quarian code features

Rule name:	Steam_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Steam in files like avemaria

Rule name:	Telegram_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Telegram in files like avemaria

Rule name:	win_sinowal_w1 Create hunting rule
Author:	Seth Hardy
Description:	Quarian code features

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Link

https://github.com/StrangerealIntel/DailyIOC/blob/master/2020-10-17/MAL_KPot_Oct_2020_1.yar

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/72585/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample