MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7ca01cb68c03434dd6a45bd79206370dc69b8787825c5d26ec75dcc4a3b14f81. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: CoinMiner
Vendor detections: 18



SHA256 hash: 7ca01cb68c03434dd6a45bd79206370dc69b8787825c5d26ec75dcc4a3b14f81
SHA3-384 hash: 658d1c7055a8bd9bdd042091fbf693c9563a82184522a95db1570aafc68e7316b8755db7db2ac9d75c3f6765cf79adaf
SHA1 hash: 62a5953f5092810669b1fdf1fd0e5918b4527174
MD5 hash: e5aa445a4f523de1b08d0efdd47c1fac
humanhash: winter-friend-wisconsin-high
File name: exe4.bin.bak
Signature: CoinMiner
File size: 12'244'992 bytes
First seen: 2024-07-06 12:09:38 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 3222c3f44785a4ac7520003a95ac4f46 (1 x CoinMiner, 1 x Blackmoon)
ssdeep: 196608:cqhN84at0H7AaaxZwi54HMfWxCd1tS9Q/ZrMXpQa/wcFCZK2zrQKrj7JCf6e1hzv:nE4RH7AZwimxEdr0TXpx/wc0ZbfQK/7k
Threatray: 3 similar samples on MalwareBazaar
TLSH: T13EC63307894A78B2F0412EB063AEF9D0410170A72A6776316D4BDEED4939AD3F6E3753
TrID:
  44.2% (.EXE) UPX compressed Win32 Executable (27066/9/6)
  26.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
  8.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
  7.3% (.EXE) Win32 Executable (generic) (4504/4/1)
  3.3% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter: Reedus0
Tags: 32 Blackmoon CoinMiner exe

Intelligence

File Origin
# of uploads: 1
# of downloads: 419
Origin country: RU

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 7ca01cb68c03434dd6a45bd79206370dc69b8787825c5d26ec75dcc4a3b14f81.exe
Verdict: Suspicious activity
Analysis date: 2024-07-06 12:14:34 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 99.9%
Tags: Execution Generic Network Stealth Heur

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a process with a hidden window
Launching the process to change the firewall settings
Creating synchronization primitives
Connection attempt to an infection source
Possible injection to a system process
Searching for the window
Creating a file in the %AppData% directory
Creating a service
Launching a service
Launching a process
Searching for synchronization primitives
Enabling autorun for a service
Query of malicious DNS domain
Unauthorized injection to a system process
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: hook iceid keylogger lolbin masquerade microsoft_visual_cc monero packed packed packed powershell rat shell32 upx

Result
Verdict: MALICIOUS

Result
Threat name: BlackMoon, GhostRat
Detection: malicious
Classification: rans.troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to capture and log keystrokes
Contains functionality to detect sleep reduction / modifications
Contains functionality to modify windows services which are used for security filtering and protection
Creates files in the system32 config directory
Deletes itself after installation
Drops executables to the windows directory (C:\Windows) and starts them
Found API chain indicative of sandbox detection
Found stalling execution ending in API Sleep call
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Execution from Suspicious Folder
Sigma detected: Suspicious Program Location with Network Connections
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Uses netsh to modify the Windows network and firewall settings
Yara detected BlackMoon Ransomware
Yara detected Generic Downloader
Yara detected GhostRat
Behaviour
Behavior Graph: ID 1468522, Sample exe4.bin.bak.exe, Startdate 06/07/2024, Architecture WINDOWS, Score 100
Process tree recovered from the graph (contacted domains, IP addresses and dropped-file lists omitted):
  exe4.bin.bak.exe
    powershell.exe
      conhost.exe
  svchost.exe
    Traffmonetizer.exe
      Installer.exe
        Traffmonetizer.exe
    ctfmoon.exe
      conhost.exe
    svchost.exe
    14 other processes
      conhost.exe (x3)
      10 other processes
  svchost.exe
Threat name: Win32.Trojan.BlackMoon
Status: Malicious
First seen: 2024-06-13 10:41:53 UTC
File Type: PE (Exe)
Extracted files: 174
AV detection: 20 of 24 (83.33%)
Threat level: 5/5

Result
Malware family: gh0strat
Score: 10/10
Tags: family:blackmoon family:gh0strat banker evasion persistence privilege_escalation rat trojan upx
Behaviour
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Deletes itself
Executes dropped EXE
Loads dropped DLL
UPX packed file
Unexpected DNS network traffic destination
Downloads MZ/PE file
Modifies Windows Firewall
Server Software Component: Terminal Services DLL
Blackmoon, KrBanker
Detect Blackmoon payload
Gh0st RAT payload
Gh0strat
Unpacked files
Detections on unpacked files:
BlackmoonBanker MALWARE_Win_BlackMoon MALWARE_Win_Nitol potential_termserv_dll_replacement
BlackmoonBanker MALWARE_Win_BlackMoon MALWARE_Win_EXEPWSH_DLAgent MALWARE_Win_Nitol potential_termserv_dll_replacement
Backdoor_Nitol_Jun17 GhostDragon_Gh0stRAT MAL_Nitol_Malware_Jan19_1 MALWARE_Win_Nitol potential_termserv_dll_replacement
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: NET
Author: malware-lu

Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants

Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants

Rule name: UPX290LZMAMarkusOberhumerLaszloMolnarJohnReiser
Author: malware-lu

Rule name: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Author: malware-lu

Rule name: UPXv20MarkusLaszloReiser
Author: malware-lu

Rule name: upx_largefile
Author: k3nr9

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                  Title                                                     Severity
CHECK_AUTHENTICODE  Missing Authenticode                                      high
CHECK_NX            Missing Non-Executable Memory Protection                  critical
CHECK_PIE           Missing Position-Independent Executable (PIE) Protection  high

Reviews
ID            Capabilities                     Evidence
WIN_BASE_API  Uses Win Base API                KERNEL32.DLL::LoadLibraryA
WIN_REG_API   Can Manipulate Windows Registry  ADVAPI32.dll::RegOpenKeyA
