MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 81d9143600e38e058a53b635574f2b8e64f5cb69c0832497ce13b98a26f0293f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 81d9143600e38e058a53b635574f2b8e64f5cb69c0832497ce13b98a26f0293f
SHA3-384 hash: 2c771bd0b6e4a948d2f231c3c97fce9da2cb272f85f00d1f08e8f85fc13b77cb6e3162ea5f390e7c4129400182ca1476
SHA1 hash: fb1c2c074619efe1030c59e8ee5038540af870a2
MD5 hash: eee8b6b36e877d7294ca94dc10d7f53a
humanhash: batman-uniform-seventeen-cup
File name:eee8b6b36e877d7294ca94dc10d7f53a.exe
Download: download sample
File size:1'262'296 bytes
First seen:2021-04-08 06:49:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash be41bf7b8cc010b614bd36bbca606973 (195 x LummaStealer, 126 x DanaBot, 63 x Vidar)
ssdeep 24576:cqMi1HtYYnZGqoAON2HzClSto0nRwAJINjST5pU6M:r1+iLoAON2HLY/N+FpU6M
Threatray 111 similar samples on MalwareBazaar
TLSH 2145232AF9B0D946C89B1DB52EFDD8B5B45B3DCAE119C325170C3B4D68B20248ED42E7
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
109
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SetupFile-v16.2.9.exe
Verdict:
Malicious activity
Analysis date:
2021-04-07 17:19:50 UTC
Tags:
autoit trojan stealer loader evasion opendir danabot
Link:
https://app.any.run/tasks/2a6f0993-9af1-4135-a0e6-a6732bc65e16

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/133031/
Detection(s):
PUA.Win.Downloader.Driverpack-6998194-0
Create hunting rule

PUA.Win.Adware.Generic-7505646-0
Create hunting rule

PUA.Win.File.Generic-7557964-0
Create hunting rule

SecuriteInfo.com.Gen.Variant.Jacard.184087.14432.10100.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Deleting a recently created file
Creating a file in the %AppData% subdirectories
Launching a process
Creating a process with a hidden window
Running batch commands
Launching cmd.exe command interpreter
DNS request
Sending a UDP request
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/669623
Signature
Contains functionality to register a low level keyboard hook
Delayed program exit found
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Submitted sample is a known malware sample
System process connects to network (likely due to code injection or exploit)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 383737 Sample: V7UnYc7CCN.exe Startdate: 08/04/2021 Architecture: WINDOWS Score: 100 75 Multi AV Scanner detection for dropped file 2->75 77 Multi AV Scanner detection for submitted file 2->77 79 Detected unpacking (changes PE section rights) 2->79 81 5 other signatures 2->81 11 V7UnYc7CCN.exe 19 2->11         started        14 SmartClock.exe 2->14         started        16 SmartClock.exe 2->16         started        process3 file4 55 C:\Users\user\AppData\Local\Temp\...\vpn.exe, PE32 11->55 dropped 57 C:\Users\user\AppData\Local\Temp\...\4.exe, PE32 11->57 dropped 59 C:\Users\user\AppData\Local\Temp\...\UAC.dll, PE32 11->59 dropped 18 vpn.exe 7 11->18         started        20 4.exe 4 11->20         started        process5 file6 23 cmd.exe 1 18->23         started        26 dllhost.exe 18->26         started        51 C:\Users\user\AppData\...\SmartClock.exe, PE32 20->51 dropped 28 SmartClock.exe 20->28         started        process7 signatures8 85 Submitted sample is a known malware sample 23->85 87 Obfuscated command line found 23->87 89 Uses ping.exe to sleep 23->89 91 Uses ping.exe to check the status of other devices and networks 23->91 30 cmd.exe 3 23->30         started        33 conhost.exe 23->33         started        process9 signatures10 93 Obfuscated command line found 30->93 95 Uses ping.exe to sleep 30->95 35 Campeggia.exe.com 30->35         started        38 PING.EXE 1 30->38         started        41 findstr.exe 1 30->41         started        process11 dnsIp12 83 May check the online IP address of the machine 35->83 44 Campeggia.exe.com 3 19 35->44         started        61 127.0.0.1 unknown unknown 38->61 63 192.168.2.1 unknown unknown 38->63 53 C:\Users\user\AppData\...\Campeggia.exe.com, Targa 41->53 dropped file13 signatures14 process15 dnsIp16 65 ip-api.com 208.95.112.1, 49718, 80 TUT-ASUS United States 44->65 67 UrWMLAOliBgtBDBqNA.UrWMLAOliBgtBDBqNA 44->67 47 wscript.exe 12 44->47         started        process17 dnsIp18 69 iplogger.org 88.99.66.31, 443, 49724 HETZNER-ASDE Germany 47->69 71 System process connects to network (likely due to code injection or exploit) 47->71 73 May check the online IP address of the machine 47->73 signatures19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/81d9143600e38e058a53b635574f2b8e64f5cb69c0832497ce13b98a26f0293f/
Threat name:
Win32.Trojan.Zenpak
Create hunting rule
Status:
Malicious
First seen:
2021-04-07 16:00:06 UTC
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
1594c8ccc3e4145a47e5693155770eac845975054e811b115d00cb0209c1553f
388d18b98704bff34ac1cb0a6603e68ba300205ee2f14e4bf482f1012d933231
743f92678d29a5338b7b276226b0d8f60749589f1b11789f40b292d4f2ce7854
8cec146d7a7b594cf7748b35c63ea1fed2c994ef2cdbb5731f1b15d9c9fa1ee3
941d3312f126a5104966af87ce58d9be63bbaf63216723508d9dd2d2f241fea7
948fb39f8d7058b029ea1b36937c544ccaefab83d03fe6e7f609289c1f46dba8
980e27f0cf3ceda9a21d8651765a6eeedb513b7a169e31a4108ca6ce209de34f
b0e796694c790548cf9553a6ed536b21e8471064c4ae887304137ffcafbe257f
b31544541ebcdaeb7746d400b534e0ce49abb44d5922acacaa1653c492cbd650
bced04a0ef9306f81abe9dcd2bf613802076f1d2012f23bcc42a208acabf25dd
+ 101 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/210408-t4rxrhkc5s/
Behaviour
Checks processor information in registry
Modifies registry class
Modifies system certificate store
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Drops startup file
Loads dropped DLL
Blocklisted process makes network request
Executes dropped EXE
Unpacked files
SH256 hash:
5738e0be39acb0a0feb37aa34b58b622c9aa8f49befd357e4bab7ef6ab7be4f1
MD5 hash:
12cdeb0c9f9949671711f481ae1e9766
SHA1 hash:
ba3cb595e4d669b4eb1c535622a590282ea0a66e
Link:
https://www.unpac.me/results/7253b29f-09c5-4d9e-8d08-5802a4bbc4d7/
SH256 hash:
20db94ddd1b59c1372b0bdea4deedb3ebacdf5ae67c0f4727ce70c578e39d25d
MD5 hash:
95c30d325c64494b49b52138f7c8c85b
SHA1 hash:
b9d7cd5d692ea1280ee5425d46c42d8f992d330a
Link:
https://www.unpac.me/results/7253b29f-09c5-4d9e-8d08-5802a4bbc4d7/
SH256 hash:
cae2af36f866fed9753ecc423bf1cfb3d1b5f2c3179dddc1715d6c896812d669
MD5 hash:
0fcc3d7408dfb7b31d8e36982dab298c
SHA1 hash:
6ebe13e8565ab5cfc7f8eac8973c156531b2a1e2
Link:
https://www.unpac.me/results/7253b29f-09c5-4d9e-8d08-5802a4bbc4d7/
SH256 hash:
81d9143600e38e058a53b635574f2b8e64f5cb69c0832497ce13b98a26f0293f
MD5 hash:
eee8b6b36e877d7294ca94dc10d7f53a
SHA1 hash:
fb1c2c074619efe1030c59e8ee5038540af870a2
Link:
https://www.unpac.me/results/7253b29f-09c5-4d9e-8d08-5802a4bbc4d7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/81d9143600e38e058a53b635574f2b8e64f5cb69c0832497ce13b98a26f0293f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 81d9143600e38e058a53b635574f2b8e64f5cb69c0832497ce13b98a26f0293f

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/133031/
  
URLhaus
https://urlhaus.abuse.ch/url/1103978/
  
Delivery method
Distributed via web download

Comments