MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 81daafd1fe82aa9bd555418f56f8330bbd4c204160bdbe99400e8238ee574335. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 81daafd1fe82aa9bd555418f56f8330bbd4c204160bdbe99400e8238ee574335
SHA3-384 hash: 2c112373c9310cb7fd4f18a32407cc2a43b813dba0f5fea10aff6195ebe4da7ac5d4230efd4e4aed9cb89e176564db16
SHA1 hash: 0484e827962508d0e1a879ec73fe9c70a28d4823
MD5 hash: a6683ff2e8a71fd6c45806d9734731b0
humanhash: item-table-jig-eight
File name:a6683ff2e8a71fd6c45806d9734731b0.exe
Download: download sample
File size:1'404'813 bytes
First seen:2021-01-01 07:36:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2e823c8f6c49006ac4577e3063113dfa
ssdeep 24576:1BjmGKyoj/pd55O6w4yvO7WxYwzFGDNZbYRDnD7mB9wQhqUiFv9fuHyo:GGXoj/nNWswkDZwqxov9fuHl
TLSH 5655226CDA030377D33618B0205FAC5EF91D55A6D538B45932A6038A12253FEF937BAE
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
199
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a6683ff2e8a71fd6c45806d9734731b0.exe
Verdict:
Malicious activity
Analysis date:
2021-01-01 07:37:53 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5d5ab166-3b02-432b-a7d8-d25908cebba7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/110256/
Detection(s):
Win.Malware.Gh0stRAT-9807704-1
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the Windows subdirectories
Creating a service
Launching a service
Creating a process from a recently created file
Creating a file in the drivers directory
Creating a window
DNS request
Loading a system driver
Running batch commands
Creating a process with a hidden window
Searching for the window
Sending a custom TCP request
Launching a process
Creating a file
Sending a UDP request
Enabling autorun for a service
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Mimikatz
Create hunting rule
Detection:
malicious
Classification:
bank.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/572738
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Checks if browser processes are running
Contains functionality to access PhysicalDrive, possible boot sector overwrite
Contains functionality to automate explorer (e.g. start an application)
Contains functionality to capture and log keystrokes
Contains functionality to detect sleep reduction / modifications
Contains functionality to infect the boot sector
Detected unpacking (changes PE section rights)
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Mimikatz
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 335432 Sample: dTCaJ7tQjT.exe Startdate: 01/01/2021 Architecture: WINDOWS Score: 100 42 Multi AV Scanner detection for domain / URL 2->42 44 Malicious sample detected (through community Yara rule) 2->44 46 Antivirus detection for URL or domain 2->46 48 8 other signatures 2->48 7 Windows32.exe 2->7         started        10 dTCaJ7tQjT.exe 1 2 2->10         started        13 svchost.exe 2->13         started        15 9 other processes 2->15 process3 file4 54 Antivirus detection for dropped file 7->54 56 Multi AV Scanner detection for dropped file 7->56 58 Detected unpacking (changes PE section rights) 7->58 68 5 other signatures 7->68 17 Windows32.exe 13 1 7->17         started        34 C:\Windows\SysWOW64\Windows32.exe, PE32 10->34 dropped 36 C:\Windows\...\Windows32.exe:Zone.Identifier, ASCII 10->36 dropped 60 Contains functionality to automate explorer (e.g. start an application) 10->60 62 Contains functionality to access PhysicalDrive, possible boot sector overwrite 10->62 64 Contains functionality to infect the boot sector 10->64 22 cmd.exe 1 10->22         started        66 Changes security center settings (notifications, updates, antivirus, firewall) 13->66 24 MpCmdRun.exe 1 13->24         started        signatures5 process6 dnsIp7 38 holl.f3322.net 27.185.14.143, 8088 CHINANET-BACKBONENo31Jin-rongStreetCN China 17->38 32 C:\Windows\System32\drivers\QAssist.sys, PE32+ 17->32 dropped 50 Sample is not signed and drops a device driver 17->50 40 127.0.0.1 unknown unknown 22->40 52 Uses ping.exe to sleep 22->52 26 conhost.exe 22->26         started        28 PING.EXE 1 22->28         started        30 conhost.exe 24->30         started        file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/81daafd1fe82aa9bd555418f56f8330bbd4c204160bdbe99400e8238ee574335/
Threat name:
Win32.Packed.NoobyProtect
Create hunting rule
Status:
Malicious
First seen:
2020-12-29 03:08:00 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  1/5
Verdict:
unknown
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/210101-y9c47qw97e/
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Enumerates connected drives
Checks BIOS information in registry
Deletes itself
Loads dropped DLL
Drops file in Drivers directory
Executes dropped EXE
Sets service image path in registry
Unpacked files
SH256 hash:
81daafd1fe82aa9bd555418f56f8330bbd4c204160bdbe99400e8238ee574335
MD5 hash:
a6683ff2e8a71fd6c45806d9734731b0
SHA1 hash:
0484e827962508d0e1a879ec73fe9c70a28d4823
Link:
https://www.unpac.me/results/990ebe17-7dfe-4e46-a104-33b39f28d3f4/
SH256 hash:
2a6c1875e71a992b013e05d5ba6fc890a582c4c9525150b5a556a7121bd31f79
MD5 hash:
95415b2e4c3b64b4e091324973bc2c7c
SHA1 hash:
1100a5131e40b9173173b66f7c969e05931cb154
Link:
https://www.unpac.me/results/990ebe17-7dfe-4e46-a104-33b39f28d3f4/
SH256 hash:
32159d27c53f0b3288e41b3582cf13457c39a42d15922a7cd29c583a4470a477
MD5 hash:
e7437ebb9c2b20d9813a765b7fbfb3e9
SHA1 hash:
d36c6e44ca99138674d9349be837bf6b789d2901
Link:
https://www.unpac.me/results/990ebe17-7dfe-4e46-a104-33b39f28d3f4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Tinba
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/81daafd1fe82aa9bd555418f56f8330bbd4c204160bdbe99400e8238ee574335

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/110256/

Comments