MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8524ec166f99c15c47d3498db31df912b9f735ab341737421cf12032d00acaa7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 5

SHA256 hash: 8524ec166f99c15c47d3498db31df912b9f735ab341737421cf12032d00acaa7
SHA3-384 hash: f18a6d55ca401b83101716dd7eab99283d810210eb6b0ae049b6c8be04320d55ca818beb31c811fcbac7d04e6a70e280
SHA1 hash: b949bc31a4f3e591c1d85fc09625ebdea173a825
MD5 hash: c446014d0baa4568dda0014bd5ad073f
humanhash: december-beryllium-massachusetts-fix
File name: c446014d0baa4568dda0014bd5ad073f.exe
File size: 2'405'746 bytes
First seen: 2021-02-11 11:07:55 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: e2a1496c94d52a035fe47259ee6587b7 (5 x RemoteManipulator, 2 x CoinMiner, 1 x WSHRAT)
ssdeep: 49152:fUclPhp9vH1VrnMy2TedHuHxexaiVf3O95Z2YU7KSct/T/hMyXgC:R1dnf3EHxMaaBYUGFZn
Threatray: 5 similar samples on MalwareBazaar
TLSH: 43B5234AA3F444E8E573D679DD05050AE6B63C156B75CBBF12A4462F2F133E0893EB22
Reporter: abuse_ch
Tags: exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 108
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: c446014d0baa4568dda0014bd5ad073f.exe
Verdict: No threats detected
Analysis date: 2021-02-11 11:16:36 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Searching for the window
Creating a file in the %temp% subdirectories
Launching a process
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Creating a file
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Sending a UDP request
Deleting a recently created file
Forced system process termination
Creating a file in the Windows subdirectories
Launching the process to interact with network services
Launching a service
Loading a system driver
DNS request
Enabling autorun for a service
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 96 / 100
Signature
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Creates a Windows Service pointing to an executable in C:\Windows
Creates files in alternative data streams (ADS)
Multi AV Scanner detection for submitted file
Powershell drops PE file
Queries sensitive service information (via WMI, MSSMBios_RawSMBiosTables, often done to detect sandboxes)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Sigma detected: Dot net compiler compiles file from suspicious location
Uses cmd line tools excessively to alter registry or file data
Wscript starts Powershell (via cmd or directly)
Behaviour
Behavior Graph (ID: 351912; sample: e2zKsu2fjB.exe; start date: 11/02/2021; architecture: WINDOWS; score: 96)

Signatures on the sample node:
  Antivirus detection for dropped file
  Multi AV Scanner detection for submitted file
  Sigma detected: Dot net compiler compiles file from suspicious location
  Bypasses PowerShell execution policy

Process tree (with dropped files, network activity and per-process signatures):
  e2zKsu2fjB.exe
    dropped: C:\Users\user\AppData\...\Readme.txt:meta (Microsoft)
    dropped: C:\Users\user\AppData\Local\...\Readme.txt (ASCII)
    signature: Creates files in alternative data streams (ADS)
    wscript.exe
      signature: Wscript starts Powershell (via cmd or directly)
      signature: Queries sensitive service information (via WMI, MSSMBios_RawSMBiosTables, often done to detect sandboxes)
      cmd.exe
        wscript.exe
          signature: Wscript starts Powershell (via cmd or directly)
          powershell.exe
            network: 192.168.2.1 (unknown)
            dropped: C:\Windows\Branding\mediasvc.png (PE32+)
            dropped: C:\Windows\Branding\mediasrv.png (PE32+)
            dropped: C:\Users\user\AppData\...\zofvb22l.cmdline (UTF-8)
            signature: Uses cmd line tools excessively to alter registry or file data
            signature: Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
            signature: Powershell drops PE file
            reg.exe
              signature: Creates a Windows Service pointing to an executable in C:\Windows
            csc.exe
              dropped: C:\Users\user\AppData\Local\...\zofvb22l.dll (PE32)
              cvtres.exe
            csc.exe
              dropped: C:\Users\user\AppData\Local\...\vlbywl55.dll (PE32)
              cvtres.exe
            7 other processes
              conhost.exe
              conhost.exe
              conhost.exe
              net1.exe
        cmd.exe
          extrac32.exe
            dropped: C:\Users\user\AppData\Local\Temp\start.vbs (ASCII)
            dropped: C:\Users\user\AppData\Local\Temp\ready.ps1 (ASCII)
        conhost.exe
        more.com
Threat name: Win64.Trojan.Bulz
Status: Malicious
First seen: 2021-02-11 10:05:43 UTC
AV detection: 14 of 29 (48.28%)
Threat level: 5/5
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
NTFS ADS
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Unpacked files
SHA256 hash: 8524ec166f99c15c47d3498db31df912b9f735ab341737421cf12032d00acaa7
MD5 hash: c446014d0baa4568dda0014bd5ad073f
SHA1 hash: b949bc31a4f3e591c1d85fc09625ebdea173a825
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample, such as its delivery method and external references.

Delivery method: Web download (distributed via web download)
Sample: Executable exe 8524ec166f99c15c47d3498db31df912b9f735ab341737421cf12032d00acaa7 (this sample)

Comments