MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 863853bdbdb6ed3d644305d866286c1fa25255e62851f3d7bee5f3e2bcefaa98. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mimikatz


Vendor detections: 9



SHA256 hash: 863853bdbdb6ed3d644305d866286c1fa25255e62851f3d7bee5f3e2bcefaa98
SHA3-384 hash: c385bd3a8dbcbc7aa82e5176d5f860f4252a70455257a6bf0924dceab807b0a9614fdd0a5ef848ef4f515cec91ae0fc4
SHA1 hash: 5d17945ebbb46e1f73ce15a8a110e0e1b6c165da
MD5 hash: 5f6a74e286c98bbe45a6a667026813bc
humanhash: minnesota-sink-california-comet
File name: NFgODbNY.exe
Signature: Mimikatz
File size: 6'967'083 bytes
First seen: 2021-05-05 03:08:47 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 4df47bd79d7fe79953651a03293f0e8f (4 x Mimikatz, 3 x Beapy, 1 x Quakbot)
ssdeep: 196608:eAqjTpnhXlmyWCZNulPKQ8hY/Bkr/fOIT/+VdlBFKazy:kfauN/HYOSIT/EVF9G
Threatray: 754 similar samples on MalwareBazaar
TLSH: F4663381F0928CBAE8F611371AB6D1353E7AF5230B0585AF63AC5A9779303D1A77C61C
Reporter: vm001cn
Tags: mimikatz miner Python
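The hash block above is what you pivot on: the cryptographic digests identify this exact file, while the imphash groups it with the 4 Mimikatz, 3 Beapy and 1 Quakbot samples that share the same import table. The following Python, added here and not MalwareBazaar's or pefile's code, recomputes the SHA256/SHA1/MD5/SHA3-384 digests of a downloaded sample and checks them against the listed values, and rebuilds the imphash the way pefile defines it (lower-cased "dll.function" pairs in import-directory order, .dll/.ocx/.sys stripped, comma-joined, MD5). The ordinal handling is a stated simplification; ssdeep and TLSH need the ssdeep and py-tlsh packages and are not recomputed.

```python
"""Recompute the identifying hashes MalwareBazaar lists for a sample.

Added example, not MalwareBazaar's or pefile's code.  Given the bytes of a
downloaded sample it computes the SHA256 / SHA1 / MD5 / SHA3-384 digests and
compares them with the values in the entry, and it rebuilds the imphash the
way pefile defines it: one "dll.function" pair per import in import-directory
order, lower-cased, with .dll/.ocx/.sys stripped from the DLL name, joined
with commas, then MD5-hashed.
"""
import hashlib

# Values copied from the MalwareBazaar entry above.
LISTED = {
    "sha256": "863853bdbdb6ed3d644305d866286c1fa25255e62851f3d7bee5f3e2bcefaa98",
    "sha1": "5d17945ebbb46e1f73ce15a8a110e0e1b6c165da",
    "md5": "5f6a74e286c98bbe45a6a667026813bc",
    "sha3_384": "c385bd3a8dbcbc7aa82e5176d5f860f4252a70455257a6bf0924dceab807b0a9614fdd0a5ef848ef4f515cec91ae0fc4",
    "imphash": "4df47bd79d7fe79953651a03293f0e8f",
}


def digest_set(data: bytes) -> dict:
    """Hex digests of the four hashlib algorithms shown in the entry."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
    }


def imphash_string(imports) -> str:
    """Canonical import string that the imphash is the MD5 of.

    imports: iterable of (dll_name, function_name_or_ordinal) in the order the
    entries appear in the PE import directory.  An int is treated as an
    ordinal and rendered as 'ordN'.  Simplification: pefile also resolves
    ordinals of oleaut32/ws2_32/wsock32 to names through its ordlookup table;
    this version does not, so ordinal imports from those DLLs will hash
    differently from pefile's result.
    """
    parts = []
    for dll, func in imports:
        dll = dll.lower()
        if dll.endswith((".dll", ".ocx", ".sys")):
            dll = dll[:-4]
        name = f"ord{func}" if isinstance(func, int) else func.lower()
        parts.append(f"{dll}.{name}")
    return ",".join(parts)


def imphash(imports) -> str:
    return hashlib.md5(imphash_string(imports).encode()).hexdigest()


def compare(data: bytes, imports=None) -> dict:
    """Map each listed hash name to True/False: does the data match the entry?"""
    computed = digest_set(data)
    if imports is not None:
        computed["imphash"] = imphash(imports)
    return {name: computed[name] == LISTED[name] for name in computed}


if __name__ == "__main__":
    import sys

    with open(sys.argv[1], "rb") as fh:
        blob = fh.read()
    # The imphash needs the parsed import table.  With pefile installed:
    #   pe = pefile.PE(data=blob)
    #   imports = [(e.dll.decode(), i.name.decode() if i.name else i.ordinal)
    #              for e in pe.DIRECTORY_ENTRY_IMPORT for i in e.imports]
    for name, ok in compare(blob).items():
        print(f"{name:9s} {'match' if ok else 'MISMATCH'}")
```

Run it as `python check_hashes.py NFgODbNY.exe` against the downloaded archive contents (MalwareBazaar serves samples in a password-protected zip; hash the extracted file, not the zip). A mismatch on every digest means you are holding a different file than the entry describes.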

Intelligence


File Origin
# of uploads: 1
# of downloads: 474
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: NFgODbNY.exe
Verdict: Malicious activity
Analysis date: 2021-05-05 03:01:19 UTC
Tags: trojan mimikatz evasion sinkhole

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% subdirectories
Sending a UDP request
Running batch commands
Launching a process
Creating a file
Launching the process to interact with network services
Creating a process from a recently created file
Creating a window
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Mimikatz
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Connects to many different private IPs (likely to spread or exploit)
Connects to many different private IPs via SMB (likely to spread or exploit)
Found suspicious powershell code related to unpacking or dynamic code loading
Gathers network related connection and port information
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses ipconfig to lookup or modify the Windows network settings
Uses netstat to query active network connections and open ports
Yara detected Mimikatz
Behaviour
Behavior Graph ID 404561 (sample NFgODbNY.exe, start date 05/05/2021, architecture WINDOWS, score 100), recovered from the graph image:

Sample-level network: info.ackng.com; info.abbny.com; 4 other IPs or domains
Sample-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 5 other signatures

Process tree:
NFgODbNY.exe
    dropped: C:\Users\user\AppData\Local\...\win32wnet.pyd (PE32); C:\Users\user\AppData\Local\...\win32pipe.pyd (PE32); C:\Users\user\AppData\...\win32event.pyd (PE32); 25 other files (none is malicious)
    signatures: Uses netstat to query active network connections and open ports; Gathers network related connection and port information
    -> NFgODbNY.exe (child)
        network: info.abbny.com 173.231.189.15 ports 49878, 51141, 52591 (VOXEL-DOT-NETUS, United States); info.ackng.com resolving to 127.0.0.1 (unknown); 101 other IPs or domains
        dropped: C:\Users\user\Desktop\mkatz.ini (ASCII); C:\Users\user\Desktop\m2.ps1 (ASCII)
        signatures: Connects to many different private IPs via SMB (likely to spread or exploit); Connects to many different private IPs (likely to spread or exploit); Gathers network related connection and port information
        -> powershell.exe
            dropped: PowerShell_transcr....20210505052122.txt (UTF-8)
            signatures: Found suspicious powershell code related to unpacking or dynamic code loading
        -> cmd.exe
            signatures: Uses ipconfig to lookup or modify the Windows network settings
            -> WMIC.exe
        -> cmd.exe
            -> net.exe
                -> net1.exe
        -> 4 other processes
            -> net.exe
                -> net1.exe
            -> ipconfig.exe
    -> conhost.exe
cdd.dll (started at sample level)
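The signature "Connects to many different private IPs via SMB (likely to spread or exploit)" in the Joe Sandbox result above is a fan-out heuristic: a single process opening tcp/445 to many distinct RFC 1918 hosts in a short time, which is what an SMB-spreading worm looks like from the host that runs it. The following Python is added here and is not the sandbox vendor's rule or any code from this page; it applies the same logic as a detection over Sysmon Event ID 3 (NetworkConnect) records in JSON-lines form. The threshold, the window and the records in SAMPLE_LOG are constructed assumptions for the example; the field names are Sysmon's.

```python
"""Flag one process reaching many private hosts over SMB (tcp/445).

Added example, not the sandbox's rule or any code from this page.  A
(computer, image, pid) that opens tcp/445 to at least THRESHOLD distinct
RFC 1918 destinations within WINDOW_SECONDS is reported.  THRESHOLD, the
window and the log lines in SAMPLE_LOG are constructed assumptions.
"""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timezone

THRESHOLD = 8          # distinct private targets on 445 before alerting (assumption)
WINDOW_SECONDS = 60    # sliding window length (assumption)
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def parse(line: str):
    """Return ((computer, image, pid), timestamp, dst) for an SMB connect to a
    private host, or None for any record the rule does not care about."""
    rec = json.loads(line)
    if rec.get("EventID") != 3 or rec.get("Protocol") != "tcp":
        return None
    if rec.get("DestinationPort") != 445 or not is_private(rec["DestinationIp"]):
        return None
    ts = datetime.strptime(rec["UtcTime"], "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc)
    return (rec["Computer"], rec["Image"], rec["ProcessId"]), ts, rec["DestinationIp"]


def smb_fanout(lines, threshold=THRESHOLD, window=WINDOW_SECONDS) -> dict:
    """{(computer, image, pid): most distinct targets seen inside one window}
    for every source that crossed the threshold."""
    events = sorted((e for e in map(parse, lines) if e), key=lambda e: e[1])
    per_source = defaultdict(list)
    for key, ts, dst in events:
        per_source[key].append((ts, dst))
    alerts = {}
    for key, conns in per_source.items():
        start = 0
        for end in range(len(conns)):          # slide [start, end] over time-ordered connects
            while (conns[end][0] - conns[start][0]).total_seconds() > window:
                start += 1
            distinct = {dst for _, dst in conns[start:end + 1]}
            if len(distinct) >= threshold:
                alerts[key] = max(alerts.get(key, 0), len(distinct))
    return alerts


def _event(ts, image, pid, dst, port=445):
    """One constructed Sysmon-style Event ID 3 record as a JSON line."""
    return json.dumps({"EventID": 3, "UtcTime": ts, "Computer": "WS01", "Image": image,
                       "ProcessId": pid, "Protocol": "tcp", "DestinationIp": dst,
                       "DestinationPort": port})


SAMPLE_IMAGE = r"C:\Users\user\Desktop\NFgODbNY.exe"
SAMPLE_LOG = (
    # the sample sweeping twelve neighbours on 445 inside twelve seconds
    [_event(f"2021-05-05 05:21:{i:02d}.000", SAMPLE_IMAGE, 4120, f"10.0.0.{i + 1}") for i in range(12)]
    # explorer.exe talking to a single file server: normal, must not alert
    + [_event("2021-05-05 05:21:05.000", r"C:\Windows\explorer.exe", 2200, "10.0.0.50")] * 3
    # a public destination (TEST-NET-3) on 445 is outside this rule's scope
    + [_event("2021-05-05 05:21:06.000", SAMPLE_IMAGE, 4120, "203.0.113.10")]
)

if __name__ == "__main__":
    for (computer, image, pid), n in smb_fanout(SAMPLE_LOG).items():
        print(f"{computer}: {image} (pid {pid}) reached {n} private hosts on tcp/445")
```

Tune THRESHOLD against your own baseline before deploying: backup agents, vulnerability scanners and SCCM distribution points legitimately fan out on 445 and belong on an image allow-list, while a user-writable path such as Desktop or %TEMP% as the connecting image is the strongest part of the signal.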
Threat name: Win32.Trojan.InjectPyinc
Status: Malicious
First seen: 2021-05-05 03:09:09 UTC
AV detection: 40 of 47 (85.11%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:beapy evasion miner pyinstaller worm
Behaviour
Creates scheduled task(s)
Gathers network information
Modifies data under HKEY_USERS
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Loads dropped DLL
Modifies Windows Firewall
Grants admin privileges
Beapy
Unpacked files
SHA256 hash: 8ea868f6f5b21d0ebf9caaab1c62c31d3ae1a37a855e55bbd4b388552a8bae8c
MD5 hash: d99a3fc53482ccb4db943ce90f87fdc9
SHA1 hash: 9283ab7706b31843756f077fe698844d879e6214

SHA256 hash: edec30653dc56df03eb40fa97c616950fd593c0b90c2950af722e66816eb70e9
MD5 hash: 5b44d0bd38c218445dde8c913736eaac
SHA1 hash: dc778e6dc62006a5ccd1f206c3000e32b4439592

SHA256 hash: e3eed66221a6552d4b9ae7350b3dc30de238a6029efae060514d2780c02fedb4
MD5 hash: f5c5c0d5d9e93d6e8cb66b825cd06230
SHA1 hash: da7be79dd502a89cf6f23476e5f661eebd89342b

SHA256 hash: 075316c2e6fe471b40d7377d3885fe3f305eaa7d4dc9a36155985acc2cd14f83
MD5 hash: c02566fd7171036b0b6dfc34a091d051
SHA1 hash: 0f3a9f64b618fc801a77b083684c9b2bffd90198

SHA256 hash: 3ca9c0ff13262379669b6512672f1908d1f0648d5f0e463d94c6ec8169262bd9
MD5 hash: ea758bd12cc27df5fc5c6ad9e4102c89
SHA1 hash: 833cf9561c4bd271b1643545c33eed869a562856

SHA256 hash: ea0efcab32e6572f61a3c765356e283bd6a8f75ec2a4c8b12f1fb3db76ca68d4
MD5 hash: 27a7a40b2b83578e0c3bffb5a167d67a
SHA1 hash: d20a7d3308990ce04839569b66f8639d6ed55848

SHA256 hash: f222cd8c042ac3830cb2f85339d4c4756dd1a2dd92e56aa355d34661a99fb4af
MD5 hash: 44cd04af2f8135defee820e97d42226c
SHA1 hash: fa5b171e5130173b37207e93e7bd45d06d47585b

SHA256 hash: 4f30ff39bf4e0daaea8f03907156c876d0496cf3dfe1a57fe5c470bf7d410d7b
MD5 hash: 8c5da93710d9d2e6d03090dcd7d4dafd
SHA1 hash: dcb9c74a54cd52df95e4461d210791a214495bbe

SHA256 hash: df9cdab70ddbb9042d1afcee3910fae847b2c2dd68f2e4e070a65ce1dd7a59f9
MD5 hash: ef9bcfe06d3f831ae72ee058a6d2d2ed
SHA1 hash: cb6a138913afb75372f57ff5727ddd6be72ef7e9

SHA256 hash: ef9c438f72114a1ec6619aa6bf4f8c5cb8f45c9bef8ca0c8821213112112ac43
MD5 hash: df43f10e4719ed3e39df142f25a72bf4
SHA1 hash: ab2fffe3040b406cdfe970e10f2bf0607b592d44

SHA256 hash: 55465fc6721b1c97b45e1d0ffbe0a00bf76d9b9d0eb2357fa219ea068e15c5b1
MD5 hash: ed42c763b9f9a51003a3495ddc09e5db
SHA1 hash: 9706a8fe74e9369f33b5b38279c2d0516b3f650c

SHA256 hash: 92bc22ffc49bc5f0a866afac9df2e58c33cf4c45886696862efe52124fe7de87
MD5 hash: 696f13ac34f42d8e8be870b832eec120
SHA1 hash: 82ba1e9bc9defe0b8a845e25e41c81543f8f9af9

SHA256 hash: 55bf6c2335099dc6f9a159be27c3016a9c160e6e4150270c52eb371791c448bf
MD5 hash: 206e4ff4cbcc321ebb40fc86f2c84fd7
SHA1 hash: 3e412faefacbb1f88a9288981a509600a01c52e3

SHA256 hash: f3679d8b9d2a760438458348e2f6ac13519b79ebd1cac915af17c0408108effa
MD5 hash: 4045545b0bce380d4a21a51c269d8eb8
SHA1 hash: 29309383b1f85e152ed54ba6eadb90d504b667f6

SHA256 hash: 78cdc6a6956aad5e7e1c5bcfe436863d2c3da1640ebd81d30bb1b050fb9ebc4b
MD5 hash: c51270362287a1329d2a7be6151969d9
SHA1 hash: 28a7e869b39cfbf03718b7cb3d758cf5bb965942

SHA256 hash: 8cad083cb23826f244ee98308dd2bd706496d4e4e11c10d0745970b78cd1c259
MD5 hash: 5c03f400a37974e633cf61521472733a
SHA1 hash: 10dda4978ad411333e733a913793a04e02bd9f06

SHA256 hash: 863853bdbdb6ed3d644305d866286c1fa25255e62851f3d7bee5f3e2bcefaa98
MD5 hash: 5f6a74e286c98bbe45a6a667026813bc
SHA1 hash: 5d17945ebbb46e1f73ce15a8a110e0e1b6c165da
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Impacket
Author: @bartblaze
Description: Identifies Impacket, a collection of Python classes for working with network protocols.
Reference: https://github.com/SecureAuthCorp/impacket

Rule name: Impacket_Keyword
Author: Florian Roth
Description: Detects Impacket Keyword in Executable
Reference: Internal Research

Rule name: Impacket_Lateral_Movement
Author: Markus Neis
Description: Detects Impacket Network Activity for Lateral Movement
Reference: https://github.com/CoreSecurity/impacket

Rule name: Impacket_Tools_psexec
Author: Florian Roth
Description: Compiled Impacket Tools
Reference: https://github.com/maaaaz/impacket-examples-windows

Rule name: INDICATOR_TOOL_LTM_CompiledImpacket
Author: ditekSHen
Description: Detects executables of compiled Impacket's python scripts

Rule name: PE_File_pyinstaller
Author: Didier Stevens (https://DidierStevens.com)
Description: Detect PE file produced by pyinstaller
Reference: https://isc.sans.edu/diary/21057

Rule name: PyInstaller
Author: @bartblaze
Description: Identifies executable converted using PyInstaller.
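Two of the rules above (PE_File_pyinstaller and PyInstaller) match because the sample is a PyInstaller bundle, which is also why the behaviour graph shows win32wnet.pyd, win32pipe.pyd and win32event.pyd being written under AppData\Local: a onefile bootloader unpacks its bundled binaries to a temporary directory before running the script. PyInstaller appends its archive (the CArchive) to the bootloader and terminates it with a cookie that begins with the magic MEI\x0c\x0b\x0a\x0b\x0e, and the rules key on that. The following Python is an added example, not any of the YARA rules listed and not PyInstaller's own code: it finds the cookie, walks the table of contents and returns the bundled entries, which is the first step in pulling the scripts out of a sample like this one. It assumes the PyInstaller 2.1+ cookie layout (struct '!8sIIii64s') and TOC entries of '!iIIIBc' plus a NUL-padded name with offsets relative to the archive start; build_archive() constructs a minimal archive so the example runs without a real sample.

```python
"""List the PyInstaller archive (CArchive) appended to a PE.

Added example, not any of the YARA rules above and not PyInstaller's own
code.  parse_toc() locates the cookie by its magic, reads the table of
contents and returns the bundled entries; extract() decompresses one of
them.  Layout assumed: cookie '!8sIIii64s' (PyInstaller 2.1 and later) and
TOC entries '!iIIIBc' followed by a NUL-padded name, offsets relative to the
archive start.  build_archive() constructs a stand-in archive for the demo.
"""
import struct
import zlib

MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_FMT = "!8sIIii64s"   # magic, archive length, TOC offset, TOC length, python version, pylib name
COOKIE_LEN = struct.calcsize(COOKIE_FMT)   # 88
ENTRY_FMT = "!iIIIBc"       # entry length, data offset, compressed length, uncompressed length, flag, type
ENTRY_LEN = struct.calcsize(ENTRY_FMT)     # 18


def parse_toc(blob: bytes):
    """Return (python_version_code, [entry dicts]) or None when no cookie is present."""
    pos = blob.rfind(MAGIC)             # rfind tolerates data appended after the cookie
    if pos < 0 or pos + COOKIE_LEN > len(blob):
        return None
    _, arch_len, toc_off, toc_len, pyver, _pylib = struct.unpack_from(COOKIE_FMT, blob, pos)
    arch_start = pos + COOKIE_LEN - arch_len   # the archive length includes the cookie itself
    toc = blob[arch_start + toc_off: arch_start + toc_off + toc_len]
    entries, i = [], 0
    while i + ENTRY_LEN <= len(toc):
        elen, off, clen, ulen, flag, typ = struct.unpack_from(ENTRY_FMT, toc, i)
        if elen < ENTRY_LEN:            # corrupt entry length; do not loop forever
            break
        name = toc[i + ENTRY_LEN: i + elen].rstrip(b"\0").decode("utf-8", "replace")
        entries.append({"name": name, "offset": arch_start + off, "clen": clen,
                        "ulen": ulen, "compressed": bool(flag), "type": typ.decode()})
        i += elen
    return pyver, entries


def extract(blob: bytes, entry: dict) -> bytes:
    """Return the (decompressed) bytes of one TOC entry."""
    raw = blob[entry["offset"]: entry["offset"] + entry["clen"]]
    return zlib.decompress(raw) if entry["compressed"] else raw


def build_archive(items, pyver=39, prefix=b"MZ" + b"\0" * 62) -> bytes:
    """Constructed stand-in for a PyInstaller onefile PE: [prefix][data][TOC][cookie].
    items: (name, payload, type code) triples; 'b' binary, 's' script, 'z' PYZ."""
    data = toc = b""
    for name, payload, typ in items:
        comp = zlib.compress(payload)
        nm = name.encode() + b"\0"
        pad = -(ENTRY_LEN + len(nm)) % 16          # TOC entries are padded to 16 bytes
        elen = ENTRY_LEN + len(nm) + pad
        toc += struct.pack(ENTRY_FMT, elen, len(data), len(comp), len(payload), 1,
                           typ.encode()) + nm + b"\0" * pad
        data += comp
    toc_off = len(data)
    total = toc_off + len(toc) + COOKIE_LEN
    cookie = struct.pack(COOKIE_FMT, MAGIC, total, toc_off, len(toc), pyver, b"python39.dll")
    return prefix + data + toc + cookie


if __name__ == "__main__":
    sample = build_archive([("win32event.pyd", b"MZ" * 40, "b"), ("m2", b"print('hi')", "s")])
    pyver, entries = parse_toc(sample)
    print("python version code:", pyver)
    for e in entries:
        print(f"{e['type']} {e['name']:20s} {e['ulen']} bytes at offset {e['offset']}")
```

On a real sample read the whole file and pass it to parse_toc(); entries of type 's' are the bundled scripts (marshalled code objects, not source, so they still need a version-matched decompiler), 'z' is the PYZ holding the pure-Python modules, and 'b' entries are the .pyd/.dll files the bootloader drops to its temporary directory. Versions older than PyInstaller 2.1 use a shorter 24-byte cookie without the pylib field and are not handled here.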

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments



a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-05 04:01:48 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0009] Anti-Behavioral Analysis::Virtual Machine Detection
1) [C0032.005] Data Micro-objective::Adler::Checksum
2) [C0060] Data Micro-objective::Compression Library
3) [C0026.002] Data Micro-objective::XOR::Encode Data
5) [C0046] File System Micro-objective::Create Directory
6) [C0048] File System Micro-objective::Delete Directory
7) [C0047] File System Micro-objective::Delete File
8) [C0051] File System Micro-objective::Read File
9) [C0052] File System Micro-objective::Writes File
10) [C0034.001] Operating System Micro-objective::Set Variable::Environment Variable
11) [C0040] Process Micro-objective::Allocate Thread Local Storage
12) [C0017] Process Micro-objective::Create Process
13) [C0041] Process Micro-objective::Set Thread Local Storage Value
14) [C0018] Process Micro-objective::Terminate Process