MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 87b5a1f79a2be17401d8b2d354c61619ce6195b57e8a5183f78b98e233036062. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Kimsuky


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 87b5a1f79a2be17401d8b2d354c61619ce6195b57e8a5183f78b98e233036062
SHA3-384 hash: a16bf2755aa002fc42143d739bd0fcf6dec9a209e8543bfe05362b21ff5daf5de510e76b273aea76445965242980434f
SHA1 hash: fd23177a4481f39fe53a306e2d7fe282cb30a87d
MD5 hash: c81ed44799aefb540123159618f7507c
humanhash: equal-charlie-oven-don
File name:Client.ps1
Download: download sample
Signature Kimsuky
Create hunting rule
File size:33'984 bytes
First seen:2024-02-29 13:08:14 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 384:QgyBM3KBnoQqmujEyj1eiUbxAnGXinaKG2GpgOXOKQzARM:QHqQoQqmujEyj1eiOAGBtXOKQzAG
TLSH T17BE283453F45991118B362645B29CC0DFB2A01BB12D84F44B6FCD6C8AFBA848E978FDD
Reporter smica83
Tags:apt Kimsuky ps1

Intelligence

File Origin
# of uploads :
1
# of downloads :
263
Origin country :
HU HU
Vendor Threat Intelligence
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
evasive fingerprint ipconfig stealer
Link:
https://www.filescan.io/uploads/65e081f106f9ec0811a8f381/reports/110222a5-c7b7-4785-8ed8-84470fdc021e/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/87b5a1f79a2be17401d8b2d354c61619ce6195b57e8a5183f78b98e233036062
Result
Verdict:
MALICIOUS
Result
Threat name:
n/a
Detection:
malicious
Classification:
expl
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1400878
Signature
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Sigma detected: Dot net compiler compiles file from suspicious location
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1400878 Sample: Client.ps1 Startdate: 29/02/2024 Architecture: WINDOWS Score: 60 30 Malicious sample detected (through community Yara rule) 2->30 32 Antivirus detection for URL or domain 2->32 34 Sigma detected: Dot net compiler compiles file from suspicious location 2->34 7 powershell.exe 32 2->7         started        process3 dnsIp4 28 127.0.0.1 unknown unknown 7->28 22 C:\Users\user\AppData\...\od3eunbk.cmdline, Unicode 7->22 dropped 11 csc.exe 3 7->11         started        14 csc.exe 3 7->14         started        16 conhost.exe 7->16         started        file5 process6 file7 24 C:\Users\user\AppData\Local\...\dd3nwr1d.dll, PE32 11->24 dropped 18 cvtres.exe 1 11->18         started        26 C:\Users\user\AppData\Local\...\od3eunbk.dll, PE32 14->26 dropped 20 cvtres.exe 1 14->20         started        process8
Score:
1%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/87b5a1f79a2be17401d8b2d354c61619ce6195b57e8a5183f78b98e233036062
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/87b5a1f79a2be17401d8b2d354c61619ce6195b57e8a5183f78b98e233036062/
Threat name:
Script-PowerShell.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2024-02-29 08:07:28 UTC
File Type:
Text (PowerShell)
AV detection:
4 of 24 (16.67%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=q622d542fpqxiaoywljvjrqwdhhgdfnvp2ffda7xromoemydmbra._file
Verdict:
unknown
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/240229-qdr79saa4y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.75
Link:
https://yomi.yoroi.company/submissions/87b5a1f79a2be17401d8b2d354c61619ce6195b57e8a5183f78b98e233036062

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments