MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 88fcc7a3828eb28655cc8f5996036e7bec372459895c133c5ab76294270789e0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 6 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 88fcc7a3828eb28655cc8f5996036e7bec372459895c133c5ab76294270789e0
SHA3-384 hash: 40f1ebda58a32c38e6096f6da669d0b2624a3b8c593a53f5b68c691f275c1b7b50dbe95a8d403d056c6eeea6439aed77
SHA1 hash: b4fb6e53acd4e7584880add29cc39d9e58d3a8b5
MD5 hash: fc8554b367a08696ba85d412cdd182d7
humanhash: cola-south-helium-gee
File name:fc8554b367a08696ba85d412cdd182d7
Download: download sample
File size:6'024'192 bytes
First seen:2021-09-20 14:45:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c7269d59926fa4252270f407e4dab043 (45 x Hive, 23 x ServHelper, 22 x CobaltStrike)
ssdeep 49152:IL5Q0pU2rb/T/vO90dL3BmAFd4A64nsfJdoHrV5P4XVwQvDl2QmBlwLHIXRlbXaZ:ILPMMrQmAQQQQQQQQQQQQQ
Threatray 113 similar samples on MalwareBazaar
TLSH T16B56F103BCA164B9C5A9C232C9B592513731B889073577D32F46A6FA2F777C42E39368
Reporter zbetcheckin
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
96
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/189487/
Detection(s):
Win.Malware.Bulz-9847817-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Using the Windows Management Instrumentation requests
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8cf52e31-6dc9-4d8e-bcfb-6a69791fc9ac
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/854146
Signature
Adds a new user with administrator rights
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Contains functionality to start a terminal service
Creates a Windows Service pointing to an executable in C:\Windows
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Powershell drops PE file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Hurricane Panda Activity
Sigma detected: Suspicious Csc.exe Source File Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Uses cmd line tools excessively to alter registry or file data
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 486582 Sample: XGYiud4T6T Startdate: 20/09/2021 Architecture: WINDOWS Score: 100 89 zuvujvhuaif.xyz 2->89 91 zd.map.fastly.net 2->91 93 8 other IPs or domains 2->93 97 Antivirus detection for dropped file 2->97 99 Multi AV Scanner detection for dropped file 2->99 101 Multi AV Scanner detection for submitted file 2->101 103 6 other signatures 2->103 11 XGYiud4T6T.exe 4 2->11         started        14 cmd.exe 2->14         started        16 cmd.exe 2->16         started        18 4 other processes 2->18 signatures3 process4 signatures5 117 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 11->117 119 Bypasses PowerShell execution policy 11->119 121 Queries memory information (via WMI often done to detect virtual machines) 11->121 20 powershell.exe 65 11->20         started        123 Adds a new user with administrator rights 14->123 25 net.exe 14->25         started        27 conhost.exe 14->27         started        29 net.exe 16->29         started        31 conhost.exe 16->31         started        33 net.exe 18->33         started        35 net.exe 18->35         started        37 net.exe 18->37         started        39 3 other processes 18->39 process6 dnsIp7 95 asbza.cn 206.188.197.227, 49852, 80 DEFENSE-NETUS United States 20->95 81 C:\Windows\Branding\mediasvc.png, PE32+ 20->81 dropped 83 C:\Windows\Branding\mediasrv.png, PE32+ 20->83 dropped 85 C:\Users\user\AppData\...\1ari1f3v.cmdline, UTF-8 20->85 dropped 105 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 20->105 107 Uses cmd line tools excessively to alter registry or file data 20->107 109 Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes) 20->109 111 2 other signatures 20->111 41 cmd.exe 20->41         started        44 reg.exe 20->44         started        46 cmd.exe 20->46         started        58 8 other processes 20->58 48 net1.exe 25->48         started        50 net1.exe 29->50         started        52 net1.exe 33->52         started        54 net1.exe 35->54         started        56 net1.exe 37->56         started        file8 signatures9 process10 file11 113 Adds a new user with administrator rights 41->113 61 cmd.exe 41->61         started        115 Creates a Windows Service pointing to an executable in C:\Windows 44->115 63 cmd.exe 46->63         started        87 C:\Users\user\AppData\Local\...\1ari1f3v.dll, PE32 58->87 dropped 65 conhost.exe 58->65         started        67 conhost.exe 58->67         started        69 cvtres.exe 1 58->69         started        71 2 other processes 58->71 signatures12 process13 process14 73 net.exe 61->73         started        75 net.exe 63->75         started        process15 77 net1.exe 73->77         started        79 net1.exe 75->79         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/88fcc7a3828eb28655cc8f5996036e7bec372459895c133c5ab76294270789e0/
Threat name:
ByteCode-MSIL.Trojan.Tnega
Create hunting rule
Status:
Malicious
First seen:
2021-09-10 12:32:45 UTC
AV detection:
22 of 45 (48.89%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
004f12ff7cee3102e02d5ddbd1f429c9f934976c1e4c196d6366eef0920ba147
255141a430ed2bbda653b5ab18acdd8dcca5a39cf8c2d1fa938445e31ecf38e5
3f4af8c0a06563d9f4d959d5065c02b83140c0fea19924dbd39984087ace54f8
5911ad0a2f2f76cbe6e83b58b95ac820aee88b7fb37e017275bd3984b3b92bfa
ae1c9d454905ed43654f99b1ea1e8ecc3ae08eb75c3860f46b285ce724ae5e4d
b3748a0976c91a7310d0d38d42c91b1d7ba37364d58c5bed902cc6641d31cadc
f60f32ec899bcb92fd50491a8c32f0548afbd4dc02462dfa373d484b4b161a86
ff257a7b22badf7948f21dd5dfaf008dd72895aa63bc6a1c5838cbe26036bbe7
+ 103 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210920-r5ayqshafp/
Unpacked files
SH256 hash:
88fcc7a3828eb28655cc8f5996036e7bec372459895c133c5ab76294270789e0
MD5 hash:
fc8554b367a08696ba85d412cdd182d7
SHA1 hash:
b4fb6e53acd4e7584880add29cc39d9e58d3a8b5
Link:
https://www.unpac.me/results/c190dace-f8f6-4c15-bd3e-1ce6b56e5e6b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/88fcc7a3828eb28655cc8f5996036e7bec372459895c133c5ab76294270789e0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:adonunix2
Create hunting rule
Author:Tim Brown @timb_machine
Description:AD on UNIX
Rule name:GoBinTest
Create hunting rule
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:INDICATOR_TOOL_GoCLR
Create hunting rule
Author:ditekSHen
Description:Detects binaries utilizing Go-CLR for hosting the CLR in a Go process and using it to execute a DLL from disk or an assembly from memory

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 88fcc7a3828eb28655cc8f5996036e7bec372459895c133c5ab76294270789e0

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1635826/
Cape
Cape
https://www.capesandbox.com/analysis/189487/

Comments


Avatar
zbet commented on 2021-09-20 14:45:25 UTC

url : hxxp://103.253.43.132/gh78iu6t/hj7895t/68yhrfd.exe