MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8b3a8268efe41220e294e6cad1055c46041d11c59ba37672709401aaefe5ae47. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8b3a8268efe41220e294e6cad1055c46041d11c59ba37672709401aaefe5ae47
SHA3-384 hash: e4a3639bcb8b05ec5e09117d06717c015837eb2048e15b9b8320ee61fffbbb4d6ab349ebd9c31888be5c29509550faee
SHA1 hash: 949a30cc29ebf345ffbb988118bb6eae50769759
MD5 hash: c7af1f6747d5c61e97d556dec9aec85c
humanhash: illinois-mountain-washington-paris
File name:c7af1f6747d5c61e97d556dec9aec85c
Download: download sample
File size:552'960 bytes
First seen:2021-06-24 09:10:10 UTC
Last seen:2021-06-24 09:45:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b60386455aa2ccf1911ea96d6e3edcd6
ssdeep 12288:S2vcfzbyNUJO5FNg6QQCnoZeHn12N2+/tr4Kn2Ghn4:SxXyNU4gACosHed/tdn2GR
Threatray 2'099 similar samples on MalwareBazaar
TLSH 04C47C113AD0E032D16231F14A1AD7747AFAA4305D36964B6BD40B7C2F349D2AA2E77F
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
89
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c7af1f6747d5c61e97d556dec9aec85c
Verdict:
No threats detected
Analysis date:
2021-06-24 09:17:02 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e155ffdf-8323-4bcc-8f69-137132b1d7ca

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/167950/
Detection(s):
SecuriteInfo.com.Variant.Doina.17475.8194.1437.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/153f60b5-279d-4b66-b984-6a291d88b38c
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/807324
Signature
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Disables security and backup related services
Disables UAC (registry)
Disables Windows Defender (via service or powershell)
Drops batch files with force delete cmd (self deletion)
Drops executables to the windows directory (C:\Windows) and starts them
Hides threads from debuggers
Machine Learning detection for dropped file
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Potentially malicious time measurement code found
Sigma detected: Powershell Used To Disable Windows Defender AV Security Monitoring
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction which cause usermode exception
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 439735 Sample: VhKa9ebVyn Startdate: 24/06/2021 Architecture: WINDOWS Score: 100 113 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->113 115 Multi AV Scanner detection for dropped file 2->115 117 Multi AV Scanner detection for submitted file 2->117 119 3 other signatures 2->119 10 VhKa9ebVyn.exe 17 2->10         started        15 qjfnkhzmab.exe 1 27 2->15         started        process3 dnsIp4 103 worldzone.kro.kr 15.164.192.168, 49713, 80 AMAZON-02US United States 10->103 85 C:\Windows\pp.exe, PE32+ 10->85 dropped 87 C:\Users\user\AppData\...\pcad164[1].exe, PE32+ 10->87 dropped 89 C:\Users\user\Desktop\mkill.bat, ASCII 10->89 dropped 135 Drops batch files with force delete cmd (self deletion) 10->135 137 Drops executables to the windows directory (C:\Windows) and starts them 10->137 17 pp.exe 19 10->17         started        22 cmd.exe 1 10->22         started        105 checkip.dyndns.org 15->105 107 checkip.dyndns.com 15->107 91 C:\Windows\PLA\userfsp.exe, PE32+ 15->91 dropped 93 C:\Windows\System32\hpis.dll, PE32+ 15->93 dropped 95 C:\Windows\System32\hpim.dll, PE32+ 15->95 dropped 139 Disables security and backup related services 15->139 141 Hides threads from debuggers 15->141 143 Disables Windows Defender (via service or powershell) 15->143 145 Tries to detect sandboxes / dynamic malware analysis system (registry check) 15->145 24 cmd.exe 15->24         started        26 net.exe 1 15->26         started        28 cmd.exe 15->28         started        30 3 other processes 15->30 file5 signatures6 process7 dnsIp8 97 13.209.83.196, 49719, 49721, 49727 AMAZON-02US United States 17->97 81 C:\Windows\bsujfyzd\qjfnkhzmab.exe, PE32 17->81 dropped 83 C:\Windows\mokill.bat, ASCII 17->83 dropped 121 Multi AV Scanner detection for dropped file 17->121 123 Drops batch files with force delete cmd (self deletion) 17->123 32 cmd.exe 1 17->32         started        35 cmd.exe 1 17->35         started        37 msiexec.exe 17->37         started        39 conhost.exe 22->39         started        125 Drops executables to the windows directory (C:\Windows) and starts them 24->125 41 userfsp.exe 24->41         started        43 conhost.exe 24->43         started        45 2 other processes 26->45 47 2 other processes 28->47 49 3 other processes 30->49 file9 signatures10 process11 signatures12 109 Drops executables to the windows directory (C:\Windows) and starts them 32->109 51 qjfnkhzmab.exe 5 29 32->51         started        55 conhost.exe 32->55         started        57 conhost.exe 35->57         started        111 Machine Learning detection for dropped file 41->111 process13 dnsIp14 99 checkip.dyndns.org 51->99 101 checkip.dyndns.com 216.146.43.70, 49720, 49726, 80 DYNDNSUS United States 51->101 127 Antivirus detection for dropped file 51->127 129 Multi AV Scanner detection for dropped file 51->129 131 Detected unpacking (changes PE section rights) 51->131 133 11 other signatures 51->133 59 net.exe 1 51->59         started        61 sc.exe 1 51->61         started        63 cmd.exe 51->63         started        65 4 other processes 51->65 signatures15 process16 process17 67 conhost.exe 59->67         started        69 net1.exe 1 59->69         started        71 conhost.exe 61->71         started        73 conhost.exe 63->73         started        75 conhost.exe 65->75         started        77 conhost.exe 65->77         started        79 conhost.exe 65->79         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8b3a8268efe41220e294e6cad1055c46041d11c59ba37672709401aaefe5ae47/
Threat name:
Win32.Trojan.Barys
Create hunting rule
Status:
Malicious
First seen:
2021-06-15 19:12:13 UTC
AV detection:
13 of 29 (44.83%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
16bf40060a0544cf49bda85272b976265fb56248c6068d7d95296937af664ecc
2d7099e54db4d0617fcd725de09e05cdd23479b87540b98c4fb90f517efb012e
4dd51b22d5ee046670f8b082ff67450740dd0825f0f544e243313fe07f8400bd
5a2f819b56fc962aa6f4e34d59eea86956299b3ff809ca166e404440b9af7ca6
69fac4fe77b6da550498724f01e6db66d5c18a19c185d824bf62afdaccb0a7d6
714a30085b93988295ea7b732d24384db7bb3be843e20acd447ae8dd258db7a8
8f71fca5621ccb7ba3558cfebc17014d27923d1c73ad97ececb577fd5b937047
9b8e02c9169932cb809300c4dff5afc240aba4d5a87264f0f7123314345c6248
cc53accc69b32c2507210ea70d1d56aa84dbe354a7f79577df180179ea797427
ccf0e52e21388ebfab406f10061864daf9bca0232a7eb09f1cd5b2a036853dbe
+ 2'089 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence trojan
Link:
https://tria.ge/reports/210624-5amzxtl89e/
Behaviour
Checks processor information in registry
Modifies Internet Explorer Phishing Filter
Runs net.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Checks whether UAC is enabled
Looks up external IP address via web service
Checks BIOS information in registry
Deletes itself
Identifies Wine through registry keys
Loads dropped DLL
Windows security modification
Downloads MZ/PE file
Executes dropped EXE
Stops running service(s)
Identifies VirtualBox via ACPI registry values (likely anti-VM)
UAC bypass
Unpacked files
SH256 hash:
8b3a8268efe41220e294e6cad1055c46041d11c59ba37672709401aaefe5ae47
MD5 hash:
c7af1f6747d5c61e97d556dec9aec85c
SHA1 hash:
949a30cc29ebf345ffbb988118bb6eae50769759
Link:
https://www.unpac.me/results/df92abb5-8205-4115-bb64-fd46c8ad93f9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8b3a8268efe41220e294e6cad1055c46041d11c59ba37672709401aaefe5ae47

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 8b3a8268efe41220e294e6cad1055c46041d11c59ba37672709401aaefe5ae47

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/167950/
  
URLhaus
https://urlhaus.abuse.ch/url/1394215/

Comments