MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8ca51ea9c184a9158e890bdefc538f7c49cfbbd33c19f3fadca0c03490a5b707. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 12



SHA256 hash: 8ca51ea9c184a9158e890bdefc538f7c49cfbbd33c19f3fadca0c03490a5b707
SHA3-384 hash: 44adab510f5a5258f9c65935f0cc2ee0d21e344a4bd4e93b477776ea215165d97705f3d95e6878ca42a2505f64a7723f
SHA1 hash: 7c8c4b0c8d344271e25e25338cfebdc3a16cb44a
MD5 hash: 7b8a4accc7c4ad127e37ea7a75a28b16
humanhash: island-missouri-seven-august
File name: t.exe
File size: 2'906'111 bytes
First seen: 2023-01-12 13:11:15 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash f6baa5eaa8231d4fe8e922a2e6d240ea (38 x CoinMiner, 22 x DCRat, 15 x LummaStealer)
ssdeep 49152:wgwRcifu1DBgutBPNeYPrql/5Pm4CSAJgOkvBhUJlUTkg8fMbd4J9zIeenn8:wgwRcvguPPIYPrqvPm5SjvfUJKTkcJ4T
Threatray 10 similar samples on MalwareBazaar
TLSH T154D5335276C3C6B4D6852FF7A38573A319A4F7682F1C89D317E4123C2EE46C1267A326
TrID 43.3% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
27.6% (.EXE) Win64 Executable (generic) (10523/12/4)
13.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.3% (.EXE) OS/2 Executable (generic) (2029/13)
5.2% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter AykutBasi
Tags: exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 169
Origin country: TR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
t.exe
Verdict:
Malicious activity
Analysis date:
2023-01-12 13:12:25 UTC
Tags:
stealer ransomware

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% subdirectories
Creating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file
Running batch commands
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun with the shell\open\command registry branches
Disabling the operating system update service
Verdict:
No Threat
Threat level:
  2/10
Confidence:
75%
Tags:
keylogger overlay packed shell32.dll
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
N3ww4v3 Ransomware
Verdict:
Malicious
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.spyw.expl.evad
Score:
100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Connects to many different private IPs (likely to spread or exploit)
Connects to many different private IPs via SMB (likely to spread or exploit)
Contains functionality to register a low level keyboard hook
Creates an undocumented autostart registry key
Malicious sample detected (through community Yara rule)
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Uses 7zip to decompress a password protected archive
Uses powercfg.exe to modify the power settings
Writes many files with high entropy
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph (ID 783029, sample t.exe, start date 12/01/2023, architecture WINDOWS, score 100)
Top-level signatures: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Yara detected UAC Bypass using CMSTP
Process tree (dropped files, network contacts and signatures are listed under the process that produced them):
t.exe
  dropped: C:\Users\user\AppData\...verything32.dll (PE32); C:\Users\user\AppData\...verything.exe (PE32); C:\Users\user\AppData\Local\Temp\...\7za.exe (PE32); C:\Users\user\AppData\...verything64.dll (7-zip)
  signatures: Contains functionality to register a low level keyboard hook; Writes many files with high entropy; Uses 7zip to decompress a password protected archive
  22T.exe
    dropped: C:\Users\user\AppData\...verything32.dll (PE32); C:\Users\user\AppData\...verything.exe (PE32); C:\Users\user\AppData\Local\22T\7za.exe (PE32); 4 other files (2 malicious)
    signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Creates an undocumented autostart registry key; Writes many files with high entropy
    22T.exe
      signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Uses powercfg.exe to modify the power settings; Writes many files with high entropy
      22T.exe
        22T.exe
          network: 192.168.2.100; 192.168.2.101; 98 other IPs or domains
          dropped: C:\Users\user\...S_session_storek.hicrypt (DOS); Microsoft_WindowsS...3d8bbwe!App.hicrypt (COM); C:\Users\user\AppData\Local\...\index.hicrypt (DOS); 124 other malicious files
          signatures: Tries to harvest and steal browser information (history, passwords, etc); Modifies existing user documents (likely ransomware behavior)
          powercfg.exe (3 instances, each spawning conhost.exe)
          16 other processes (spawning 3 x conhost.exe and 8 other processes)
        conhost.exe
  7za.exe
    dropped: C:\Users\user\AppData\Local\Temp\...\22T.exe (PE32); C:\Users\user\AppData\Local\...\sdel64.exe (PE32+); C:\Users\user\AppData\Local\Temp\...\sdel.exe (PE32)
    conhost.exe
  cmd.exe
    conhost.exe
  7za.exe
    conhost.exe
22T.exe (second top-level instance)
  dropped: {7C5A40EF-A0FB-4BF...exe_x64_exe.hicrypt (SYMMETRY); C:\Users\user\...\Trusted Vault.hicrypt (DOS); C:\Users\user\AppData\Local\...\LOG.hicrypt (DOS); 65 other malicious files
  signatures: Connects to many different private IPs via SMB (likely to spread or exploit); Connects to many different private IPs (likely to spread or exploit); Tries to harvest and steal browser information (history, passwords, etc); Modifies existing user documents (likely ransomware behavior)
  powercfg.exe
    conhost.exe
  powercfg.exe
    conhost.exe
  22T.exe
  4 other processes
22T.exe (third top-level instance)
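The graph above lists dropped files carrying a .hicrypt extension next to the signature "Writes many files with high entropy", which is the pair of artefacts an incident responder looks for on a suspected victim host. The script below is an added example, not code from this page or from any vendor: it walks a directory tree, flags files by that extension and separately by the Shannon entropy of their first 64 KiB, and exercises itself on a fixture it builds in a temporary directory. The entropy threshold, the minimum size, the fixture file names and contents, and the deterministic SHA-256-chained byte generator standing in for ciphertext are all assumptions made for the example.

```python
"""Triage a directory for ransomware output: match the extension seen in the
sandbox report and, independently, flag high-entropy content.

Added example with a constructed fixture; thresholds are assumptions.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter

ENCRYPTED_EXT = ".hicrypt"   # extension on the dropped files in the behaviour graph
ENTROPY_THRESHOLD = 7.5      # bits per byte; assumption, tune for your estate
MIN_SIZE = 1024              # skip the entropy test for tiny files (assumption)
HEAD_BYTES = 65536           # only the first 64 KiB is read per file (assumption)


def shannon_entropy(data):
    """Shannon entropy in bits per byte; 0.0 for empty or single-symbol input, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_tree(root, ext=ENCRYPTED_EXT, threshold=ENTROPY_THRESHOLD):
    """Return (path, entropy, flagged_by_extension, flagged_by_entropy) for every suspicious file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(HEAD_BYTES)
            ent = shannon_entropy(head)
            by_ext = name.lower().endswith(ext)
            by_entropy = len(head) >= MIN_SIZE and ent >= threshold
            if by_ext or by_entropy:
                findings.append((path, round(ent, 2), by_ext, by_entropy))
    return findings


def summarize(findings):
    """Key findings by file name so callers do not depend on the temp-dir path."""
    return {os.path.basename(p): (ent, by_ext, by_entropy)
            for p, ent, by_ext, by_entropy in findings}


def pseudo_random(n, seed=b"constructed"):
    """Deterministic high-entropy bytes (SHA-256 chain) standing in for ciphertext."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def build_fixture():
    """Constructed victim directory: plaintext documents, renamed ciphertext, a benign
    compressed-looking file and a tiny stub. Nothing here comes from the real sample."""
    root = tempfile.mkdtemp(prefix="hicrypt_triage_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    files = {
        "report.docx": b"Quarterly report, all figures provisional.\n" * 100,
        "notes.txt": b"meeting notes " * 100,
        "report.docx.hicrypt": pseudo_random(4096, b"report"),
        "LOG.hicrypt": pseudo_random(2048, b"log"),
        "photo.jpg": pseudo_random(4096, b"photo"),   # benign but high entropy
        "tiny.hicrypt": b"stub",                       # extension hit, too small for entropy
    }
    for name, content in files.items():
        with open(os.path.join(docs, name), "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for path, ent, by_ext, by_entropy in scan_tree(build_fixture()):
        print(f"{ent:5.2f}  ext={by_ext!s:5}  entropy={by_entropy!s:5}  {path}")
```

The two flags are reported separately on purpose: the extension match is the precise signal tied to this report, while the entropy flag alone also catches compressed media and archives (the constructed photo.jpg shows this), so it is a lead to corroborate with modification times and the process tree rather than a finding by itself.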
Threat name:
Win32.Ransomware.Mimic
Status:
Malicious
First seen:
2022-07-26 08:51:52 UTC
File Type:
PE (Exe)
Extracted files:
38
AV detection:
15 of 41 (36.59%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence ransomware spyware stealer
Behaviour
Checks SCSI registry key(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Adds Run key to start application
Enumerates connected drives
Checks computer location settings
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Deletes System State backups
Deletes backup catalog
Executes dropped EXE
Modifies extensions of user files
Sets file execution options in registry
Modifies boot configuration data using bcdedit
Modifies security service
Modifies system executable filetype association
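The three behaviour lists above (the list after the sandbox note, the signature list under "Classification: rans.spyw.expl.evad", and the list under "Tags: evasion persistence ransomware spyware stealer") describe one cluster of techniques in vendor wording: deleting the backup catalog and System State backups, editing boot configuration with bcdedit, changing power settings with powercfg, disabling the update service, Run-key and shell\open\command persistence, and a CMSTP UAC bypass. The script below is an added example, not part of this page or of any vendor's report: it turns those descriptions into process-creation detections and runs them over constructed events. The page does not show the command lines the sample actually ran, so the Sysmon-like event shape, every command line in SAMPLE_EVENTS and the regular expressions are assumptions about how these behaviours typically appear.

```python
"""Command-line detections for the sandbox behaviours listed in the report.

Added example; events are constructed and the command lines are assumptions.
"""
import re

# Constructed process-creation events in a Sysmon-like shape (assumption).
# PIDs, parents and command lines are illustrative, not taken from the report.
SAMPLE_EVENTS = [
    {"pid": 4120, "parent": "22T.exe", "image": r"C:\Windows\System32\wbadmin.exe",
     "cmdline": "wbadmin delete catalog -quiet"},
    {"pid": 4124, "parent": "22T.exe", "image": r"C:\Windows\System32\wbadmin.exe",
     "cmdline": "wbadmin delete systemstatebackup -keepversions:0"},
    {"pid": 4130, "parent": "22T.exe", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"pid": 4131, "parent": "22T.exe", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"pid": 4140, "parent": "22T.exe", "image": r"C:\Windows\System32\powercfg.exe",
     "cmdline": "powercfg -change -standby-timeout-ac 0"},
    {"pid": 4141, "parent": "22T.exe", "image": r"C:\Windows\System32\powercfg.exe",
     "cmdline": "powercfg -hibernate off"},
    {"pid": 4150, "parent": "22T.exe", "image": r"C:\Windows\System32\sc.exe",
     "cmdline": "sc config wuauserv start= disabled"},
    {"pid": 4160, "parent": "22T.exe", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v 22T '
                r'/t REG_SZ /d "C:\Users\user\AppData\Local\22T\22T.exe" /f'},
    {"pid": 4161, "parent": "22T.exe", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add HKCR\exefile\shell\open\command /ve /t REG_SZ '
                r'/d "C:\Users\user\AppData\Local\22T\22T.exe %1" /f'},
    {"pid": 4170, "parent": "cmd.exe", "image": r"C:\Windows\System32\cmstp.exe",
     "cmdline": r"cmstp.exe /ni /s C:\Users\user\AppData\Local\Temp\22T.inf"},
    # Benign look-alikes that must not fire: a Run-key query and a plain archive extraction.
    {"pid": 4180, "parent": "explorer.exe", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},
    {"pid": 4190, "parent": "explorer.exe", "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmdline": "7z.exe x -pinfected archive.7z"},
]

# (behaviour label, image basenames the command must come from, regex over the normalised command line)
RULES = [
    ("Deletes backup catalog", {"wbadmin.exe"}, r"\bdelete catalog\b"),
    ("Deletes System State backups", {"wbadmin.exe"}, r"\bdelete systemstatebackup\b"),
    ("Modifies boot configuration data using bcdedit", {"bcdedit.exe"},
     r"\b(recoveryenabled no|bootstatuspolicy ignoreallfailures)\b"),
    ("Uses powercfg.exe to modify the power settings", {"powercfg.exe"},
     r"[-/](change|x|hibernate|h|setactive|s)\b"),
    ("Disabling the operating system update service", {"sc.exe", "net.exe", "net1.exe"},
     r"\b(config|stop) wuauserv\b"),
    ("Enabling autorun with the Run registry branch", {"reg.exe"},
     r"\badd .*\\currentversion\\run\b"),
    ("Enabling autorun with the shell\\open\\command registry branches", {"reg.exe"},
     r"\badd .*\\shell\\open\\command\b"),
    ("UAC bypass using CMSTP", {"cmstp.exe"}, r"(?=.*\s/ni\b)(?=.*\s/s\b)"),
]
COMPILED = [(label, images, re.compile(pattern)) for label, images, pattern in RULES]

# The cluster that makes a host unrecoverable; page on this, corroborate with the rest.
RECOVERY_INHIBITION = {"Deletes backup catalog", "Deletes System State backups",
                       "Modifies boot configuration data using bcdedit"}


def normalize(cmdline):
    """Collapse whitespace and lower-case so casing and spacing tricks do not dodge the regexes."""
    return " ".join(cmdline.split()).lower()


def image_name(path):
    """Lower-cased basename of the image path, tolerant of either separator."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def match_event(event):
    """Labels of every rule the event satisfies (image basename first, then command line)."""
    name = image_name(event["image"])
    cmd = normalize(event["cmdline"])
    return [label for label, images, rx in COMPILED if name in images and rx.search(cmd)]


def triage(events):
    """Map each triggered behaviour to the PIDs that produced it."""
    hits = {}
    for ev in events:
        for label in match_event(ev):
            hits.setdefault(label, []).append(ev["pid"])
    return hits


def recovery_inhibited(hits):
    """True when any backup- or boot-recovery-destroying behaviour was seen."""
    return any(label in hits for label in RECOVERY_INHIBITION)


if __name__ == "__main__":
    hits = triage(SAMPLE_EVENTS)
    for label, pids in hits.items():
        print(f"{label}: pids {pids}")
    print("recovery inhibited:", recovery_inhibited(hits))
```

Matching on the image basename before the command line keeps the rules cheap and stops a registry query or a 7-Zip extraction from firing on a path that merely contains a keyword; in a real pipeline the same functions run over the process-creation stream instead of the constructed list.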
Unpacked files

SHA256 hash: 5623031a5f8e8e46005c3f536b5df23d82c7fce5f8df1aa90d7103b049b93d3b
MD5 hash: c546017ee7dd93bc207cad68a91d2116
SHA1 hash: 85669c59229b8858e7359701fee53db7823d2521

SHA256 hash: e23965c27b60880ab8c1d552161b55c0922e058100172fe95380ed37547c5d10
MD5 hash: 7619530559981307f1b999fe50f34417
SHA1 hash: f5e19ff5267cdf11cf6ef0705f748383268fa723

SHA256 hash: c617839ae8670ee04b9f8829a49b880fe5d46c2aaa83cdedb29b651dc5a30dcf
MD5 hash: e104d1e76c416c96c471e4b1a4b2b6c2
SHA1 hash: d53a94c064c7c2c5ded4dba3046034a4c6f3c979

SHA256 hash: 91059b88b1ef536836dd70853c7de88639f5220fe0438416a72cee7d86ecd871
MD5 hash: a7d38b39dc40fd2f545c49e8f02bcc31
SHA1 hash: dab67f863986a2532a296d7a2649612121b371a3

SHA256 hash: 124e7a5b74b4c213fcf7115b98b382c98ad9a46c4f04b4a273b2a58c644dffd8
MD5 hash: 6d1eaaef5e00b3151d1d757093a22201
SHA1 hash: 5af79717807a0542ae53d0e2924524a84c8f743d

SHA256 hash: c8d02db5074d0254e7a2d1cd284e45ae6005c2f3769a2a5789c2c7183e776ded
MD5 hash: e9912fd00bb830bda5ad8499e25b4ab3
SHA1 hash: 056728896ccc782baa477c3c7aba43cf690f3d87

SHA256 hash: 53f2ffde18a53c3ff0abe88456ae2b38c29bc10c5638151479c1c2014dc1bfac
MD5 hash: 612a5d77adcf5ee86103e275f1390e1b
SHA1 hash: 1bcd3667f80edfb063a517ec570a560d097941b2

SHA256 hash: 2dcfdc6c161d5c79964841cd394d12164e8602d003599bddbf4437129a368bd8
MD5 hash: b2acbecad71043264f785f7197308ca1
SHA1 hash: 4e8145ec68c71c9a0c2ea2e08e340cfa2bec209c

SHA256 hash: 8ca51ea9c184a9158e890bdefc538f7c49cfbbd33c19f3fadca0c03490a5b707 (the submitted sample itself)
MD5 hash: 7b8a4accc7c4ad127e37ea7a75a28b16
SHA1 hash: 7c8c4b0c8d344271e25e25338cfebdc3a16cb44a
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
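The rule reports a valid Bitcoin address, meaning one whose Base58Check checksum verifies, not merely a string of the right shape; that is what separates a real wallet embedded in a ransom note from random Base58-looking text in a packed binary. The code below is an added example, not Didier Stevens' rule and not MalwareBazaar code: it reimplements the check in Python (Base58 decode, version byte, double-SHA256 checksum), builds a syntactically valid mainnet P2PKH address from a constructed 20-byte hash so the example is self-contained, and scans a constructed ransom-note-style blob that also carries a deliberately corrupted copy. The hash160 stand-in, the candidate regex and the sample text are assumptions.

```python
"""Base58Check validation behind a 'valid Bitcoin address' YARA hit.

Added example with constructed data; the 20-byte hash is a stand-in, not a real key.
"""
import hashlib
import re

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"  # no 0, O, I, l


def b58encode(raw):
    """Base58 with one leading '1' per leading zero byte (the Bitcoin convention)."""
    n = int.from_bytes(raw, "big")
    digits = ""
    while n:
        n, rem = divmod(n, 58)
        digits = ALPHABET[rem] + digits
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + digits


def b58decode(text):
    """Inverse of b58encode; raises ValueError on characters outside the alphabet."""
    n = 0
    for ch in text:
        idx = ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"not a base58 character: {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body


def checksum(payload):
    """First four bytes of SHA256(SHA256(payload)), the Base58Check trailer."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def is_valid_bitcoin_address(text):
    """True only for 25 decoded bytes, a mainnet P2PKH (0x00) or P2SH (0x05) version
    byte, and a checksum that matches the 21-byte payload in front of it."""
    try:
        raw = b58decode(text)
    except ValueError:
        return False
    if len(raw) != 25 or raw[0] not in (0x00, 0x05):
        return False
    return checksum(raw[:21]) == raw[21:]


def make_address(hash160, version=0x00):
    """Build a Base58Check address from a 20-byte hash (used here to create test data)."""
    payload = bytes([version]) + hash160
    return b58encode(payload + checksum(payload))


# Shape filter first, checksum second: the regex is cheap, the checksum is decisive.
CANDIDATE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")


def find_addresses(blob):
    """Every regex candidate in the blob that also passes the checksum."""
    text = blob.decode("latin-1")
    return [m.group(0) for m in CANDIDATE.finditer(text) if is_valid_bitcoin_address(m.group(0))]


# Constructed test data: a fake hash160 (SHA-256 prefix, not RIPEMD-160 of a real key),
# the address it yields, and a copy whose last character was altered to break the checksum.
HASH160 = hashlib.sha256(b"constructed example public key").digest()[:20]
ADDR = make_address(HASH160)
BROKEN = ADDR[:-1] + ("2" if ADDR[-1] != "2" else "3")
SAMPLE_BLOB = (
    b"Constructed ransom-note-style text for the example.\n"
    + b"Send payment to: " + ADDR.encode() + b"\n"
    + b"Alternate wallet: " + BROKEN.encode() + b"  (checksum deliberately broken)\n"
    + b"Contact: support@example.invalid\n"
)

if __name__ == "__main__":
    print("generated:", ADDR, "valid:", is_valid_bitcoin_address(ADDR))
    print("corrupted:", BROKEN, "valid:", is_valid_bitcoin_address(BROKEN))
    print("found in blob:", find_addresses(SAMPLE_BLOB))
```

A one-character change defeats the checksum, so a hit from this logic is worth pivoting on (wallet lookups, clustering with other samples), whereas a regex-only match on a packed PE is routinely noise; the same decode-and-verify step is what the YARA rule's "valid" qualifier implies.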

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments