MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8d1d36a7ad23626341f658815bfd21a6274f703aca2126bddfad63fa749041be. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 7



SHA256 hash: 8d1d36a7ad23626341f658815bfd21a6274f703aca2126bddfad63fa749041be
SHA3-384 hash: 668400824b59e5f04f069ae14ca23636715845d9a69287248a6689b654496bf35d8bdf0b11babe80a7613de59888ae20
SHA1 hash: d3abc06d50f8fa4069e232ce41296802f217e47a
MD5 hash: 8f4f3d4a198b6af8230bb94d41bd25e0
humanhash: missouri-freddie-gee-virginia
File name: Tsuchigumo.bat
File size: 9'626 bytes
First seen: 2023-08-25 22:04:24 UTC
Last seen: 2023-10-17 08:12:23 UTC
File type: Batch (bat)
MIME type: text/x-msdos-batch
ssdeep: 192:9pRjeNekmespRje4CHjeNeXpRjeRmeSweXpLeZpOje4k5nH5ZVxooNjR:9pFkApNCHXpG2JXp2pEk5nR+oNF
TLSH: T150121ED9CE3096B789AE2939062B751A630FE3D52360F50D12D26DC5CF0DA839A13CD9
Reporter: 5KidRo0t
Tags: bat Locker Tsuchigumo worm


hR0m454
It is a simple development of my own, only for entertainment; if I upload it to Malware Bazaar, I do it with the intention of avoiding its misuse.

Intelligence


File Origin
# of uploads: 2
# of downloads: 438
Origin country: ES
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: Tsuchigumo.bat
Verdict: Suspicious activity
Analysis date: 2023-08-25 22:05:35 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Verdict: Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Searching for the window
Modifying a system executable file
Launching the process to interact with network services
Launching a process
Creating a file in the system32 directory
Creating a file
Launching a tool to kill processes
Forced shutdown of a system process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: explorer lolbin
Result
Verdict: MALICIOUS

Result
Threat name: n/a
Detection: malicious
Classification: phis
Score: 56 / 100

Signature
Creates an autostart registry key pointing to binary in C:\Windows
Drops script or batch files to the startup folder
Overwrites the password of the administrator account
Uses cmd line tools excessively to alter registry or file data

Behaviour
Behavior Graph:
[Behavior graph image not reproduced here. Recoverable details from the graph: Behavior Graph ID 1297664; Sample: Tsuchigumo.bat; Startdate: 26/08/2023; Architecture: WINDOWS; Score: 56. Processes started: cmd.exe, which started net.exe (which in turn started net1.exe), reg.exe, taskkill.exe and 2 other processes. Dropped file: C:\ProgramData\Microsoft\...\Tsuchigumo.bat (Unknown). Signatures attached to cmd.exe: drops script or batch files to the startup folder; uses cmd line tools excessively to alter registry or file data; overwrites the password of the administrator account. Signature attached to net.exe: overwrites the password of the administrator account. Signature attached to reg.exe: creates an autostart registry key pointing to binary in C:\Windows.]
Verdict: unknown

Result
Malware family: n/a
Score: 6/10
Tags: persistence

Behaviour
Kills process with taskkill
Runs net.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Adds Run key to start application
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BAT_Chunked_Payload_SetEnv
Author: marcin@ulikowski.pl
Description: Detects batch script storing chunks of payload in random environment variables

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments