MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8e0eb0d36bfd4e28ec6a10acccf899740df7048451229b84715e475e3c91347b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Kimsuky


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments

SHA256 hash: 8e0eb0d36bfd4e28ec6a10acccf899740df7048451229b84715e475e3c91347b
SHA3-384 hash: 45dd207c50fc3b58342960e1d40a17c724792c48fbe161e8ce992f3db1c893de5317fc952018f8ffe51e77d5e498a802
SHA1 hash: fd02470c6cc4ceb5fad3589d02e5148a8c738b83
MD5 hash: b262ac518c0114f414aaedbb4ef7c728
humanhash: beer-twenty-black-steak
File name:pay.bat
Download: download sample
Signature Kimsuky
File size:1'687 bytes
First seen:2024-11-27 07:28:00 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/x-msdos-batch
ssdeep 48:sLH6+590/x5NtibxMDIKQ858Ff92B6sNY1cOU:A0/Wx0ZQ858FRfcL
TLSH T13531B84856FA33159DA7DC917254C696232630B6147B1EACC347E5F45FC0135F0697CB
Magika powershell
Reporter 1ZRR4H
Tags:bat Kimsuky

Intelligence


File Origin
# of uploads :
1
# of downloads :
160
Origin country :
CL CL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
pay.bat
Verdict:
Malicious activity
Analysis date:
2024-11-27 07:30:25 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
97.4%
Tags:
ransomware xtreme gumen shell
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Creating a file in the %AppData% directory
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated powershell
Result
Threat name:
Kimsuky
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Signature
AI detected suspicious sample
Bypasses PowerShell execution policy
Found suspicious powershell code related to unpacking or dynamic code loading
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Yara detected Kimsuky
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1563601 Sample: pay.bat Startdate: 27/11/2024 Architecture: WINDOWS Score: 96 26 edge-block-www-env.dropbox-dns.com 2->26 28 edge-block-api-env.dropbox-dns.com 2->28 30 5 other IPs or domains 2->30 38 Malicious sample detected (through community Yara rule) 2->38 40 Yara detected Kimsuky 2->40 42 Suspicious powershell command line found 2->42 44 5 other signatures 2->44 7 cmd.exe 1 2->7         started        10 powershell.exe 23 2->10         started        signatures3 process4 file5 46 Suspicious powershell command line found 7->46 48 Bypasses PowerShell execution policy 7->48 13 powershell.exe 14 40 7->13         started        18 conhost.exe 7->18         started        22 C:\Users\user\AppData\Roaming\temp.ps1, ASCII 10->22 dropped 50 Loading BitLocker PowerShell Module 10->50 20 conhost.exe 10->20         started        signatures6 process7 dnsIp8 32 edge-block-www-env.dropbox-dns.com 162.125.65.15, 443, 49730, 49731 DROPBOXUS United States 13->32 34 edge-block-api-env.dropbox-dns.com 162.125.69.14, 443, 49734, 49735 DROPBOXUS United States 13->34 36 api-env.dropbox-dns.com 162.125.69.19, 443, 49732, 49733 DROPBOXUS United States 13->36 24 C:\Users\user\AppData\...\system_first.ps1, ASCII 13->24 dropped 52 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 13->52 54 Found suspicious powershell code related to unpacking or dynamic code loading 13->54 56 Loading BitLocker PowerShell Module 13->56 file9 signatures10
Result
Malware family:
n/a
Score:
  8/10
Tags:
execution
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Base64_Encoded_Powershell_Directives

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments