MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 94dc4632159764895ff15118dacc7c5b4c3f84722b4ae5c89b9b120adeec92bf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 5

SHA256 hash: 94dc4632159764895ff15118dacc7c5b4c3f84722b4ae5c89b9b120adeec92bf
SHA3-384 hash: 7cb14d085b67a6b237f808bf968080b7f1fedb9b136870fb5d48b41abef3a6658d7bc6e5ff03488f6d4618815ff2ebe6
SHA1 hash: bd85538e16afe3ddd158f7df4827998bda68b967
MD5 hash: 9ffc2712d5e355651081f5cca3b41a6c
humanhash: georgia-summer-sixteen-april
File name: 94dc4632159764895ff15118dacc7c5b4c3f84722b4ae5c89b9b120adeec92bf
File size: 1'038'066 bytes
First seen: 2020-09-03 14:59:35 UTC
Last seen: 2020-09-03 15:57:34 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: a1a66d588dcf1394354ebf6ec400c223 (49 x RedLineStealer, 7 x CryptBot, 4 x AZORult)
ssdeep: 24576:+53uhFmTsfN+t69VZ2rLC64mwm58H8uneMre:+5+hFt+EzyLCtmCDeMre
Threatray: 11 similar samples on MalwareBazaar
TLSH: 372590802B85C85EC68666744F32E66035AFEEB0A2F3DF874E8CCF041B537568BE5549
Reporter: JAMESWT_WT

Code Signing Certificate

Organisation: Symantec Time Stamping Services CA - G2
Issuer: Thawte Timestamping CA
Algorithm: sha1WithRSAEncryption
Valid from: Dec 21 00:00:00 2012 GMT
Valid to: Dec 30 23:59:59 2020 GMT
Serial number: 7E93EBFB7CC64E59EA4B9A77D406FC3B
Intelligence: 85 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm: SHA256
Thumbprint: 0625FEE1A80D7B897A9712249C2F55FF391D6661DBD8B87F9BE6F252D88CED95
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads: 2
# of downloads: 75
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching a process
DNS request
Delayed writing of the file
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Enabling the 'hidden' option for recently created files
Forced shutdown of a system process
Enabling autorun by creating a file
Result
Threat name: Unknown
Detection: malicious
Classification: troj.spyw.evad
Score: 92 / 100

Signature
Antivirus / Scanner detection for submitted sample
Contains functionality to register a low level keyboard hook
Drops PE files with a suspicious file extension
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Suspicious Certutil Command
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Behaviour
Behavior Graph (ID 281667; sample I3Th9zQOxM; start date 03/09/2020; architecture WINDOWS; score 92), reconstructed from the flattened graph as a process tree:

Sample (start node)
  signatures: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 4 other signatures
  |- I3Th9zQOxM.exe
       signature: Contains functionality to register a low level keyboard hook
       dropped: C:\Users\user\AppData\Local\...\pxZfT.com (COM)
       |- cmd.exe
       |    |- cmd.exe
       |    |    signature: Uses ping.exe to sleep
       |    |    dropped: C:\Users\user\AppData\Local\...\svchost.com (PE32)
       |    |    |- svchost.com
       |    |    |    signatures: Multi AV Scanner detection for dropped file; Drops PE files with a suspicious file extension
       |    |    |    |- svchost.com
       |    |    |         DNS: erBXssFbgDuYqCdotC.erBXssFbgDuYqCdotC
       |    |    |         dropped: C:\Users\user\AppData\...\vigiTools.com (PE32); C:\Users\user\AppData\...\vigiTools.url (MS)
       |    |    |- PING.EXE -> 127.0.0.1, 192.168.2.1
       |    |    |- PING.EXE -> VkB.vtWmUk
       |    |    |- certutil.exe
       |    |- conhost.exe
       |- cmd.exe
            signature: Drops PE files with a suspicious file extension
            |- conhost.exe

Result
Threat name: Win32.Trojan.CryptInject
Status: Malicious
First seen: 2020-08-28 23:58:42 UTC
File Type: PE (Exe)
Extracted files: 9
AV detection: 23 of 27 (85.19%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: n/a

Behaviour
Gathers network information
Runs ping.exe
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Suspicious use of AdjustPrivilegeToken
Drops file in Windows directory
Suspicious use of SetThreadContext
Drops startup file
Loads dropped DLL
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.
