MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 993afa5ca786935ff44f01d5495e0583034008d30d93eaac100e6d4325dfb89d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 993afa5ca786935ff44f01d5495e0583034008d30d93eaac100e6d4325dfb89d
SHA3-384 hash: 60675f5f084cfb7f1160c5dbd198a5383c0f2c538ea2e6d478452a5789c7593c2254ef7c0a962fea055bb686d13a85bc
SHA1 hash: a042692fdfb66396b030db8eeb62ed9661c291e0
MD5 hash: 1ca8921a54b9e0b83898b465bcb825ec
humanhash: uranus-zebra-equal-violet
File name:1.exe
Download: download sample
File size:91'648 bytes
First seen:2022-02-15 16:10:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2c5f2513605e48f2d8ea5440a870cb9e (60 x Babadeda, 6 x AveMariaRAT, 5 x CoinMiner)
ssdeep 1536:L7fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIfGwJOc:H7DhdC6kzWypvaQ0FxyNTBfGo
Threatray 1'277 similar samples on MalwareBazaar
TLSH T19E936D41F3E202F7E6F2053100A6726F973663389764A8EBC74C2D529913AD5A63D3F9
Reporter r3dbU7z
Tags:backdoor exe rdp

Intelligence

File Origin
# of uploads :
1
# of downloads :
484
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1ca8921a54b9e0b83898b465bcb825ec.exe.vir
Verdict:
Suspicious activity
Analysis date:
2022-02-16 01:47:53 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/bb109ec6-7e1a-4be3-8649-3ae42b1bf6b6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/241661/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.34587420.17402.2208.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Running batch commands
Launching a process
Launching a service
Launching the process to change the firewall settings
Loading a system driver
Сreating synchronization primitives
Creating a file in the system32 subdirectories
Searching for synchronization primitives
Creating a file
Launching the process to interact with network services
Creating a file in the Windows subdirectories
Forced system process termination
Searching for the window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed shell32.dll
Link:
https://www.filescan.io/uploads/620bd099875593a3ccd1036b/reports/03754fd5-1017-44f5-8658-d8781cc10e53/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/a0c81136-d0e5-4fd5-841b-717077f14711
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/940230
Signature
Contains functionality to hide user accounts
Machine Learning detection for sample
Modifies the windows firewall
Multi AV Scanner detection for submitted file
Sigma detected: Active Directory User Backdoors
Sigma detected: Netsh RDP Port Opening
Sigma detected: RDP Sensitive Settings Changed
Uses netsh to modify the Windows network and firewall settings
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 572708 Sample: 1.exe Startdate: 15/02/2022 Architecture: WINDOWS Score: 72 36 Multi AV Scanner detection for submitted file 2->36 38 Contains functionality to hide user accounts 2->38 40 Machine Learning detection for sample 2->40 42 3 other signatures 2->42 8 1.exe 8 2->8         started        11 tsusbhub.sys 3 2->11         started        13 rdpdr.sys 8 2->13         started        15 rdpvideominiport.sys 4 2->15         started        process3 file4 30 C:\Users\user\AppData\Local\Temp\...\C184.bat, ASCII 8->30 dropped 17 cmd.exe 1 8->17         started        20 conhost.exe 8->20         started        process5 signatures6 32 Uses netsh to modify the Windows network and firewall settings 17->32 34 Modifies the windows firewall 17->34 22 net.exe 1 17->22         started        24 netsh.exe 3 17->24         started        26 reg.exe 1 17->26         started        process7 process8 28 net1.exe 1 22->28         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/993afa5ca786935ff44f01d5495e0583034008d30d93eaac100e6d4325dfb89d/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-02-12 19:43:25 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
21 of 43 (48.84%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
3b6cbb6fde5051e6ec3ad23789968670c68f3ef82d8febe258e223c1487f42c4
4da864854d368ab640245f8174d247e0b9947045712d2d7449e25e7074b8587c
504ff4e37ac526cdb49cca15b1b769cf152889ba32fe9440e16974505d885130
590e531489556cfb9de022bc52bce2489c3609e693209c59fdce5698c6fc0be3
6fc704900ddda4e22fd10ae2bf066c403a2567ce830d1b8fe7721231414382b7
83ae57bdc0f817111ab909f54ec0f33b84f6504596d2a55adf39a16c5cf1afc0
972d533e4df0786799c0e7c914aa6c04870753c10757c5d58cd874b92a7f4739
e7587776adecf859e137e7af3da4b9b6fd9428e6f89cc48d3a63886d490baaca
f3622af9e9478d97008e6a7d3f97449148f2cc6fc03420d47020f7b33dbd47cb
+ 1'267 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion
Link:
https://tria.ge/reports/220215-tmycesggh8/
Behaviour
Runs net.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Modifies Windows Firewall
Grants admin privileges
Unpacked files
SH256 hash:
993afa5ca786935ff44f01d5495e0583034008d30d93eaac100e6d4325dfb89d
MD5 hash:
1ca8921a54b9e0b83898b465bcb825ec
SHA1 hash:
a042692fdfb66396b030db8eeb62ed9661c291e0
Link:
https://www.unpac.me/results/0c5f3c2e-775d-4ba9-8464-126ac74edfa4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/993afa5ca786935ff44f01d5495e0583034008d30d93eaac100e6d4325dfb89d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 993afa5ca786935ff44f01d5495e0583034008d30d93eaac100e6d4325dfb89d

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/241661/

Comments