MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 995b8ffae8a66e17203565b09cbc2dc46d3e9ae0e61c31de29a3653430f4eda5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 995b8ffae8a66e17203565b09cbc2dc46d3e9ae0e61c31de29a3653430f4eda5
SHA3-384 hash: f249c07b94791709ad9174237914385bce73755b94eea70973748a0b7c1eb1178a7af9d0e2895c42176b0664d4190180
SHA1 hash: 0c7626b07395abc315751908c136df4808589b3b
MD5 hash: a612d9e64a7b3d2836390adb8dd22866
humanhash: magnesium-arkansas-eighteen-grey
File name:a612d9e64a7b3d2836390adb8dd22866
Download: download sample
File size:4'096 bytes
First seen:2021-10-26 11:35:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4bfde1223391e32fec766cd1d41fa3e7 (7 x CoinMiner, 1 x BitRAT, 1 x QuasarRAT)
ssdeep 48:6Dt+Z0Wk7Jbm7YVS+f3PALUI0U9cnpZv8B13aLlzUR:/Z0R7xm7QS+vo+xkv3aLlYR
Threatray 32 similar samples on MalwareBazaar
TLSH T1FA8175ABBA29DD3AC14315763A63422637B683A32581469BFE9854F8DF02D56A40F34C
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
133
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/200172/
Detection(s):
SecuriteInfo.com.Variant.Zusy.401118.16171.21783.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Running batch commands
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
nitol tiny wacatac zusy
Link:
https://www.filescan.io/uploads/6177e824db358dd15edc5de6/reports/a7d6c5c6-9c99-4e1f-ab7a-96f7df320f2c/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/11840cf2-a809-4c87-a816-7de24c7519cb
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/876941
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for URL or domain
Creates a thread in another existing process (thread injection)
Drops executables to the windows directory (C:\Windows) and starts them
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Sigma detected: Powershell Defender Exclusion
Sigma detected: Powershell download and execute file
Sigma detected: PowerShell DownloadFile
Suspicious powershell command line found
Tries to download and execute files (via powershell)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 509374 Sample: JJJRKgSaqv Startdate: 26/10/2021 Architecture: WINDOWS Score: 100 75 Antivirus detection for URL or domain 2->75 77 Sigma detected: Powershell download and execute file 2->77 79 Multi AV Scanner detection for submitted file 2->79 81 2 other signatures 2->81 11 JJJRKgSaqv.exe 2->11         started        14 services32.exe 2->14         started        process3 signatures4 97 Adds a directory exclusion to Windows Defender 11->97 16 cmd.exe 1 11->16         started        99 Writes to foreign memory regions 14->99 101 Allocates memory in foreign processes 14->101 103 Creates a thread in another existing process (thread injection) 14->103 19 conhost.exe 14->19         started        process5 file6 67 Suspicious powershell command line found 16->67 69 Tries to download and execute files (via powershell) 16->69 71 Adds a directory exclusion to Windows Defender 16->71 22 powershell.exe 13 16->22         started        24 powershell.exe 15 17 16->24         started        28 powershell.exe 24 16->28         started        33 2 other processes 16->33 59 C:\Windows\System32\...\sihost32.exe, PE32+ 19->59 dropped 73 Drops executables to the windows directory (C:\Windows) and starts them 19->73 31 sihost32.exe 19->31         started        signatures7 process8 dnsIp9 35 sold.exe 22->35         started        65 gtarpstore.ru 81.177.135.61, 443, 49767 RTCOMM-ASRU Russian Federation 24->65 61 C:\Users\user\AppData\Roaming\sold.exe, PE32+ 24->61 dropped 105 Powershell drops PE file 28->105 38 conhost.exe 28->38         started        107 Writes to foreign memory regions 31->107 109 Allocates memory in foreign processes 31->109 111 Creates a thread in another existing process (thread injection) 31->111 40 conhost.exe 31->40         started        file10 signatures11 process12 signatures13 89 Multi AV Scanner detection for dropped file 35->89 91 Writes to foreign memory regions 35->91 93 Allocates memory in foreign processes 35->93 95 Creates a thread in another existing process (thread injection) 35->95 42 conhost.exe 35->42         started        process14 file15 63 C:\Windows\System32\services32.exe, PE32+ 42->63 dropped 45 cmd.exe 42->45         started        48 cmd.exe 42->48         started        process16 signatures17 113 Drops executables to the windows directory (C:\Windows) and starts them 45->113 50 services32.exe 45->50         started        53 conhost.exe 45->53         started        115 Uses schtasks.exe or at.exe to add and modify task schedules 48->115 55 conhost.exe 48->55         started        57 schtasks.exe 48->57         started        process18 signatures19 83 Writes to foreign memory regions 50->83 85 Allocates memory in foreign processes 50->85 87 Creates a thread in another existing process (thread injection) 50->87
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/995b8ffae8a66e17203565b09cbc2dc46d3e9ae0e61c31de29a3653430f4eda5/
Threat name:
Win32.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2021-10-25 23:23:59 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
3493f8a91b2cd6485a72869c482cda93cab716bd9dd0540aaff978760b6d01ad
42506f9e15ffdab6fce67556b602075ff779e2e84c6a40058a3941f0f71071b2
5f5650987c9810c4cc59a467650844179c1349ded7b2fa0f1b00edbbf648612c
71bbaf19229855f0bfdebbe93d12b5f5fac6c0b542b5ca3b5a00d4b088ccdadc
88d8cfc5408b886989697c951a26e10c7ecd605bdebf3a4218dda7053002b926
a5f1a6838313c358cc27880b1f4340460a08fbbe263df952b22d163d338bbbe7
dc9787f1ca396af3c6a84f52c1f4a1969b7d33999507f2093480071fc22e9d63
+ 22 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/211026-nqkylshcd8/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Malware Config
Dropper Extraction:
https://gtarpstore.ru/sold.exe
Unpacked files
SH256 hash:
995b8ffae8a66e17203565b09cbc2dc46d3e9ae0e61c31de29a3653430f4eda5
MD5 hash:
a612d9e64a7b3d2836390adb8dd22866
SHA1 hash:
0c7626b07395abc315751908c136df4808589b3b
Link:
https://www.unpac.me/results/9e04f19a-8d77-439e-bb4f-2186d733e84f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/995b8ffae8a66e17203565b09cbc2dc46d3e9ae0e61c31de29a3653430f4eda5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 995b8ffae8a66e17203565b09cbc2dc46d3e9ae0e61c31de29a3653430f4eda5

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1715396/
Cape
Cape
https://www.capesandbox.com/analysis/200172/

Comments


Avatar
zbet commented on 2021-10-26 11:35:52 UTC

url : hxxps://gtarpstore.ru/soldbum.exe