MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 99612e143d65598f830df1494e16eace445f0904218f3d6335f3cbd29d0378b5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 99612e143d65598f830df1494e16eace445f0904218f3d6335f3cbd29d0378b5
SHA3-384 hash: 10c0e4a8976e8fcc0db9232a8838882b629909cd669f1c7e203d646cdbc6061a3d07b0ca5fd4adc238a100e176c431f4
SHA1 hash: f1d5793db4c3e788126930e0f5ad535e8406249b
MD5 hash: ac6686ab0d5c145bbcfddec99c143f62
humanhash: four-florida-undress-mirror
File name:notepader.exe
Download: download sample
File size:1'150'070 bytes
First seen:2021-01-14 12:18:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 24576:rHLmCiIh/PTmv8uuSfeMiAF1LicyEb3Fs3V7KyhX:8xzukX/7iqb3Fs3pK0X
Threatray 373 similar samples on MalwareBazaar
TLSH 81351213F8D194B2C82359301A29B752767D74200F288AEBA3E94D2DEB751E17735BB3
Reporter JAMESWT_WT

Intelligence

File Origin
# of uploads :
1
# of downloads :
135
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
98c261fc578802232657c1bec8befeff60ec897a1aebfd87f0658b9d694bf7f5
Verdict:
Malicious activity
Analysis date:
2021-01-14 12:04:52 UTC
Tags:
trojan adware
Link:
https://app.any.run/tasks/86f8d77a-15b8-44b3-90e3-418b5145d679

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/111995/
Detection(s):
SecuriteInfo.com.BackDoor.SiggenNET.5.27436.8753.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Launching a process
Creating a file in the %AppData% subdirectories
Windows shutdown
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/581255
Signature
Contains functionality to infect the boot sector
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses shutdown.exe to shutdown or reboot the system
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 339661 Sample: notepader.exe Startdate: 14/01/2021 Architecture: WINDOWS Score: 76 28 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->28 30 Machine Learning detection for sample 2->30 32 Uses shutdown.exe to shutdown or reboot the system 2->32 7 QwikMark.exe 2->7         started        11 QwikMark.exe 2->11         started        13 notepader.exe 8 2->13         started        process3 dnsIp4 26 185.224.219.25, 49740, 83 AZCUSTOMERSDE Netherlands 7->26 34 Multi AV Scanner detection for dropped file 7->34 36 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 7->36 38 Machine Learning detection for dropped file 7->38 40 Contains functionality to infect the boot sector 7->40 24 C:\Users\user\AppData\...\QwikMark.exe, PE32 13->24 dropped 16 reg.exe 1 1 13->16         started        18 shutdown.exe 1 13->18         started        file5 signatures6 process7 process8 20 conhost.exe 16->20         started        22 conhost.exe 18->22         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/99612e143d65598f830df1494e16eace445f0904218f3d6335f3cbd29d0378b5/
Threat name:
Win32.Infostealer.BestaFera
Create hunting rule
Status:
Malicious
First seen:
2021-01-14 12:10:32 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
16 of 29 (55.17%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
0fa5f308271acceabd13e15871b230e030550825e17bdd0b3b1e53724ca5abd6
34f907b9f543ecf0f4f99adb7e55963ab5bc1c8e6e64081a8fef9a06043828b7
4873869d22df0e7fcec173e490e31f14e42b55bf594bf5c722d08ed43a9e5292
6624ce134dd16a37d6615483002f24b74c74c55b45259bc5408b7ae804d0fe22
7c5296a628df511b5a1cee6f32910c80afb607b2bc8412e6741f7feb2d93b0c5
86b0b53349b935048562758a34e08ae6190c67fa522e8742f60702b334625d36
91a63868ca56bae97b954c0ece75ed4f66e18bf2c258a9ed5712e376bae7220c
bcee5b3f4acfc85f500a2edd23402b92b87bca11263ffc3ef31f8c0a6c31f6a6
ee2e84f75b0b6043c2a2e3b84bdeabc0be4a4a1e4c6ec6a3ff255963b545425d
fd59571b52f8bfc7244a8ecf6cc057f1690964091b7141227ddd8315bba4d93a
+ 363 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
bootkit persistence ransomware
Link:
https://tria.ge/reports/210114-3p6genel5n/
Behaviour
Modifies registry key
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Suspicious use of SetWindowsHookEx
Adds Run key to start application
Modifies WinLogon to allow AutoLogon
Unpacked files
SH256 hash:
99612e143d65598f830df1494e16eace445f0904218f3d6335f3cbd29d0378b5
MD5 hash:
ac6686ab0d5c145bbcfddec99c143f62
SHA1 hash:
f1d5793db4c3e788126930e0f5ad535e8406249b
Link:
https://www.unpac.me/results/aed92559-e27d-49a8-8188-86cd87f71f82/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/99612e143d65598f830df1494e16eace445f0904218f3d6335f3cbd29d0378b5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/111995/

Comments