MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 99c1b2c7ec27b36fbc1978048266d739f8efc003af325fd9a00d0399d7d16b48. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 4


Intelligence 4 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 99c1b2c7ec27b36fbc1978048266d739f8efc003af325fd9a00d0399d7d16b48
SHA3-384 hash: 1277dfe2917c2b9e02a5fc6594d6bb32865209e8b37d12d8c861b852b31745a118ef1d5bf2ae5caeaded4c29fe961994
SHA1 hash: 0e53adf45cb616182c55c6e35ba68efe55aeaa9f
MD5 hash: d99f154e6358b247baf32a58b1d6f595
humanhash: edward-stairway-south-batman
File name:ORGANICUP ApS
Download: download sample
File size:656'584 bytes
First seen:2020-11-20 10:11:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:3JzepFx4zzf5pGNbgISZGREwpmSCb50T30m6S8:3BepbWz58JUGRfp7Cb+E28
Threatray 5 similar samples on MalwareBazaar
TLSH 3FD4D075EB899931CC78953A79FBC033076B2D2A9451C91B34C87F4B29BBBD2A415E03
Reporter JAMESWT_WT
Tags:ORGANICUP ApS signed VKeylogger

Code Signing Certificate

Organisation:AAA Certificate Services
Issuer:AAA Certificate Services
Algorithm:sha1WithRSAEncryption
Valid from:Jan 1 00:00:00 2004 GMT
Valid to:Dec 31 23:59:59 2028 GMT
Serial number: 01
Intelligence: 384 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Graveyard Blocklist:This certificate is on the Cert Graveyard blocklist
Thumbprint Algorithm:SHA256
Thumbprint: D7A7A0FB5D7E2731D771E9484EBCDEF71D5F0C3E0A2948782BC83EE0EA699EF4
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
113
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Launching a process
Result
Gathering data
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/544026
Signature
.NET source code contains potential unpacker
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Detected unpacking (creates a PE file in dynamic memory)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 321111 Sample: ORGANICUP ApS Startdate: 20/11/2020 Architecture: WINDOWS Score: 88 50 Malicious sample detected (through community Yara rule) 2->50 52 Multi AV Scanner detection for submitted file 2->52 54 Detected unpacking (creates a PE file in dynamic memory) 2->54 56 3 other signatures 2->56 12 ORGANICUP ApS.exe 1 2->12         started        process3 file4 46 C:\Users\user\...\ORGANICUP ApS.exe.log, ASCII 12->46 dropped 70 Injects a PE file into a foreign processes 12->70 16 ORGANICUP ApS.exe 12->16         started        signatures5 process6 signatures7 48 Injects a PE file into a foreign processes 16->48 19 ORGANICUP ApS.exe 16->19         started        22 ORGANICUP ApS.exe 16->22         started        process8 signatures9 60 Injects a PE file into a foreign processes 19->60 24 ORGANICUP ApS.exe 19->24         started        62 Maps a DLL or memory area into another process 22->62 27 explorer.exe 22->27         started        process10 signatures11 66 Injects a PE file into a foreign processes 24->66 29 ORGANICUP ApS.exe 24->29         started        32 ORGANICUP ApS.exe 24->32         started        68 Contains functionality to register a low level keyboard hook 27->68 process12 signatures13 72 Injects a PE file into a foreign processes 29->72 34 ORGANICUP ApS.exe 29->34         started        74 Maps a DLL or memory area into another process 32->74 37 explorer.exe 32->37         started        process14 signatures15 58 Injects a PE file into a foreign processes 34->58 39 ORGANICUP ApS.exe 34->39         started        42 ORGANICUP ApS.exe 34->42         started        process16 signatures17 64 Maps a DLL or memory area into another process 39->64 44 explorer.exe 39->44         started        process18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/99c1b2c7ec27b36fbc1978048266d739f8efc003af325fd9a00d0399d7d16b48/
Threat name:
ByteCode-MSIL.Infostealer.Maslog
Create hunting rule
Status:
Malicious
First seen:
2020-11-20 10:11:36 UTC
File Type:
PE (.Net Exe)
Extracted files:
24
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
1bf6e25f5655dd96b13058e02e864b038a96cb2ddfb805c551b3df33c5782dae
3fd662d7caf82ecc8b61b4fa261bc51510851aa36099a85f66c2689c507e11d7
68be2ba319d445f1a1d7da73d9ad26b894f55f85f1b943ab5b5251ddfc0bc439
82b3bc554c3ed5e698153da5badfd3973e337c49ee8477847b2ca0fdda98b895
fe6e78fc04cc85915c056447a608233c7094caf911cc8de0e0491184cdaf056b
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/201120-bx1zcvysxa/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
99c1b2c7ec27b36fbc1978048266d739f8efc003af325fd9a00d0399d7d16b48
MD5 hash:
d99f154e6358b247baf32a58b1d6f595
SHA1 hash:
0e53adf45cb616182c55c6e35ba68efe55aeaa9f
Link:
https://www.unpac.me/results/8c19ba04-be64-4eca-b658-86cb8933c9ac/
SH256 hash:
021ba5b5bc586ce048a37d7ad194d2a4ab595715c4b13a482021596626c3771f
MD5 hash:
60dd0421475f06baf65664916bb73754
SHA1 hash:
5e55bd9f3be7c40e857b19dc3b58f3f9021d7663
Link:
https://www.unpac.me/results/8c19ba04-be64-4eca-b658-86cb8933c9ac/
SH256 hash:
bad0a38e860e110bebcca980bf40c33233544e580a7fa95b140fb5da80b19de9
MD5 hash:
f0b4260e4fa7e0d2fe68687b993e2e93
SHA1 hash:
65a46cdbc57e3a693239c9b4f71dd676a4c6f498
Link:
https://www.unpac.me/results/8c19ba04-be64-4eca-b658-86cb8933c9ac/
SH256 hash:
83c08f0721c8b0c96e3d6a8f3ccaf5c96fbcc427d574625c34424c3429fefaa1
MD5 hash:
3c5dbcc3bb27e913e14efd8054811373
SHA1 hash:
b0eba9388abddaef9d5aa49ccd5dbab2924cced0
Link:
https://www.unpac.me/results/8c19ba04-be64-4eca-b658-86cb8933c9ac/
SH256 hash:
d88cb891d36dc09bb88fcef9fcb8ba6efe6f5034ae76e5b630ab86e54afff1cc
MD5 hash:
094312be0a71a292a4670bcda23b2500
SHA1 hash:
b2b465baee22889403ba48c0745d5d9643a45555
Link:
https://www.unpac.me/results/8c19ba04-be64-4eca-b658-86cb8933c9ac/
SH256 hash:
9de8acff211426ae944ba0d6e9ef54f3aa3f329c60dde1e3a96f87d5a255bdc8
MD5 hash:
e85443791beaf04a82aa95857da02c74
SHA1 hash:
bbd51191403488e454744c5db582e32b1c9c294a
Link:
https://www.unpac.me/results/8c19ba04-be64-4eca-b658-86cb8933c9ac/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Saudi_Phish_Trojan
Create hunting rule
Author:Florian Roth
Description:Detects a trojan used in Saudi Aramco Phishing
Reference:https://goo.gl/Z3JUAA

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments