MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9b8c70d1c0537d946bf7233df72a7e0ebdff2cb70404a69ee6a2419730973462. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 6



SHA256 hash: 9b8c70d1c0537d946bf7233df72a7e0ebdff2cb70404a69ee6a2419730973462
SHA3-384 hash: 2345059175ef68e55e3afcba739d3398f7bdb27616038c06dace1ca36b23414f4217e05d7420c09c681142a906d6b8ce
SHA1 hash: 0c719e9dd9a9c8f903ffd521fc8e3381e71dec08
MD5 hash: b6af0517d80a8c5e962674bad3643c3c
humanhash: social-dakota-triple-india
File name: b6af0517d80a8c5e962674bad3643c3c
File size: 2'034'176 bytes
First seen: 2021-10-03 09:51:28 UTC
Last seen: 2021-10-03 10:39:40 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 27516fd8750f40bdecf52a1420a0296a (12 x CoinMiner)
ssdeep: 49152:YGE8qDJ7hmOWOZjcgOVDf8wLrcBPbl5Fv/V5AClyBBSQZH:Y9eYZjctFfyP53ZMF
Threatray: 81 similar samples on MalwareBazaar
TLSH: T12B95337D4A3BAF70DAC290BF98D908768C6464B29FBB0712252BFFF06165E14D48D790
Reporter: zbetcheckin
Tags: exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 109
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: http://ck87769.tmweb.ru/service.exe
Verdict: No threats detected
Analysis date: 2021-10-03 03:54:09 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.

Result
Verdict: Malware
Maliciousness: n/a
Behaviour:
Running batch commands
Launching a process
Creating a process from a recently created file
Creating a process with a hidden window
Unauthorized injection to a system process
Enabling autorun by creating a file

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed
Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 76 / 100
Signature:
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Svchost Process
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Behaviour
Behavior Graph (ID 495817, sample Vx5qmusFjP, start date 03/10/2021, architecture WINDOWS, score 76), rendered as a process tree; the signatures the graph attaches to a node are given in square brackets after it:
Sample-level signatures: Multi AV Scanner detection for submitted file; Sigma detected: Suspicious Svchost Process
Root process 1: Vx5qmusFjP.exe [Creates a thread in another existing process (thread injection)]
  conhost.exe (drops C:\Users\user\AppData\...\services32.exe, PE32+)
    cmd.exe
      services32.exe [Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)]
        conhost.exe
      conhost.exe
    cmd.exe [Uses schtasks.exe or at.exe to add and modify task schedules]
      conhost.exe
      schtasks.exe
  svchost.exe
Root process 2: services32.exe [Multi AV Scanner detection for dropped file; Writes to foreign memory regions; Allocates memory in foreign processes]
  conhost.exe (drops C:\Users\user\AppData\...\sihost32.exe, PE32+)
    sihost32.exe [Multi AV Scanner detection for dropped file; Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)]
      conhost.exe
Threat name: Win64.Trojan.Wacatac
Status: Malicious
First seen: 2021-10-03 05:05:39 UTC
AV detection: 8 of 45 (17.78%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour:
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Loads dropped DLL
Executes dropped EXE
Unpacked files
SHA256 hash: 9b8c70d1c0537d946bf7233df72a7e0ebdff2cb70404a69ee6a2419730973462
MD5 hash: b6af0517d80a8c5e962674bad3643c3c
SHA1 hash: 0c719e9dd9a9c8f903ffd521fc8e3381e71dec08
Please note that we are no longer able to provide a coverage score for Virus Total.
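The behaviours the vendors report above (a scheduled task created through cmd.exe and schtasks.exe, services32.exe and sihost32.exe dropped under AppData, memory written into and threads created in other processes) translate directly into hunt logic for endpoint telemetry. The Python below is an added example, not code from MalwareBazaar or from any vendor on this page: it runs three checks over a constructed, Sysmon-style process-creation log. The log lines, process IDs, download path, task name "svc32" and the dropped-file hashes are placeholders; only the submitted sample's own hashes are taken from the entry.

```python
"""Added example, not code from MalwareBazaar or any vendor on this page: hunt a
Sysmon-style process-creation log for the artefacts reported in this entry."""
import json
import ntpath

# Hashes of the submitted sample, copied from the entry.
IOC_HASHES = {
    "SHA256": "9b8c70d1c0537d946bf7233df72a7e0ebdff2cb70404a69ee6a2419730973462",
    "SHA1": "0c719e9dd9a9c8f903ffd521fc8e3381e71dec08",
    "MD5": "b6af0517d80a8c5e962674bad3643c3c",
}
# Dropped-file names from the sandbox process tree. Both imitate legitimate
# Windows binaries (services.exe, sihost.exe) but were written under AppData.
LOOKALIKE_NAMES = {"services32.exe", "sihost32.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed Sysmon event-1-style JSON lines (not real telemetry). Process IDs,
# the task name "svc32", the download path and the dropped-file hashes
# ("1111...", "2222...", ...) are placeholders; only the sample's own hashes
# in the first line come from the entry.
SAMPLE_LOG = r"""
{"ProcessId": 1000, "ParentProcessId": 500, "Image": "C:\\Users\\user\\Downloads\\service.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "service.exe", "Hashes": "SHA256=9B8C70D1C0537D946BF7233DF72A7E0EBDFF2CB70404A69EE6A2419730973462,MD5=B6AF0517D80A8C5E962674BAD3643C3C"}
{"ProcessId": 1100, "ParentProcessId": 1000, "Image": "C:\\Users\\user\\AppData\\Roaming\\services32.exe", "ParentImage": "C:\\Users\\user\\Downloads\\service.exe", "CommandLine": "services32.exe", "Hashes": "SHA256=1111111111111111111111111111111111111111111111111111111111111111"}
{"ProcessId": 1200, "ParentProcessId": 1000, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Users\\user\\Downloads\\service.exe", "CommandLine": "cmd.exe /c schtasks /create /tn svc32 /tr C:\\Users\\user\\AppData\\Roaming\\services32.exe /sc onlogon", "Hashes": "SHA256=2222222222222222222222222222222222222222222222222222222222222222"}
{"ProcessId": 1300, "ParentProcessId": 1200, "Image": "C:\\Windows\\System32\\schtasks.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "schtasks /create /tn svc32 /tr C:\\Users\\user\\AppData\\Roaming\\services32.exe /sc onlogon", "Hashes": "SHA256=3333333333333333333333333333333333333333333333333333333333333333"}
{"ProcessId": 2000, "ParentProcessId": 700, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "cmd.exe /c schtasks /create /tn Backup /tr C:\\Windows\\System32\\robocopy.exe /sc daily", "Hashes": "SHA256=2222222222222222222222222222222222222222222222222222222222222222"}
{"ProcessId": 2100, "ParentProcessId": 2000, "Image": "C:\\Windows\\System32\\schtasks.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "schtasks /create /tn Backup /tr C:\\Windows\\System32\\robocopy.exe /sc daily", "Hashes": "SHA256=3333333333333333333333333333333333333333333333333333333333333333"}
{"ProcessId": 2200, "ParentProcessId": 800, "Image": "C:\\Windows\\System32\\sihost.exe", "ParentImage": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "sihost.exe", "Hashes": "SHA256=4444444444444444444444444444444444444444444444444444444444444444"}
"""


def parse_log(text):
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def split_hashes(field):
    """Turn Sysmon's 'ALGO=hex,ALGO=hex' field into {ALGO: lowercase hex}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def in_system_dir(path):
    """True when the image path lies under System32 or SysWOW64 (case-insensitive)."""
    return path.lower().startswith(SYSTEM_DIRS)


def hunt(events):
    """Return (ProcessId, reason) findings for the three indicators above."""
    by_pid = {e["ProcessId"]: e for e in events}
    findings = []
    for e in events:
        pid = e["ProcessId"]
        image = e["Image"]
        name = ntpath.basename(image).lower()
        parent_name = ntpath.basename(e.get("ParentImage", "")).lower()

        # 1. Exact hash match against the submitted sample's hashes.
        hits = [algo for algo, value in split_hashes(e.get("Hashes", "")).items()
                if IOC_HASHES.get(algo) == value]
        if hits:
            findings.append((pid, "known sample hash: " + ", ".join(sorted(hits))))

        # 2. services32.exe / sihost32.exe running from outside the system directories.
        if name in LOOKALIKE_NAMES and not in_system_dir(image):
            findings.append((pid, "system-binary lookalike outside System32: " + image))

        # 3. schtasks /create launched via cmd.exe whose own parent is not a
        #    system binary (the sample's chain: sample -> cmd.exe -> schtasks.exe).
        #    A grandparent missing from the log is treated as unvouched-for and flagged.
        if (name == "schtasks.exe" and parent_name == "cmd.exe"
                and "/create" in e.get("CommandLine", "").lower()):
            grandparent = by_pid.get(e.get("ParentProcessId"), {}).get("ParentImage", "")
            if not in_system_dir(grandparent):
                findings.append((pid, "scheduled task created from non-system parent chain: "
                                 + (grandparent or "<unknown>")))
    return findings


if __name__ == "__main__":
    for pid, reason in hunt(parse_log(SAMPLE_LOG)):
        print(pid, reason)
```

Run as-is it reports three hits: the download matched by hash, the services32.exe copy under AppData, and the schtasks.exe call whose cmd.exe parent was itself spawned by the sample; the administrative schtasks call under svchost.exe and the genuine sihost.exe are left alone. Against real Sysmon EventID 1 exports, rule 3 is the one to tune, since scripts in many environments legitimately create tasks via cmd.exe.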

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Executable exe 9b8c70d1c0537d946bf7233df72a7e0ebdff2cb70404a69ee6a2419730973462 (this sample)
Delivery method: Distributed via web download

Comments



zbet commented on 2021-10-03 09:51:30 UTC

url : hxxp://ck87769.tmweb.ru/service.exe