MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9ca8dc8342e23488434e9dd93ce915c1a562ab0f8b4a5e9c4d994e78fcddf5d2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 12


Intelligence 12 IOCs YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9ca8dc8342e23488434e9dd93ce915c1a562ab0f8b4a5e9c4d994e78fcddf5d2
SHA3-384 hash: d6478369557eab2a5d3cacfa32b4b1ad15e323cb8db4a742b78b274e8d8eecc082b9ca8ccd61fa162fef73afc4c5d786
SHA1 hash: 07024cadac976c38e48cfb3013baa30409fab609
MD5 hash: 3e936ce1e2ba3c89a2d17ff72d6b1e7f
humanhash: lemon-fix-hydrogen-two
File name:SecuriteInfo.com.Trojan.Siggen23.9548.30187.20005
Download: download sample
File size:454'144 bytes
First seen:2024-01-25 01:32:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fd091cf3211a377595fdbb9a846d8568
ssdeep 6144:+3xhN/cQCCXXV19rqqhsh2ZmHqH75ZJs6xZtTS79JCyEXaaKWl+Z7hfx5KIxiMej:QmQC+TOMsh24HA5ZJsonSBJt6azK3Ml
TLSH T140A42390F7AAF8B0CA519CB1A59319489358C4FA361B73BBAF0354CF6CD61982F47381
TrID 52.9% (.EXE) Win32 Executable (generic) (4505/5/1)
23.5% (.EXE) Generic Win/DOS Executable (2002/3)
23.5% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon b24dce030fcc4db2
Reporter SecuriteInfoCom
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
410
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/472822/
Detection(s):
SecuriteInfo.com.Trojan.Siggen23.9548.30187.20005.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Launching a process
Setting a keyboard event handler
Modifying a system executable file
Forced system process termination
Searching for the window
Creating a file
Forced shutdown of a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
epmpress lolbin mpress packed packed packed shell32
Link:
https://www.filescan.io/uploads/65b1ba52eda27a7ac1015478/reports/1b67e96e-6b2e-41ed-a745-4149b8758e34/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/9ca8dc8342e23488434e9dd93ce915c1a562ab0f8b4a5e9c4d994e78fcddf5d2
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/7d789b4d-8276-445c-952a-56ae40d0b8e9
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1380826
Signature
Antivirus / Scanner detection for submitted sample
Creates a Image File Execution Options (IFEO) Debugger entry
Creates an undocumented autostart registry key
Disables UAC (registry)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/9ca8dc8342e23488434e9dd93ce915c1a562ab0f8b4a5e9c4d994e78fcddf5d2
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9ca8dc8342e23488434e9dd93ce915c1a562ab0f8b4a5e9c4d994e78fcddf5d2/
Threat name:
Win32.Trojan.Zusy
Create hunting rule
Status:
Malicious
First seen:
2024-01-25 01:33:08 UTC
File Type:
PE (Exe)
Extracted files:
105
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tsunza2c4i2iqq2otxmtz2ivygswfkyprnff5hcntfhhr7g56xja._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence trojan
Link:
https://tria.ge/reports/240125-byh3rsdcg8/
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
System policy modification
Uses Task Scheduler COM API
Enumerates physical storage devices
Adds Run key to start application
Checks whether UAC is enabled
Checks computer location settings
Modifies Installed Components in the registry
Sets file execution options in registry
UAC bypass
Unpacked files
SH256 hash:
b163c599a6050931b5eb26b686d1f8782d76ccb73bb6fdf28a78978f4f850719
MD5 hash:
3e4bc43882a7db15b3e0fe92fab4a9a2
SHA1 hash:
fae794d22f2b58509a530d4c03c2cfdbe1393c95
Link:
https://www.unpac.me/results/804275d3-e4e4-4ce5-804a-ed6083702aaf/
SH256 hash:
01546d534cddaf4b09b07962610e37224112b64da5a7ec5e9fd0d79c5ce67d95
MD5 hash:
78149d0fc238276aa4eeb0d55ca0489f
SHA1 hash:
6afbb62f70112f8ea44a78d1fc229ca28b7b8f5f
Link:
https://www.unpac.me/results/804275d3-e4e4-4ce5-804a-ed6083702aaf/
SH256 hash:
1fd9a4dcf86bc7d1f87b9e6815ebe179f678766a86f20988d57be6c0e8e5777f
MD5 hash:
fe6ab97abcbfea3cb41ffcfc5758e374
SHA1 hash:
454cbb0de5885c801af05903730a4c81685f3680
Link:
https://www.unpac.me/results/804275d3-e4e4-4ce5-804a-ed6083702aaf/
SH256 hash:
55d9eaa6f52e58db39815622c3e4d04727b3d024b9423ec1b3a3edadc03b29fb
MD5 hash:
912f6c01ccfd04b12aaed7f162044c46
SHA1 hash:
1623ef84adc43730911d33ff0a17c7ee2efd2aac
Link:
https://www.unpac.me/results/804275d3-e4e4-4ce5-804a-ed6083702aaf/
SH256 hash:
0377585ec50ed2e1b3d8519be272599f31024accd20b484ddae8240e09cc83b4
MD5 hash:
13d3997b43c3d5cbafb0ff10b6f0dee1
SHA1 hash:
e650a76f3fa8d28e2ff3751ccf44d124ef2b82bd
Link:
https://www.unpac.me/results/804275d3-e4e4-4ce5-804a-ed6083702aaf/
SH256 hash:
ad80064f71d273967dcf0b14b9cd6e84d79a132231d619687d9266c7807bdfe0
MD5 hash:
a35ee23aaab26afc575ac83df9572b57
SHA1 hash:
81ea38c694ce9702faddfb961f17c1bbf628a76d
Link:
https://www.unpac.me/results/804275d3-e4e4-4ce5-804a-ed6083702aaf/
SH256 hash:
9ca8dc8342e23488434e9dd93ce915c1a562ab0f8b4a5e9c4d994e78fcddf5d2
MD5 hash:
3e936ce1e2ba3c89a2d17ff72d6b1e7f
SHA1 hash:
07024cadac976c38e48cfb3013baa30409fab609
Detections:
INDICATOR_EXE_Packed_MPress
Create hunting rule
Link:
https://www.unpac.me/results/804275d3-e4e4-4ce5-804a-ed6083702aaf/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9ca8dc8342e2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9ca8dc8342e23488434e9dd93ce915c1a562ab0f8b4a5e9c4d994e78fcddf5d2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:INDICATOR_EXE_Packed_MPress
Create hunting rule
Author:ditekSHen
Description:Detects executables built or packed with MPress PE compressor
Rule name:INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
Create hunting rule
Author:ditekSHen
Description:Detects executables embedding registry key / value combination indicative of disabling Windows Defender features
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:mpress_2_xx_x86
Create hunting rule
Author:Kevin Falcoz
Description:MPRESS v2.XX x86 - no .NET
Rule name:TeslaCryptPackedMalware
Create hunting rule
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:WinLock
Create hunting rule
Author:@bartblaze
Description:Identifies WinLock (aka Blocker) ransomware variants generically.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/472822/

Comments