MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9e963186264d8f04f86916921e1f197bd98bd7305af779247c9ff4632d05900b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9e963186264d8f04f86916921e1f197bd98bd7305af779247c9ff4632d05900b
SHA3-384 hash: 3a5891697f6dfc477ca492e585603bfd874399c674a00a6a443f2e376eb1e9638f045008f967c7408c7b63377ba022ef
SHA1 hash: 8e775221e4fa31eaf138594090a21dcee50c8bee
MD5 hash: d2e27e129c82b56a810bcd5901508791
humanhash: hotel-lamp-finch-sink
File name:d2e27e129c82b56a810bcd5901508791
Download: download sample
File size:1'652'302 bytes
First seen:2021-06-24 09:21:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 8c16c795b57934183422be5f6df7d891 (36 x Mofksys, 18 x CryptOne, 6 x AveMariaRAT)
ssdeep 24576:PFOaRvs8z4CEfqTCQUQyUStUEwb/lG4/5TdV5Yz49W0c4268nMBfN16qEwQCQgVN:tB8bVXQyUStub44/RdVq4cHgKq7QK
Threatray 4'959 similar samples on MalwareBazaar
TLSH 66752327A9148837E86645F2B9E6E62ABD025F2647D5DD4B3674BF0537F8203B1B020F
Reporter zbetcheckin
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
88
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d2e27e129c82b56a810bcd5901508791
Verdict:
No threats detected
Analysis date:
2021-06-24 09:27:07 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/680b4ff9-7d06-4737-8fb6-9d0efcfe6089

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/167953/
Detection(s):
PUA.Win.Packer.Upolyx-12
Create hunting rule

PUA.Win.Packer.Upx-4
Create hunting rule

Win.Trojan.VBGeneric-6735875-0
Create hunting rule

Win.Trojan.Agent-1109049
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bc4ec259-a252-4aa4-8a21-edafeb4a48f7
Result
Threat name:
CryptOne Mofksys
Create hunting rule
Detection:
malicious
Classification:
spre.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/807356
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Detected CryptOne packer
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
System process connects to network (likely due to code injection or exploit)
Yara detected Mofksys
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 439766 Sample: YNVtTMLhpP Startdate: 24/06/2021 Architecture: WINDOWS Score: 100 63 Antivirus / Scanner detection for submitted sample 2->63 65 Multi AV Scanner detection for submitted file 2->65 67 Yara detected Mofksys 2->67 69 5 other signatures 2->69 10 YNVtTMLhpP.exe 1 3 2->10         started        14 svchost.exe 2->14         started        16 svchost.exe 9 1 2->16         started        19 11 other processes 2->19 process3 dnsIp4 49 C:\Windows\Resources\Themes\icsys.icn.exe, MS-DOS 10->49 dropped 51 C:\Users\user\Desktop\ynvttmlhpp.exe, PE32 10->51 dropped 95 Drops executables to the windows directory (C:\Windows) and starts them 10->95 21 icsys.icn.exe 2 10->21         started        25 ynvttmlhpp.exe 10->25         started        97 Changes security center settings (notifications, updates, antivirus, firewall) 14->97 27 MpCmdRun.exe 1 14->27         started        55 127.0.0.1 unknown unknown 16->55 file5 signatures6 process7 file8 47 C:\Windows\Resources\Themes\explorer.exe, MS-DOS 21->47 dropped 79 Antivirus detection for dropped file 21->79 81 Machine Learning detection for dropped file 21->81 83 Drops executables to the windows directory (C:\Windows) and starts them 21->83 85 Drops PE files with benign system names 21->85 29 explorer.exe 14 21->29         started        34 conhost.exe 27->34         started        signatures9 process10 dnsIp11 57 codecmd03.googlecode.com 29->57 59 codecmd02.googlecode.com 29->59 61 3 other IPs or domains 29->61 53 C:\Windows\Resources\spoolsv.exe, MS-DOS 29->53 dropped 99 Antivirus detection for dropped file 29->99 101 System process connects to network (likely due to code injection or exploit) 29->101 103 Machine Learning detection for dropped file 29->103 105 Drops PE files with benign system names 29->105 36 spoolsv.exe 2 29->36         started        file12 signatures13 process14 file15 45 C:\Windows\Resources\svchost.exe, MS-DOS 36->45 dropped 71 Antivirus detection for dropped file 36->71 73 Machine Learning detection for dropped file 36->73 75 Drops executables to the windows directory (C:\Windows) and starts them 36->75 77 Drops PE files with benign system names 36->77 40 svchost.exe 2 2 36->40         started        signatures16 process17 signatures18 87 Antivirus detection for dropped file 40->87 89 Detected CryptOne packer 40->89 91 Machine Learning detection for dropped file 40->91 93 Drops executables to the windows directory (C:\Windows) and starts them 40->93 43 spoolsv.exe 1 40->43         started        process19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9e963186264d8f04f86916921e1f197bd98bd7305af779247c9ff4632d05900b/
Threat name:
Win32.Worm.Mofksys
Create hunting rule
Status:
Malicious
First seen:
2021-06-16 06:33:00 UTC
AV detection:
29 of 29 (100.00%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
32672928863af3e154d0e2cc454c5fd31f217a3bfabc7acff2223bb72a5bbe6f
3e89231dca077c17c8e22b527557da4a34d1a06871f481e39d4a3fb2512f16af
603b8b4a8d2fedea549b4f06b345da9234a06ceab9366175c8de484df155a2b9
6c094a18d2ab75c95ffc39399cece2eebdb8064f91cec40226be037fb20f64d9
90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9
a2bd87a81b3cc4f40cc8f1e6ba1111a010ad3970b4dff9e98c729142af28b823
b23274e47a003476681da8925f2c15ff1c7ef988cabf76dbf1e5799a914a3ab1
b603bb5bf05a55c7687cbfa64566cb5608947284b8eaf0da2b1b6d282fee3ecd
bc630e07cf99324ac65fb506e9d54bbd6d405887070604e00d98c52ba60d64c1
e761d308089dba30cc23f8878d984aa1f11b049f2f096e9766db3c92e1ccf290
+ 4'949 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence upx
Link:
https://tria.ge/reports/210624-tq4gkwbma6/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
UPX packed file
Modifies visiblity of hidden/system files in Explorer
Unpacked files
SH256 hash:
9e963186264d8f04f86916921e1f197bd98bd7305af779247c9ff4632d05900b
MD5 hash:
d2e27e129c82b56a810bcd5901508791
SHA1 hash:
8e775221e4fa31eaf138594090a21dcee50c8bee
Link:
https://www.unpac.me/results/ce6202ed-e54c-4821-a525-97eee055c1d5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9e963186264d8f04f86916921e1f197bd98bd7305af779247c9ff4632d05900b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 9e963186264d8f04f86916921e1f197bd98bd7305af779247c9ff4632d05900b

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1394238/
Cape
Cape
https://www.capesandbox.com/analysis/167953/

Comments