MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9f11a8c899cebf82b33fb6e0b457081a4d9cbc8da214579ca3d71dced16c0471. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown


Vendor detections: 10



SHA256 hash: 9f11a8c899cebf82b33fb6e0b457081a4d9cbc8da214579ca3d71dced16c0471
SHA3-384 hash: 9e6b06ae5595ff93cb2e264c658d9c319a231d4c090a2e12a2a40778ca4b4951caf2c91f05cbc1e82eb78f350105600f
SHA1 hash: 0591fe4aa9dbc14c5ee5b1b0b11edda3203142b3
MD5 hash: 43ed73f9dc285b9cbac6910b6e0567c0
humanhash: mars-comet-nitrogen-kansas
File name: virussign.com_43ed73f9dc285b9cbac6910b6e0567c0
File size: 58'636 bytes
First seen: 2022-07-15 16:31:04 UTC
Last seen: 2024-07-24 19:42:08 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 09d0478591d4f788cb3e5ea416c25237 (4 x Worm.Mofksys, 3 x Blackmoon, 2 x Gh0stRAT)
ssdeep: 1536:D7TJopblB4dqyyUiZ06pX3I6/qxiSEGNJFV:D7TQlatyYePxiFV
TLSH: T11543F23455951426F0F6EE708DC2C68E0447FEAE563B4D8D2BD2772E793A26F802052B
TrID: 45.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.3% (.EXE) OS/2 Executable (generic) (2029/13)
18.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.0% (.EXE) DOS Executable Generic (2000/1)
dhash icon: e4f6b2f0e8ccf0f0 (14 x Worm.AutoRun, 11 x AutoRun, 1 x CoinMiner)
Reporter: KdssSupport
Tags: exe


KdssSupport (uploaded with API)

Intelligence


File Origin
Number of uploads: 2
Number of downloads: 98
Origin country: n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
virussign.com_43ed73f9dc285b9cbac6910b6e0567c0
Verdict:
Malicious activity
Analysis date:
2022-07-16 04:25:23 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating synchronization primitives
Creating a window
Creating a file in the Windows subdirectories
Creating a file in the Windows directory
Creating a process from a recently created file
Creating a process with a hidden window
Searching for analyzing tools
Creating a file
Verdict:
Suspicious
Threat level:
5/10
Confidence:
100%
Tags:
overlay packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.spre.troj.evad
Score:
100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes the view of files in windows explorer (hidden files and folders)
Changes the wallpaper picture
Creates an undocumented autostart registry key
Creates autorun.inf (USB autostart)
Detected unpacking (changes PE section rights)
Disables the Windows registry editor (regedit)
Disables UAC (registry)
Disables Windows system restore
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Spreads via windows shares (copies files to share folders)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses ping.exe to check the status of other devices and networks
Behaviour
Behavior Graph: [behavior graph rendered as an image on the original page; recoverable details: Behavior Graph ID 666872, sample cLf8IYtWDb.com_43ed73f9dc28..., start date 17/07/2022, architecture WINDOWS, score 100. The graph shows the sample (cLf8IYtWDb.exe) dropping PE32 files into C:\Windows and C:\Windows\SysWOW64 (including mscomctl.ocx, MSCOMCTL.OCX and 17-7-2022.exe), starting copies named smss.exe, csrss.exe, Gaara.exe, Kazekage.exe and system32.exe, spawning PING.EXE and conhost.exe, and performing reverse DNS lookups of 220.255.0.0.in-addr.arpa.]
Threat name:
Win32.Trojan.Dacic
Status:
Malicious
First seen:
2022-07-10 01:41:31 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
24 of 26 (92.31%)
Threat level:
5/5
Verdict:
malicious
Result
Malware family:
n/a
Score:
10/10
Tags:
evasion persistence ransomware trojan
Behaviour
Modifies Control Panel
Modifies Internet Explorer settings
Modifies registry class
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Drops file in Windows directory
Drops autorun.inf file
Drops file in System32 directory
Sets desktop wallpaper using registry
Adds Run key to start application
Checks whether UAC is enabled
Drops desktop.ini file(s)
Enumerates connected drives
Loads dropped DLL
Disables RegEdit via registry modification
Disables use of System Restore points
Drops file in Drivers directory
Executes dropped EXE
Sets file execution options in registry
Modifies WinLogon for persistence
Modifies visibility of file extensions in Explorer
Modifies visibility of hidden/system files in Explorer
UAC bypass
Unpacked files
SHA256 hash:
740ed0f397b6a9694d2a8a4d2e36cc839cefa099146c8527b9bc78df5ea83316
MD5 hash:
175d5241fc12ff76be3f461eab5a9ebd
SHA1 hash:
d3d5c035f9381a4f62bc1f08e2158cdb08972ce7
SHA256 hash:
9f11a8c899cebf82b33fb6e0b457081a4d9cbc8da214579ca3d71dced16c0471
MD5 hash:
43ed73f9dc285b9cbac6910b6e0567c0
SHA1 hash:
0591fe4aa9dbc14c5ee5b1b0b11edda3203142b3
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 9f11a8c899cebf82b33fb6e0b457081a4d9cbc8da214579ca3d71dced16c0471 (this sample)

Delivery method: Distributed via web download

Comments