MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a0338c7c29d4d227c52c66bc6f31b42e5a53973c1a8ab204bf078dd2a98d2e54. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Rootkit.ZeroAccess

Vendor detections: 15

Intelligence 15 IOCs YARA 2 File information Comments

SHA256 hash:	a0338c7c29d4d227c52c66bc6f31b42e5a53973c1a8ab204bf078dd2a98d2e54
SHA3-384 hash:	245fd04ccc54f5932f6db89514ec274b48cc534cd14be5cbe9f35b07f5315d20b68a66cfb4f76e6f64922fdb46b4c3df
SHA1 hash:	d0066ec007a829eab31feaf108f16df97d78866b
MD5 hash:	52fd7004dabcf03f8e09e60be0daa203
humanhash:	johnny-winter-mars-river
File name:	SecuriteInfo.com.BackDoor.Maxplus.12847.31909.25952
Download:	download sample
Signature	Rootkit.ZeroAccess Create hunting rule
File size:	137'728 bytes
First seen:	2024-03-01 18:25:43 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	6f52cd457b6a24462b6b20dfc5456a98 (1 x Rootkit.ZeroAccess)
ssdeep	3072:MsxlmflqmAJpb0tFND9tJSUsTxhGeZt+bZFmpQb+lYSVJt:Mup6uUAGeZIfHs
TLSH	T176D3024DF40A597BD6E912FE0475AFA893AB2120700EEC2D52D4B4CEFC89596D90D7C3
TrID	37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 12.7% (.EXE) Win64 Executable (generic) (10523/12/4) 7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter	SecuriteInfoCom
Tags:	exe Rootkit.ZeroAccess

Intelligence

File Origin

# of uploads :

# of downloads :

470

Origin country :

Vendor Threat Intelligence

Malware family:

zeroaccess

ID:

File name:

a0338c7c29d4d227c52c66bc6f31b42e5a53973c1a8ab204bf078dd2a98d2e54.exe

Verdict:

Malicious activity

Analysis date:

2024-03-01 18:35:49 UTC

Tags:

zeroaccess trojan

Link:

https://app.any.run/tasks/1e6747c7-d070-4764-9125-fa811e9ca2c7

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.BackDoor.Maxplus.12847.31909.25952.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

DNS request

Sending a UDP request

Searching for synchronization primitives

Creating a file

Launching cmd.exe command interpreter

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a system process

Deleting of the original file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

fingerprint keylogger packed sirefef

Link:

https://www.filescan.io/uploads/65e21ddaf73edfc4770292df/reports/b06cf0d0-931b-4f53-b5a6-1e5a9faf4ed8/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/a0338c7c29d4d227c52c66bc6f31b42e5a53973c1a8ab204bf078dd2a98d2e54

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

ZeroAccess

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3ead66b9-a17d-4fa4-bd81-af00f2e82acc

Result

Threat name:

ZeroAccess

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1401637

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Contains functionality to modify windows services which are used for security filtering and protection

Contains functionality to set registry keys in stealthy way

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found API chain indicative of debugger detection

Found evasive API chain (may stop execution after checking system information)

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Writes to foreign memory regions

Yara detected ZeroAccess

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/a0338c7c29d4d227c52c66bc6f31b42e5a53973c1a8ab204bf078dd2a98d2e54

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a0338c7c29d4d227c52c66bc6f31b42e5a53973c1a8ab204bf078dd2a98d2e54/

Threat name:

Win32.Trojan.ZeroAccess

Status:

Malicious

First seen:

2013-08-29 13:16:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

29 of 38 (76.32%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=uazyy7bj2tjcprjmm26g6mnufznfhfz4dkflebf7a6g5fkmnfzka._file

Verdict:

malicious

Result

Malware family:

n/a

Score:

10/10

Tags:

evasion persistence

Link:

https://tria.ge/reports/240301-w277aabe42/

Behaviour

NTFS ADS

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Drops file in Program Files directory

Suspicious use of SetThreadContext

Adds Run key to start application

Drops desktop.ini file(s)

Deletes itself

Unexpected DNS network traffic destination

Sets service image path in registry

Modifies firewall policy service

Modifies security service

Unpacked files

SH256 hash:

6eef23c178ffe135538aa1fd0902af5bcab8c16704b03c50f85b2b788d98d80d

MD5 hash:

a6b384644e0e06f05e58b0e9059ef8d1

SHA1 hash:

e6e41d3cb62f63c5adcce7eafa7e1b0cb1647567

Link:

https://www.unpac.me/results/78a39293-1cc7-4cb9-a806-d061f35f1a1e/

SH256 hash:

13dfe4fd7d3bad944197fc6b07fe844377a110e9c6d455101106f57f1bf92ee4

MD5 hash:

9edd8697b54d354079ba30f0e6b39aee

SHA1 hash:

7b221a613f4d526bce183de7770fd631f6b2ed91

Detections:

INDICATOR_EXE_Packed_aPLib

Link:

https://www.unpac.me/results/78a39293-1cc7-4cb9-a806-d061f35f1a1e/

SH256 hash:

3ad8224dd09d893af015ed14dbd85fe1a48cb2480a0ab7f77a3b0be0edca749b

MD5 hash:

1451b080850a1d0e13ad3fc87db51a9a

SHA1 hash:

da24ee707d5ec90ceb56b1cd45f1962c866a0187

Link:

https://www.unpac.me/results/78a39293-1cc7-4cb9-a806-d061f35f1a1e/

SH256 hash:

33fc237709b946c569a2212fe2a43af381af96660383bd5015993748e9541a86

MD5 hash:

41afd9a1d66020761f37811fa59c8241

SHA1 hash:

d3027bf0f52c43d667090adfb2d2944c613d74f3

Detections:

win_zeroaccess_auto

Link:

https://www.unpac.me/results/78a39293-1cc7-4cb9-a806-d061f35f1a1e/

SH256 hash:

2a882df1b80c38e3adc9eca9f4f36e5f9e630a387f533c731a182c94d16d4e46

MD5 hash:

883b6e360203b634003ef04a486d73cd

SHA1 hash:

702a851aac821decde35c854ff27cf856ebee6b2

Link:

https://www.unpac.me/results/78a39293-1cc7-4cb9-a806-d061f35f1a1e/

SH256 hash:

a0338c7c29d4d227c52c66bc6f31b42e5a53973c1a8ab204bf078dd2a98d2e54

MD5 hash:

52fd7004dabcf03f8e09e60be0daa203

SHA1 hash:

d0066ec007a829eab31feaf108f16df97d78866b

Link:

https://www.unpac.me/results/78a39293-1cc7-4cb9-a806-d061f35f1a1e/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/a0338c7c29d4/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

ZeroAccess

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a0338c7c29d4d227c52c66bc6f31b42e5a53973c1a8ab204bf078dd2a98d2e54

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
AUTH_API	Manipulates User Authorization	ADVAPI32.dll::CopySid ADVAPI32.dll::GetLengthSid ADVAPI32.dll::GetNamedSecurityInfoW ADVAPI32.dll::GetSidSubAuthorityCount ADVAPI32.dll::GetSidSubAuthority ADVAPI32.dll::GetTokenInformation
MULTIMEDIA_API	Can Play Multimedia	MSACM32.dll::acmDriverID
SECURITY_BASE_API	Uses Security Base API	ADVAPI32.dll::AdjustTokenPrivileges ADVAPI32.dll::GetSecurityDescriptorControl ADVAPI32.dll::GetSecurityDescriptorDacl ADVAPI32.dll::GetSecurityDescriptorGroup ADVAPI32.dll::GetSecurityDescriptorOwner ADVAPI32.dll::GetSidIdentifierAuthority
WIN32_PROCESS_API	Can Create Process and Threads	ADVAPI32.dll::OpenProcessToken KERNEL32.dll::VirtualAllocEx KERNEL32.dll::CloseHandle KERNEL32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryExW KERNEL32.dll::LoadLibraryW KERNEL32.dll::LoadLibraryA KERNEL32.dll::GetStartupInfoA KERNEL32.dll::GetStartupInfoW
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::WinExec KERNEL32.dll::WriteConsoleA KERNEL32.dll::WriteConsoleW KERNEL32.dll::SetConsoleCtrlHandler KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleCP KERNEL32.dll::GetConsoleOutputCP KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CopyFileW KERNEL32.dll::CreateFileA KERNEL32.dll::CreateFileW KERNEL32.dll::DeleteFileW KERNEL32.dll::MoveFileW KERNEL32.dll::GetWindowsDirectoryW
WIN_BASE_USER_API	Retrieves Account Information	KERNEL32.dll::GetComputerNameW ADVAPI32.dll::GetUserNameW ADVAPI32.dll::LookupPrivilegeValueW
WIN_REG_API	Can Manipulate Windows Registry	ADVAPI32.dll::RegConnectRegistryW ADVAPI32.dll::RegCreateKeyExW ADVAPI32.dll::RegDeleteKeyW ADVAPI32.dll::RegGetKeySecurity ADVAPI32.dll::RegLoadKeyW ADVAPI32.dll::RegOpenKeyExW ADVAPI32.dll::RegOpenKeyExA
WIN_USER_API	Performs GUI Actions	USER32.dll::AppendMenuW USER32.dll::EmptyClipboard USER32.dll::FindWindowW USER32.dll::OpenClipboard USER32.dll::PeekMessageW USER32.dll::CreateWindowExW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample