MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a56fd1905d2af8a3a945ca699d94a4e1dff1759c719284af3ca975e47d150be5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a56fd1905d2af8a3a945ca699d94a4e1dff1759c719284af3ca975e47d150be5
SHA3-384 hash: ee46bea15322ece520f0da66842f338d08512a8298404743d021b1fc0da53eb7428506ab01a7b851d1dc53bd9de2f046
SHA1 hash: ad2e89dcf4f9feb251b14eb20af8774fbf8b9c54
MD5 hash: c8d1263386f7cb98ca1795ba2558a443
humanhash: oregon-alaska-avocado-mango
File name:c8d1263386f7cb98ca1795ba2558a443
Download: download sample
File size:1'869'595 bytes
First seen:2021-06-24 01:06:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ae9f6a32bb8b03dce37903edbc855ba1 (28 x CryptOne, 18 x RedLineStealer, 15 x njrat)
ssdeep 49152:NsrFa7LUfPSDdjfoaanX3Kv24Dpdj0JK3iKrSbc1Qwf:urg7LaSxDjjv2SdguiKrHQwf
Threatray 567 similar samples on MalwareBazaar
TLSH 32852332BAC28971D8B308380DFDAB31563D7D701F649B5EA3D83E6E5E348419625B93
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
94
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c8d1263386f7cb98ca1795ba2558a443
Verdict:
Suspicious activity
Analysis date:
2021-06-24 01:08:45 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/fa2ab3b9-22b2-400d-9c53-351a4ae0c433

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Generic.mg.7118444d587a1d65.31770.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3d50e25e-972a-4d48-b5de-5d322cc700c4
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/807037
Signature
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Regsvr32 Anomaly
Submitted sample is a known malware sample
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 439442 Sample: ccXIdSdTCF Startdate: 24/06/2021 Architecture: WINDOWS Score: 72 51 Multi AV Scanner detection for submitted file 2->51 53 Machine Learning detection for dropped file 2->53 55 Sigma detected: Regsvr32 Anomaly 2->55 57 2 other signatures 2->57 11 ccXIdSdTCF.exe 8 2->11         started        process3 process4 13 mshta.exe 19 11->13         started        process5 15 cmd.exe 2 13->15         started        file6 47 C:\Users\user\AppData\Local\Temp\p10.EXE, PE32 15->47 dropped 49 Submitted sample is a known malware sample 15->49 19 p10.EXE 18 15->19         started        22 taskkill.exe 1 15->22         started        24 conhost.exe 15->24         started        signatures7 process8 signatures9 59 Multi AV Scanner detection for dropped file 19->59 26 mshta.exe 19 19->26         started        28 mshta.exe 1 19->28         started        process10 process11 30 cmd.exe 2 26->30         started        33 cmd.exe 1 28->33         started        file12 45 C:\Users\user\AppData\Local\Temp\0BSXD.7, PE32 30->45 dropped 35 conhost.exe 30->35         started        37 regsvr32.exe 30->37         started        39 cmd.exe 2 30->39         started        41 cmd.exe 1 30->41         started        43 conhost.exe 33->43         started        process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a56fd1905d2af8a3a945ca699d94a4e1dff1759c719284af3ca975e47d150be5/
Threat name:
Win32.Trojan.Bunitucrypt
Create hunting rule
Status:
Malicious
First seen:
2021-06-24 01:07:16 UTC
File Type:
PE (Exe)
Extracted files:
17
AV detection:
15 of 46 (32.61%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
118dd258630c48b0beacd8b4c04c9c9cd3b9f698b660b6a904b1dfc033e00cd1
27ae4533158f4a5e2ab70f57a674e6d84c989b13dd89fdb0fefadbeb22bffc95
2d725c799e8787ef98e26cb025144cbe405aef31bc4ddd2011c80c09efa87400
5e4cb5b794577345c50a2012ee0ece2301012527d17646d984a253781bcd39c9
689290a8b842a0fd09f5ce00654d64d70d0be3e19e2ca60d5dd3d199d3e09054
9f452d7d0048825bc6a35952dd645d68e6b5788858481998c660b8b31d1e1b63
a080aa812c19b8bbe2b32ac62f362909cebc68658ec751be2ee234ffd1200f47
b833d79953fe177a48a5832ce2606c41d00f0d5b9bd31ceb25d3055a3850c2f7
d33a9b8def5c0bc379362bf5924cd9697d2b219bcc412399814b160f9627c3c3
fcbdafcedb7e9d18b0c8b640e375975320e6f74fd4170fea17b2ca210215d855
+ 557 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/210624-67g46knf4s/
Behaviour
Kills process with taskkill
Modifies Internet Explorer settings
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
a56fd1905d2af8a3a945ca699d94a4e1dff1759c719284af3ca975e47d150be5
MD5 hash:
c8d1263386f7cb98ca1795ba2558a443
SHA1 hash:
ad2e89dcf4f9feb251b14eb20af8774fbf8b9c54
Link:
https://www.unpac.me/results/7e1918f2-a7a7-4f3a-b764-d029dfb23edc/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a56fd1905d2af8a3a945ca699d94a4e1dff1759c719284af3ca975e47d150be5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe a56fd1905d2af8a3a945ca699d94a4e1dff1759c719284af3ca975e47d150be5

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1393144/
  
URLhaus
https://urlhaus.abuse.ch/url/1393199/
  
URLhaus
https://urlhaus.abuse.ch/url/1393293/
  
URLhaus
https://urlhaus.abuse.ch/url/1393543/
  
URLhaus
https://urlhaus.abuse.ch/url/1393991/
  
URLhaus
https://urlhaus.abuse.ch/url/1394010/
  
URLhaus
https://urlhaus.abuse.ch/url/1394063/
  
URLhaus
https://urlhaus.abuse.ch/url/1394214/
  
URLhaus
https://urlhaus.abuse.ch/url/1394263/

Comments