MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a578e71d04eae80004ab431497c95fb9779a95dc7f0c60996c24c1cb7139745d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a578e71d04eae80004ab431497c95fb9779a95dc7f0c60996c24c1cb7139745d
SHA3-384 hash: c45a68b3041437617791f72c06a0c9a68938e3ddb337f91e4075cca803663bccfe5bf250625e048dfd5da4f2abee3643
SHA1 hash: cf68a72794b595588a39474aa6cfd3c91e0e3f7b
MD5 hash: bbd5a4c3248441c1126d57a3c7e023a5
humanhash: carolina-equal-cup-cat
File name:bbd5a4c3248441c1126d57a3c7e023a5.exe
Download: download sample
File size:3'923'968 bytes
First seen:2020-12-19 12:39:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 81bd39165a9640df832d204eb04feb6a
ssdeep 98304:XqgigUXTc//////WJRgjqBZMGLd51YkPu4cJMGBj4DhDZANxBYts:CtX3gjwM0LNPy8DpZ+C2
Threatray 76 similar samples on MalwareBazaar
TLSH 8506F151BDC940BAC38E19314BE5EF3D99BDA9402F14CB836764EEDC2932781AB31536
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
130
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/108547/
Detection(s):
Win.Dropper.Vilsel-9772642-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the Windows subdirectories
Creating a process from a recently created file
Creating a file in the %temp% directory
Running batch commands
Creating a process with a hidden window
Creating a service
Launching a service
Launching a process
Sending a UDP request
Creating a file in the drivers directory
Loading a system driver
DNS request
Creating a file
Enabling autorun for a service
Connection attempt to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Mimikatz
Create hunting rule
Detection:
malicious
Classification:
bank.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/566785
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Checks if browser processes are running
Contains functionality to detect sleep reduction / modifications
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Sigma detected: Suspicious Double Extension
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Mimikatz
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 332476 Sample: dPTqTpDNrQ.exe Startdate: 19/12/2020 Architecture: WINDOWS Score: 100 71 Antivirus detection for dropped file 2->71 73 Antivirus / Scanner detection for submitted sample 2->73 75 Multi AV Scanner detection for submitted file 2->75 77 6 other signatures 2->77 10 dPTqTpDNrQ.exe 1 2->10         started        14 Jbcdt.exe 2->14         started        16 svchost.exe 2->16         started        18 4 other processes 2->18 process3 file4 61 C:\Windows\SysWOW64\RdpSau.exe, PE32 10->61 dropped 91 Drops executables to the windows directory (C:\Windows) and starts them 10->91 20 RdpSau.exe 2 10->20         started        93 Antivirus detection for dropped file 14->93 95 Machine Learning detection for dropped file 14->95 24 Jbcdt.exe 13 1 14->24         started        97 Checks if browser processes are running 16->97 99 Contains functionality to detect sleep reduction / modifications 16->99 63 C:\Windows\SysWOW64\                .exe, PE32 18->63 dropped 27                .exe 18->27         started        signatures5 process6 dnsIp7 55 C:\Users\user\AppData\Local\Temp\yu1.exe, PE32 20->55 dropped 57 C:\Users\user\AppData\Local\Temp\yu.exe, PE32 20->57 dropped 85 Antivirus detection for dropped file 20->85 87 Machine Learning detection for dropped file 20->87 29 cmd.exe 1 20->29         started        31 cmd.exe 1 20->31         started        65 cf1549064127.xicp.net 174.128.255.252, 10086, 90 ST-BGPUS United States 24->65 67 192.168.2.1 unknown unknown 24->67 59 C:\Windows\System32\drivers\QAssist.sys, PE32+ 24->59 dropped 89 Sample is not signed and drops a device driver 24->89 file8 signatures9 process10 process11 33 yu1.exe 1 1 29->33         started        37 conhost.exe 29->37         started        39 yu.exe 3 2 31->39         started        41 conhost.exe 31->41         started        file12 51 C:\Windows\SysWOW64\Jbcdt.exe, PE32 33->51 dropped 79 Antivirus detection for dropped file 33->79 81 Multi AV Scanner detection for dropped file 33->81 83 Machine Learning detection for dropped file 33->83 43 cmd.exe 1 33->43         started        53 C:\Users\user\AppData\Local\...\6839000.txt, PE32 39->53 dropped signatures13 process14 dnsIp15 69 127.0.0.1 unknown unknown 43->69 101 Uses ping.exe to sleep 43->101 47 conhost.exe 43->47         started        49 PING.EXE 1 43->49         started        signatures16 process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a578e71d04eae80004ab431497c95fb9779a95dc7f0c60996c24c1cb7139745d/
Threat name:
Win32.PUA.FlyStudio
Create hunting rule
Status:
Malicious
First seen:
2020-12-07 20:50:00 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  1/5
Verdict:
malicious
Similar samples:
02965941d39eef787b6d2483095f7c5c6eec84a2a97ce4e85eee9e0e610506e2
31153d0989d41bd597297136f2457681ac68bb89051509bba7d52c10c554a09e
3bb1bbf49c6e224032025dc7dacb3862e8b16c8b39e5cc19c5aceda4dbc917d9
56133c0d017af35f49253926e3583cf72c36146ab7faa65b6058971685166652
683fa4be9635d3399ee7eb05dde053930faa95aae3f022cdc0e13e5980438b43
75b388003cc32b680abc3d9b41bc6c435af723de235eaab36a323fddcb906f62
799b7395c9f279d8cd1cd24657788ecb37db7ae03c0dddeb3344a95a551d1325
82385c5627675bb1a2f760238c766d1b8d3c31e109e067334959c084d62e5d55
8abec65ae164e9b277cdddba8cb63034e1c9ea1971b27973560c77f37c7a4daa
c96fb748304f35220cae69a622318ee3e425802dea7387549af4add7ba449b7e
+ 66 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence upx
Link:
https://tria.ge/reports/201219-6cwwsslfpn/
Behaviour
Runs ping.exe
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Loads dropped DLL
Drops file in Drivers directory
Executes dropped EXE
Sets DLL path for service in the registry
Sets service image path in registry
UPX packed file
Unpacked files
SH256 hash:
a578e71d04eae80004ab431497c95fb9779a95dc7f0c60996c24c1cb7139745d
MD5 hash:
bbd5a4c3248441c1126d57a3c7e023a5
SHA1 hash:
cf68a72794b595588a39474aa6cfd3c91e0e3f7b
Link:
https://www.unpac.me/results/10ab3e0e-55ad-4976-a47c-397b8ce72261/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Tinba
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a578e71d04eae80004ab431497c95fb9779a95dc7f0c60996c24c1cb7139745d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/108547/

Comments