MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a639dce38f6ea72a69d7037a35b9d0cd0a4026130995fa89ef52865eb630036d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



BlackShades


Vendor detections: 11



SHA256 hash: a639dce38f6ea72a69d7037a35b9d0cd0a4026130995fa89ef52865eb630036d
SHA3-384 hash: ab4e4293c4682faa9872b4ccfa2a0306c1510c9d3f063d6f08ca724e2466b3044b893568dec0ddd6336b66aabf5b965f
SHA1 hash: 9049c89d8b868d5dd47fce84f43f5acb1ef0e4d6
MD5 hash: cce24cf2442c519ce26ee12dac29d783
humanhash: social-green-mockingbird-mississippi
File name: cce24cf2442c519ce26ee12dac29d783.exe
Signature: BlackShades
File size: 404'506 bytes
First seen: 2020-12-21 07:14:55 UTC
Last seen: 2020-12-21 08:55:48 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 3eaa732d4dae53340f9646bdd85dac41 (11 x NetSupport, 6 x RedLineStealer, 4 x ISRStealer)
ssdeep: 6144:51bhajKgqx6iftHMqyML/J8qF9kkYqziww1mG1Cf6sUtMQ34LDQUXP0bu:51taegqFftHLJ8qF9hewzLFnQMN
Threatray: 4'712 similar samples on MalwareBazaar
TLSH: 9084E0A266D1C072E16314308EF9D760FAB9F8355770998ABF900E6D7F22AD1CB25713
Reporter: abuse_ch
Tags: BlackShades exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 182
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: cce24cf2442c519ce26ee12dac29d783.exe
Verdict: Malicious activity
Analysis date: 2020-12-21 07:15:05 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Searching for the window
Creating a file in the %AppData% directory
Running batch commands
Creating a process from a recently created file
Moving a file to the %AppData% directory
Enabling the 'hidden' option for recently created files
Creating a process with a hidden window
DNS request
Connection attempt
Sending a UDP request
Launching a process
Creating a file in the mass storage device
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a global event handler for the keyboard
Firewall traversal
Enabling autorun
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Blackshades Poisonivy
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
Creates an undocumented autostart registry key
Installs a global keyboard hook
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses cmd line tools excessively to alter registry or file data
Uses dynamic DNS services
Yara detected Blackshades RAT
Yara detected Generic Dropper
Yara detected Poisonivy
Behaviour
Behavior Graph (ID 332670; sample vhk2oABla2.exe; start date 21/12/2020; architecture: WINDOWS; score: 100). Process tree recovered from the graph: vhk2oABla2.exe drops C:\Users\user\AppData\...\IMPORTANT.sfx.exe (PE32) and launches it through cmd.exe; IMPORTANT.sfx.exe drops C:\Users\user\AppData\Roaming\IMPORTANT.exe (PE32) and starts it; IMPORTANT.exe installs a global keyboard hook, creates an undocumented autostart registry key, writes a copy of itself as C:\Users\user\...\IMPORTANT.exe, resolves kanzit.no-ip.biz (94.73.36.254, port 3333, AS15704 Spain), contacts 192.168.2.1, and spawns four cmd.exe / reg.exe pairs (each with a conhost.exe) that alter registry or file data and modify the Windows firewall. Graph signatures: Malicious sample detected (through community Yara rule), Multi AV Scanner detection for dropped file and submitted file, Antivirus detection for dropped file, and 4 other signatures.
Threat name: Win32.Dropper.Slipafext
Status: Malicious
First seen: 2014-06-21 18:17:00 UTC
AV detection: 22 of 28 (78.57%)
Threat level: 3/5
Result
Malware family: n/a
Score: 10/10
Tags: evasion persistence
Behaviour
Modifies registry key
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Adds Run key to start application
Loads dropped DLL
Adds policy Run key to start application
Executes dropped EXE
Modifies firewall policy service
Unpacked files
SHA256 hash: 9fdd73545c88b8c1af72236a8ebc599e701b894b7938034061c0e283f2203b90
MD5 hash: 2321c07681c2e35009ee33e8639908ba
SHA1 hash: d61ff56bef738122df9784be6132000f029d5fb4
Detections: win_blackshades_w0
SHA256 hash: a639dce38f6ea72a69d7037a35b9d0cd0a4026130995fa89ef52865eb630036d
MD5 hash: cce24cf2442c519ce26ee12dac29d783
SHA1 hash: 9049c89d8b868d5dd47fce84f43f5acb1ef0e4d6
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments