MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a7419640b97af3b82eba614a5595b48b8fe5fd904fea36cbf499468f51b38475. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a7419640b97af3b82eba614a5595b48b8fe5fd904fea36cbf499468f51b38475
SHA3-384 hash: cd6f4313afb3501ff77bdafb4289c25811765d8d371d3477389b90c516f8e997b7c982e1527413874d9118a83b0b42df
SHA1 hash: 792b6ffff6301f584f192b545f40c491117a5aa3
MD5 hash: 69b7d9525815c1345ff32d4fffa657c4
humanhash: red-equal-hotel-quiet
File name:a7419640b97af3b82eba614a5595b48b8fe5fd904fea36cbf499468f51b38475
Download: download sample
File size:739'123 bytes
First seen:2021-02-28 22:08:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4bb6c97d0fd6fbaeabdd43515fbc6b28 (17 x DCRat, 1 x NanoCore)
ssdeep 12288:to4JzBT1d2/0uCoDfMEztc4HNG/F1QNaq1jfADKCGxsCUbiIaQFEkoaMImN3Hdm2:tnXufDfpZVoMx1jfg9wwdaQFEkoaedZV
Threatray 410 similar samples on MalwareBazaar
TLSH CBF41261E28C3CE1C04621F9AD34E889B01BFB69112C8D697AB6F84B94B65C37477D4F
Reporter c3rb3ru5d3d53c2


Avatar
c3rb3ru5d3d53c
@c3rb3ru5d3d53c Live Hunt

Intelligence

File Origin
# of uploads :
1
# of downloads :
148
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
MCHacker.exe
Verdict:
Malicious activity
Analysis date:
2021-02-28 17:49:03 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/50aa2402-ab6f-4b88-9b47-24f54174c839

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/120060/
Detection(s):
PUA.Win.Packer.Upolyx-12
Create hunting rule

Win.Malware.Rasftuby-9219744-0
Create hunting rule

Win.Dropper.Nanocore-9774880-0
Create hunting rule

Win.Malware.Uztuby-9797514-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a file
Launching a process
Creating a file in the Program Files subdirectories
DNS request
Sending a custom TCP request
Creating a file in the %temp% directory
Deleting a recently created file
Reading critical registry keys
Unauthorized injection to a recently created process
Stealing user critical data
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/621492
Signature
.NET source code contains in memory code execution
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 359739 Sample: VhYd1M4za8 Startdate: 28/02/2021 Architecture: WINDOWS Score: 100 71 canonicalizer.ucsuri.tcs 2->71 73 prda.aadg.msidentity.com 2->73 85 Antivirus detection for dropped file 2->85 87 Antivirus / Scanner detection for submitted sample 2->87 89 Multi AV Scanner detection for submitted file 2->89 91 7 other signatures 2->91 14 VhYd1M4za8.exe 3 11 2->14         started        17 yeFQvlCYfOKJSorkWbe.exe 3 2->17         started        signatures3 process4 file5 69 C:\Users\user\...\OiNOJa01zZspBeagsxaI.exe, PE32 14->69 dropped 20 wscript.exe 1 14->20         started        79 Antivirus detection for dropped file 17->79 81 Machine Learning detection for dropped file 17->81 83 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 17->83 signatures6 process7 process8 22 cmd.exe 1 20->22         started        signatures9 101 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 22->101 25 OiNOJa01zZspBeagsxaI.exe 11 22->25         started        29 conhost.exe 22->29         started        process10 file11 67 C:\Users\user\AppData\...\netdriver.exe, PE32 25->67 dropped 103 Multi AV Scanner detection for dropped file 25->103 31 wscript.exe 1 25->31         started        signatures12 process13 process14 33 cmd.exe 1 31->33         started        process15 35 netdriver.exe 1 11 33->35         started        39 conhost.exe 33->39         started        file16 59 C:\Windows\Vss\Writers\...\dllhost.exe, PE32 35->59 dropped 61 C:\Recovery\yeFQvlCYfOKJSorkWbe.exe, PE32 35->61 dropped 63 C:\Recovery\winlogon.exe, PE32 35->63 dropped 65 C:\Program Files\...\WmiPrvSE.exe, PE32 35->65 dropped 93 Antivirus detection for dropped file 35->93 95 Machine Learning detection for dropped file 35->95 97 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 35->97 99 Hides that the sample has been downloaded from the Internet (zone.identifier) 35->99 41 WmiPrvSE.exe 14 2 35->41         started        45 schtasks.exe 1 35->45         started        47 schtasks.exe 1 35->47         started        49 2 other processes 35->49 signatures17 process18 dnsIp19 75 us-east-1.route-1.000webhost.awex.io 145.14.145.70, 443, 49700 AWEXUS Netherlands 41->75 77 offbeat-echo.000webhostapp.com 41->77 105 Protects its processes via BreakOnTermination flag 41->105 51 conhost.exe 45->51         started        53 conhost.exe 47->53         started        55 conhost.exe 49->55         started        57 conhost.exe 49->57         started        signatures20 process21
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a7419640b97af3b82eba614a5595b48b8fe5fd904fea36cbf499468f51b38475/
Threat name:
Win32.Trojan.Ymacco
Create hunting rule
Status:
Malicious
First seen:
2021-02-28 22:09:06 UTC
AV detection:
26 of 47 (55.32%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
026e27e7f9ed14e29d3f9feffd83f8c83b88291439c5f1376d264504b832c2ca
09861033c2109fa6827b4ff30052d087e28b81a53bd0b4d235c68128a8a451f5
3cc4ba07331525cdf84257291993e9a68c322dfe7e91ff112191ed2c2ababcb4
3f1d6522a3dc9c69310b7c960788de537186c1256dae425eac2cf07c66dd3ab8
4231d303577111382f2c3a44d1b4077b11dfe8125d851a5bda6ceebef5a0d5a4
50444a618ccea3cc6b93088378260b2fab89b5b92d4b06f27fc2e8a58b950c79
7125ff46ae7468216b1764b9e22b5811d4890f33a237776c6cbf22c8d8f09bbc
b3f70398a3cccd64b165ef13c19ee9cb0e94f5743bf0a6147148044bcb0e485e
bf375d5c15abb5c57b0cc3371a3537b79560fe82b1aff486afde752e05971ebb
c84d34fac4693d44191e1d297b14f60978794ffdb95258d0fce3b89e61285e2d
+ 400 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware upx
Link:
https://tria.ge/reports/210228-9q8w381h7s/
Behaviour
Creates scheduled task(s)
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Unpacked files
SH256 hash:
07d59b40a8f34380fdc792f04c02aa1d4363edf851998d1d09d554866c6c9a01
MD5 hash:
91d4f43b25296838a8d509906728f6c4
SHA1 hash:
fc6c34931070892f396d238d577b55af3a1ef197
Link:
https://www.unpac.me/results/4858eae2-3099-4f95-a1c6-029d127981e9/
SH256 hash:
89d573c731a3d9a612da1ab5eacbd1be82ef5eb45b4d46cc9e66aa90639eed16
MD5 hash:
3f92e900b79d180c21a140c58c8a5db8
SHA1 hash:
27e94ffde75282e6d70ddc31fed685c87c6a6e15
Link:
https://www.unpac.me/results/4858eae2-3099-4f95-a1c6-029d127981e9/
SH256 hash:
a7419640b97af3b82eba614a5595b48b8fe5fd904fea36cbf499468f51b38475
MD5 hash:
69b7d9525815c1345ff32d4fffa657c4
SHA1 hash:
792b6ffff6301f584f192b545f40c491117a5aa3
Link:
https://www.unpac.me/results/4858eae2-3099-4f95-a1c6-029d127981e9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Eldorado
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/a7419640b97af3b82eba614a5595b48b8fe5fd904fea36cbf499468f51b38475

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:upx_packed
Create hunting rule
Description:UPX packed file

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Link
https://www.virustotal.com/gui/file/a7419640b97af3b82eba614a5595b48b8fe5fd904fea36cbf499468f51b38475/details
  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/120060/

Comments