MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a9ec6aa98e4855c955d1d2f8be710c2de52ab574fe1a3748b43bea75ea37a881. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 7



SHA256 hash: a9ec6aa98e4855c955d1d2f8be710c2de52ab574fe1a3748b43bea75ea37a881
SHA3-384 hash: 9b9c32db5a76b9b967831e089d3cab662d5fee92587d676adc1cc29242f8057f09debe4aa8861e2950caa61e88cb6357
SHA1 hash: 4d7ff94ed182398b2d7d80cbb74dee383011276b
MD5 hash: ebfe3cc196712a6c4b09fcc2c9790fd0
humanhash: tennis-equal-muppet-two
File name: SecuriteInfo.com.Trojan.Siggen12.25943.14679.4091
File size: 3'438'092 bytes
First seen: 2021-03-12 11:41:04 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep: 98304:S4H4DAQUO0GkALWUzDdfWISzjhGTdPi1TRJ:kDAQUO0Gk0WC5Wp2MTH
TLSH: 51F533155749C4B7F0BA8B391D58869EC7F77A1005781FA6B39C1AFD33A19C8C92C38A
Reporter: SecuriteInfoCom

Intelligence

File Origin
# of uploads: 1
# of downloads: 98
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% subdirectories
Creating a file in the Windows subdirectories
Creating a process from a recently created file
Deleting a recently created file
Launching a process
Creating a window
Creating a file
Creating a file in the Program Files subdirectories
Moving a file to the Program Files subdirectory
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Searching for the window
Moving a file to the Windows subdirectory
Enabling the 'hidden' option for recently created files
Sending a UDP request
Launching a tool to kill processes
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Deleting of the original file
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Deletes itself after installation
Detected VMProtect packer
Drops executables to the windows directory (C:\Windows) and starts them
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Potentially malicious time measurement code found
Sample is protected by VMProtect
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Behaviour
Behavior Graph:
Behavior Graph ID: 367823
Sample: SecuriteInfo.com.Trojan.Sig...
Start date: 12/03/2021
Architecture: WINDOWS
Score: 100
Sample-level signatures: Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; 8 other signatures

Process tree (indentation shows parent/child; "dropped" lists files written by that process):
SecuriteInfo.com.Trojan.Siggen12.25943.14679.exe (started)
    dropped: C:\Windows\SysWOW64\...\uninstall.exe (PE32); C:\Windows\SysWOW64\PluginManager\twus.exe (PE32); C:\Users\user\AppData\...\processwork.dll (PE32); C:\Users\user\AppData\Local\...\SelfDel.dll (PE32)
    signatures: Injects code into the Windows Explorer (explorer.exe); Drops executables to the windows directory (C:\Windows) and starts them; Writes to foreign memory regions
    twus.exe (started)
        dropped: C:\Users\user\AppData\Local\Temp\...\twus.tmp (PE32)
        twus.tmp (started)
            dropped: C:\Program Files (x86)\twus\is-QMAJ0.tmp (PE32); C:\Program Files (x86)\twus\is-4K2RA.tmp (PE32); C:\Windows\SysWOW64\Mornitor32\is-8SR87.tmp (PE32); 14 other files (none is malicious)
            signatures: Drops executables to the windows directory (C:\Windows) and starts them
            twustwus.exe (started)
                signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process
            taskkill.exe (started)
                conhost.exe (started)
            taskkill.exe (started)
                conhost.exe (started)
            jsjkjsjk.exe (started)
    explorer.exe (started)
        signatures: Deletes itself after installation
twustwus.exe (started)
    signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Threat name: Win32.Ransomware.GandCrab
Status: Malicious
First seen: 2021-03-06 07:03:00 UTC
AV detection: 25 of 28 (89.29%)
Threat level: 5/5
Verdict: malicious

Result
Malware family: n/a
Score: 8/10
Tags: discovery persistence vmprotect
Behaviour
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Deletes itself
Loads dropped DLL
Executes dropped EXE
VMProtect packed file
Unpacked files

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Executable exe a9ec6aa98e4855c955d1d2f8be710c2de52ab574fe1a3748b43bea75ea37a881 (this sample)
Delivery method: Distributed via web download