MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ab4b88ea37d6cfd5f6510acb73a14c27b5ef89f3a0103ac9f36cc465579c16c5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SHA256 hash: ab4b88ea37d6cfd5f6510acb73a14c27b5ef89f3a0103ac9f36cc465579c16c5
SHA3-384 hash: 663355fe1b77bdab2dd18932993b9793472dc69526fee3b292234744e508df8d2de596f9b8538d8610d0cca44ca54f61
SHA1 hash: c2d2f357706d48017f2f6abef992f9fc38964bc8
MD5 hash: daaf84966d5d348ba931443dc34e697e
humanhash: lima-three-india-chicken
File name: tasks_206.vir
Signature: n/a
File size: 336'956 bytes
First seen: 2020-07-19 16:47:09 UTC
Last seen: 2020-07-19 19:11:01 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 0148a442190df467afb5de84dac4c1ed
ssdeep: 6144:tz/vXPPKHRnL1WxnTHN+5frYhUm+lNH3L6kKfPHsN0T/VWM:N/fAFLsxnTHNSlx7gn53
TLSH: CF6412753B038D12ED9439B48EA281066A723C349F624E6F3857BF6DAF365C04F0665E
Reporter: @tildedennis
Tags: tasks


Twitter
@tildedennis
tasks version 206

Intelligence


File Origin
# of uploads: 4
# of downloads: 24
Origin country: FR
Mail intelligence
No data
Vendor Threat Intelligence
Detection: Clickfraudbot
Result
Verdict: Malware
Behaviour
Creating a window
Unauthorized injection to a recently created process
Connection attempt to an infection source
Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 100 / 100
Behaviour
Behavior Graph: ID 247179, sample tasks_206.vir, start date 19/07/2020, architecture WINDOWS, score 100 (the rendered process/network graph is not reproducible as text).
Threat name: Win32.Trojan.Kryptik
Status: Malicious
First seen: 2013-05-06 02:08:00 UTC
AV detection: 21 of 25 (84.00%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: persistence
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Modifies Internet Explorer settings
Modifies system certificate store
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Drops file in Windows directory
Drops file in System32 directory
Checks whether UAC is enabled
Adds Run key to start application
Deletes itself
Loads dropped DLL
Executes dropped EXE
Threat name: Unknown
Score: 1.00

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments