MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ac696ef5a12039b72e408b6b14e08823c407ee652a6a36b7c33d01cd8d373497. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ac696ef5a12039b72e408b6b14e08823c407ee652a6a36b7c33d01cd8d373497
SHA3-384 hash: dee0591187dce8b270af5f6b410c02d5514c110d2b7dc98b13efaa51cdfec297bf09189bd8c7a893c4a42ab7960e5578
SHA1 hash: 03c1c428cb2b478a7e9babec460795eb897c464b
MD5 hash: 67c2474a2fb201491c0ff5ff7ab783ea
humanhash: fruit-speaker-michigan-comet
File name:AnnualReport-17.12.exe
Download: download sample
File size:588'120 bytes
First seen:2020-12-17 19:54:22 UTC
Last seen:2020-12-17 21:51:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash cd93f429d031a34e98b5671cceb32a0b
ssdeep 12288:Oiu9UaIinYq2S4mgpe2Jfjp7rB5/g+CR0AdzdzeNgFU5YorZW:du9kinYq/b2Jpv/gxRzdTkY2ZW
Threatray 169 similar samples on MalwareBazaar
TLSH FEC4AF83B14430DCF4EF433BE9D64E25A6E2BC170A525E0911747FB5BF322909BD962A
Reporter James_inthe_box
Tags:exe

Code Signing Certificate

Organisation:COMODO RSA Extended Validation Code Signing CA
Issuer:COMODO RSA Certification Authority
Algorithm:sha384WithRSAEncryption
Valid from:Dec 3 00:00:00 2014 GMT
Valid to:Dec 2 23:59:59 2029 GMT
Serial number: 6DD472EB02AE0406E3DD843F5FE145E1
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: D1863B55A0629F32A5DAD867D02DF1D1A4550B23AC422B53581E79E548FD6617
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
112
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://sosefinawinnifredsullivan8-5ce0e.gr8.com/
Verdict:
Malicious activity
Analysis date:
2020-12-17 19:52:58 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9d8cbc3e-43b3-4471-b379-9f8bc6a2579e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/108390/
Detection(s):
SecuriteInfo.com.Generic.mg.67c2474a2fb20149.24154.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/565718
Signature
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ac696ef5a12039b72e408b6b14e08823c407ee652a6a36b7c33d01cd8d373497/
Verdict:
malicious
Similar samples:
093f2b5a9d4628d9331751d7e6d3582cf097ab3f4091463ec895052dee8d22c3
177b312a0c7c2d03be3b2916505fb3e9fdefe785330c74ac29e89cb22656367e
3f8460bc24307e53301d0e4981d54a52017b6594304f36efc49ba02d91348e71
700b77930bca3d819661978ac60e902e0e0367730389261ddfbc08b6856c7ada
a28cead812579eacf8d58be5b5ee55adc18409499108d4f5cc98acbf92c87531
a3b2528b5e31ab1b82e68247a90ddce9a1237b2994ec739beb096f71d58e3d5b
b5f8f3ecbf1f2276024ac2590a3ab257e9aacd9a773b6cb44af57776a8a1fc1e
cae79d8ceb527eb8367b1df9e916718e4329d2768ed0b7e61f7c406af9d21f31
e87a3aade32a0e9b09eede42d6e59ee32646adb37da99f8ae730f35582f65dc2
f5d920482e18df058cc0848a4e96d06af5322c05b3b61d3cf05800ab345d3edf
+ 159 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/201217-5jd9np39pa/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SH256 hash:
ac696ef5a12039b72e408b6b14e08823c407ee652a6a36b7c33d01cd8d373497
MD5 hash:
67c2474a2fb201491c0ff5ff7ab783ea
SHA1 hash:
03c1c428cb2b478a7e9babec460795eb897c464b
Link:
https://www.unpac.me/results/281ffdf3-390d-465f-91f4-c53ad2658788/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ac696ef5a12039b72e408b6b14e08823c407ee652a6a36b7c33d01cd8d373497

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Cobalt_functions
Create hunting rule
Author:@j0sm1
Description:Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/108390/

Comments