MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b06ce74a41d1cfd7bc73dc8b67417f1c17c85d9570f88fb842e124c9eb0c29ea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b06ce74a41d1cfd7bc73dc8b67417f1c17c85d9570f88fb842e124c9eb0c29ea
SHA3-384 hash: cf78780021f20b20629c02d049f396b169e6e0b1499e0231b0408913a8cd07b9d2b4a474af2c3d06b7ee2a51f77ec51e
SHA1 hash: 187125949c88663397f510f6a179e330059be749
MD5 hash: 90070741e9c025f841f47f0c3adee3d2
humanhash: wolfram-texas-oscar-jig
File name:b06ce74a41d1cfd7bc73dc8b67417f1c17c85d9570f88fb842e124c9eb0c29ea
Download: download sample
File size:12'451'008 bytes
First seen:2021-03-29 08:17:36 UTC
Last seen:2021-03-29 08:43:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash bdc5a9caae3c3cac8c0aed5418f3c304
ssdeep 98304:09Yyb5er5PTIHykLIbh94WsUPSifcDeFPPA//FIqNN0qNIMEJLhk/vql9lVYPjOH:09berPbnK+yei/icN0NMEE3WqlE9VWk
Threatray 597 similar samples on MalwareBazaar
TLSH D9C60101EAC19577D8B201B412BB97BA5D3AA5202729C5D3A7C438787D307D16A3F3EE
Reporter JAMESWT_WT
Tags:Bisoyetutu Ltd Ltd signed

Code Signing Certificate

Organisation:Bisoyetutu Ltd Ltd
Issuer:Sectigo RSA Code Signing CA
Algorithm:sha256WithRSAEncryption
Valid from:2021-03-18T00:00:00Z
Valid to:2022-03-18T23:59:59Z
Serial number: 262ca7ae19d688138e75932832b18f9d
Intelligence: 9 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 55dd0f160ab77ef1feff218774fe4760ed9f7b87ce650e95c76c04e15cd00b2a
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
107
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b06ce74a41d1cfd7bc73dc8b67417f1c17c85d9570f88fb842e124c9eb0c29ea
Verdict:
Malicious activity
Analysis date:
2021-03-29 08:22:47 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a7f703e7-a9eb-4d19-9144-32fdb82d3dbe

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/127519/
Detection(s):
SecuriteInfo.com.Trojan.Siggen12.56824.15369.8792.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Unauthorized injection to a recently created process
Launching cmd.exe command interpreter
Launching a process
DNS request
Creating a file in the %temp% directory
Creating a file in the Program Files subdirectories
Creating a process from a recently created file
Sending a TCP request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Gathering data
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/656630
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Hijacks the control flow in another process
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file has nameless sections
Tries to detect virtualization through RDTSC time measurements
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 377247 Sample: StF5kb6YwZ Startdate: 29/03/2021 Architecture: WINDOWS Score: 96 44 t1.cloudshielding.xyz 2->44 52 Antivirus detection for dropped file 2->52 54 Multi AV Scanner detection for dropped file 2->54 56 Multi AV Scanner detection for submitted file 2->56 58 3 other signatures 2->58 9 StF5kb6YwZ.exe 2->9         started        signatures3 process4 signatures5 60 Detected unpacking (changes PE section rights) 9->60 62 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 9->62 64 Hijacks the control flow in another process 9->64 66 2 other signatures 9->66 12 StF5kb6YwZ.exe 5 9->12         started        process6 dnsIp7 46 t1.cloudshielding.xyz 195.181.169.92, 443, 49712, 49743 CDN77GB United Kingdom 12->46 48 srv2.checkblanco.xyz 12->48 40 C:\Program Files (x86)\...\prun.exe, PE32 12->40 dropped 42 C:\Program Files (x86)\...\appsetup.exe, PE32 12->42 dropped 68 Adds a directory exclusion to Windows Defender 12->68 17 cmd.exe 1 12->17         started        20 cmd.exe 1 12->20         started        22 cmd.exe 1 12->22         started        24 14 other processes 12->24 file8 signatures9 process10 signatures11 50 Adds a directory exclusion to Windows Defender 17->50 26 powershell.exe 7 17->26         started        28 powershell.exe 5 20->28         started        30 powershell.exe 5 22->30         started        32 powershell.exe 5 24->32         started        34 powershell.exe 5 24->34         started        36 powershell.exe 24->36         started        38 8 other processes 24->38 process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b06ce74a41d1cfd7bc73dc8b67417f1c17c85d9570f88fb842e124c9eb0c29ea/
Threat name:
Win32.Trojan.Emotet
Create hunting rule
Status:
Malicious
First seen:
2021-03-29 08:18:09 UTC
File Type:
PE (Exe)
Extracted files:
35
AV detection:
13 of 48 (27.08%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
04c950e9fb1cf6ff2de10fd17f04191f8e938189766482ef856efa2581df8dbb
064cad19bee4580a82bc4ee3558e8510100ebba8da83720749f553cc411d5cb3
06fa1b160e322bd7710c9110b1e4e873795b5c2680b8bbe70bbaf23484533459
173240b443fdb5cc7ed97cf6eedeb0d823924df3dab6d468c9da2898443f3ac6
1bceb4e84115eabb8bf3df704b5cc014834ca08b126451ae95d60a968e66d666
38272fb3fbcabee6980aeb4be9ae17147a7979dc415cb3cfbedc48cc298bbefa
3a64941353e52a3d8fb3bc898189a0d684b1a88a9c5fdbc496ef58738f42c444
67b662f28ef6c6a148443ebece272e63e7eeb9d366032b4366fe459b7c5c41f8
6c131f342e8226706ba1b39cc955852b022130c14ea12bd3b3cf340bbea25bf6
7e88f1c425154e6fff6d031aaaa4d8bb4c8ff131e429f44310fd936bfc08b357
+ 587 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/210329-94bqxp2d5e/
Behaviour
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Adds Run key to start application
Executes dropped EXE
Unpacked files
SH256 hash:
8fe1c054a8aa93d5b498c3302a3b34656e208913d21d5f62e605eec2b75f5bbc
MD5 hash:
f1a4d7af74740559ba2baa84db5b710f
SHA1 hash:
c82f21b07f177b0954d98cf5eed5acdec3d4f095
Link:
https://www.unpac.me/results/f7ced74d-a2a4-4f55-93cb-6a7253eed28c/
SH256 hash:
b06ce74a41d1cfd7bc73dc8b67417f1c17c85d9570f88fb842e124c9eb0c29ea
MD5 hash:
90070741e9c025f841f47f0c3adee3d2
SHA1 hash:
187125949c88663397f510f6a179e330059be749
Link:
https://www.unpac.me/results/f7ced74d-a2a4-4f55-93cb-6a7253eed28c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b06ce74a41d1cfd7bc73dc8b67417f1c17c85d9570f88fb842e124c9eb0c29ea

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/127519/

Comments