MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b36726aaf78b085d289247ffcd61dfe6121ebefe721bbbcd28f3327db73ece4c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b36726aaf78b085d289247ffcd61dfe6121ebefe721bbbcd28f3327db73ece4c
SHA3-384 hash: fa70629d66a833827853765a7bc156658598adcc0ee91815af36e88ca4d6662a6657be8e11e48a700448ec9b7e2d55d6
SHA1 hash: 10081260a0f36ef8046beaffc3454da41fe62362
MD5 hash: e8b534f89b0f23446b410e47ded4a76f
humanhash: kilo-nebraska-georgia-november
File name:SecuriteInfo.com.ArtemisE8B534F89B0F.17048
Download: download sample
File size:159'944 bytes
First seen:2020-11-16 22:42:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f58945a61a6b47043b44c62cae4e52d0
ssdeep 1536:Gco62MeKXUiRGY97wSRpGfNtI328Unt0I85M7BRv0avSCC:A6WpiA20qv282VvW
Threatray 22 similar samples on MalwareBazaar
TLSH 9EF3B4436763861EF7C50AB05F77C1A1A73B9EB1D71C7ACB1DD688C21EA29020563BB4
Reporter SecuriteInfoCom

Intelligence

File Origin
# of uploads :
1
# of downloads :
101
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.ArtemisE8B534F89B0F.17048.UNOFFICIAL
Create hunting rule

PUA.Win.Trojan.Generic-6629274-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Creating a file
Creating a window
Creating a file in the Program Files subdirectories
Moving a file to the Program Files subdirectory
Deleting a recently created file
Replacing files
Launching a process
Creating a file in the Windows subdirectories
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/538570
Signature
Antivirus / Scanner detection for submitted sample
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses ping.exe to check the status of other devices and networks
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 318381 Sample: SecuriteInfo.com.ArtemisE8B... Startdate: 17/11/2020 Architecture: WINDOWS Score: 84 46 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->46 48 Multi AV Scanner detection for domain / URL 2->48 50 Antivirus / Scanner detection for submitted sample 2->50 52 4 other signatures 2->52 7 SecuriteInfo.com.ArtemisE8B534F89B0F.exe 17 2->7         started        process3 dnsIp4 38 icaterp.com 50.63.161.194, 49732, 80 GO-DADDY-COM-LLCUS United States 7->38 40 masterdentalsolution.com 65.39.193.40, 49734, 80 COGECO-PEER1CA Canada 7->40 42 2 other IPs or domains 7->42 32 C:\Users\user\AppData\Local\...\CEA7.tmp.exe, PE32 7->32 dropped 34 C:\Users\user\AppData\...\pegasun1[1].exe, PE32 7->34 dropped 11 CEA7.tmp.exe 2 7->11         started        14 cmd.exe 1 7->14         started        file5 process6 dnsIp7 36 C:\Users\user\AppData\Local\...\CEA7.tmp.tmp, PE32 11->36 dropped 17 CEA7.tmp.tmp 32 143 11->17         started        44 127.0.0.1 unknown unknown 14->44 20 conhost.exe 14->20         started        22 PING.EXE 1 14->22         started        file8 process9 file10 24 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 17->24 dropped 26 C:\Program Files (x86)\...\is-T6B24.tmp, PE32 17->26 dropped 28 C:\Program Files (x86)\...\is-MS082.tmp, PE32 17->28 dropped 30 43 other files (none is malicious) 17->30 dropped
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b36726aaf78b085d289247ffcd61dfe6121ebefe721bbbcd28f3327db73ece4c/
Threat name:
Win32.Infostealer.Kpot
Create hunting rule
Status:
Malicious
First seen:
2020-11-16 19:45:12 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
0768091f99fd78ab38fa9cf9d062e589990dfb0f4cca263a171a17b0f6980ff1
0a38680744dee8b5b301b4877eaabebc2ac9791a72bcec60dffaddd990a18406
39067a6a8ac06d60189b34afbb9acd73e8e33aba91653c39a037c2f78f972f29
7c9eeac634ce6e1fb9079de077d07df63062a38626c59243f5b24f1d8924d60a
7fa4d0985ab3815937955768756e954d33a26c2c230399bbf0a547495764f11e
89b6341763b7e43e9616702513b7261434ce1042652403cddf2195bce2000c1b
8e7116f27e8c84422d2d5612765b45166a1a1144774a52e5107d74a7884e758f
a000e227ce8717391688d874e250b2797bcff21933d5b8c7ee5236ec73241d44
d4898d4aec91b789a3abb2d9e103eb1111d783a05a119ef7d1db9ab3811a79c2
db83d459b5418dc564aec8fd3dd1d70f5e6cf99cfa49d7584db1adbca446ce34
+ 12 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery
Link:
https://tria.ge/reports/201116-pm931vvfnn/
Behaviour
Modifies system certificate store
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Deletes itself
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
b36726aaf78b085d289247ffcd61dfe6121ebefe721bbbcd28f3327db73ece4c
MD5 hash:
e8b534f89b0f23446b410e47ded4a76f
SHA1 hash:
10081260a0f36ef8046beaffc3454da41fe62362
Link:
https://www.unpac.me/results/f6f7608b-baba-4217-b8d6-7361d3732d84/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe b36726aaf78b085d289247ffcd61dfe6121ebefe721bbbcd28f3327db73ece4c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/824223/
  
Delivery method
Distributed via web download

Comments