MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b384f43a2818ff05307d3559f82e00c33efc45b86ffbb1efe5c2d15716ce6b6c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 8



SHA256 hash: b384f43a2818ff05307d3559f82e00c33efc45b86ffbb1efe5c2d15716ce6b6c
SHA3-384 hash: 392facfdbdde9643cf31da1403f421279da3224bb363ef1acc2a4b381f46dc6dc1a231b0f0b53bf39f9fe9d24544ee4c
SHA1 hash: ae057c255dfc962447c98da603c2baf3c9044ae9
MD5 hash: 2b40a904ca1035eade33cd74e6219c0a
humanhash: diet-don-william-low
File name: sysctle.exe
File size: 4'809'284 bytes
First seen: 2022-06-30 08:23:37 UTC
Last seen: 2022-06-30 08:39:17 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash 5a594319a0d69dbc452e748bcf05892e (21 x ParallaxRAT, 20 x Gh0stRAT, 15 x NetSupport)
ssdeep 98304:8SiJ3GKQf9AAHciIQ7m3KJBz+36+zn715Z3PQC5Wle0ITCo:S3GKQi5iI4mzn55Z3Pl10/o
Threatray 13 similar samples on MalwareBazaar
TLSH T1E326123FF268A13EC4AA1B3245B39250587BBA65780A8C1E07FC394DCF765701E3B656
TrID 49.7% (.EXE) Inno Setup installer (109740/4/30)
19.5% (.EXE) InstallShield setup (43053/19/16)
18.8% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
4.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE): (icon image not reproduced)
dhash icon 5050d270cccc82ae (109 x Adware.Generic, 43 x LummaStealer, 42 x OffLoader)
Reporter stoerchl
Tags: exe
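Before analysing a downloaded copy, confirm it is the file this entry describes by recomputing the digests listed above. The Python below is an added example, not MalwareBazaar code; it computes all four digests the entry records with the standard library (SHA3-384 is hashlib.sha3_384 in Python 3.6 and later), reports any mismatch, and performs a cheap PE sanity check on the bytes. The FAKE_PE bytes are a constructed placeholder, not the real sample, so they are expected to mismatch the entry's hashes; check_file and its path argument are illustrative helpers.

```python
import hashlib

# Digests recorded in this MalwareBazaar entry for sysctle.exe.
ENTRY_HASHES = {
    "sha256": "b384f43a2818ff05307d3559f82e00c33efc45b86ffbb1efe5c2d15716ce6b6c",
    "sha3_384": "392facfdbdde9643cf31da1403f421279da3224bb363ef1acc2a4b381f46dc6dc1a231b0f0b53bf39f9fe9d24544ee4c",
    "sha1": "ae057c255dfc962447c98da603c2baf3c9044ae9",
    "md5": "2b40a904ca1035eade33cd74e6219c0a",
}


def digests(data: bytes) -> dict:
    """Return the four digests MalwareBazaar records, as lowercase hex."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
    }


def verify(data: bytes, expected: dict) -> dict:
    """Compare computed digests with an entry's values.

    Returns {algorithm: (expected, actual)} for every mismatch; an empty dict
    means the bytes are exactly the sample the entry describes.
    """
    actual = digests(data)
    return {
        algo: (value.lower(), actual[algo])
        for algo, value in expected.items()
        if actual[algo] != value.lower()
    }


def is_pe(data: bytes) -> bool:
    """Sanity check matching the entry's 'Executable exe' / x-dosexec type:
    an 'MZ' DOS header whose e_lfanew field points at the 'PE' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def check_file(path: str, expected: dict = ENTRY_HASHES):
    """Illustrative helper (assumed, not from the page): read a local copy and
    return (looks_like_pe, mismatches)."""
    with open(path, "rb") as f:
        data = f.read()
    return is_pe(data), verify(data, expected)


# Constructed stand-in for a sample: a minimal DOS header whose e_lfanew
# (offset 0x3C) points at a 'PE\0\0' signature at offset 0x40. Not the real file.
FAKE_PE = b"MZ" + b"\0" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\0\0" + b"\0" * 20
```

Run check_file("sysctle.exe") on the downloaded copy; anything other than (True, {}) means you are not looking at the sample this entry describes, and the mismatch dict tells you which digest disagrees.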

Intelligence


File Origin
# of uploads: 2
# of downloads: 217
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating synchronization primitives
Searching for synchronization primitives
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Enabling the 'hidden' option for recently created files
Creating a file
Running batch commands
Launching a process
Adding an access-denied ACE
Launching a tool to kill processes
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Sending a TCP request to an infection source
Enabling autorun by creating a file
Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
MalwareBazaar
CheckNumberOfProcessor
CheckCmdLine
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 60%
Tags: overlay packed setupapi.dll shell32.dll
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: spyw.evad
Score: 92 / 100
Signature
Detected unpacking (overwrites its own PE header)
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
Queries disk data (e.g. SMART data)
Snort IDS alert for network traffic
Tries to detect virtualization through RDTSC time measurements
Behaviour
Behavior Graph (ID 654929; sample sysctle.exe; start date 30/06/2022; architecture WINDOWS; score 92)

Top-level signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 3 other signatures

Process tree reconstructed from the graph (file paths are truncated as on the page):

sysctle.exe
  dropped: C:\Users\user\AppData\Local\...\sysctle.tmp (PE32)
  signature: Obfuscated command line found
  -> sysctle.tmp
       dropped: C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
       -> sysctle.exe
            dropped: C:\Users\user\AppData\Local\...\sysctle.tmp (PE32)
            signature: Obfuscated command line found
            -> sysctle.tmp
                 dropped: C:\Users\user\AppData\...\is-AJIT1.tmp (PE32)
                 dropped: C:\Users\user\AppData\...\diskinfo.scr (copy) (PE32)
                 dropped: C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
                 -> diskinfo.scr
                      signature: Injects a PE file into a foreign processes
                      -> diskinfo.scr
                           network: 185.215.113.73 (source ports 49773, 49774, 49775), WHOLESALECONNECTIONSNL, Portugal
                           signature: Queries disk data (e.g. SMART data)
                 -> cmd.exe
                      -> conhost.exe
                      -> icacls.exe
                      -> icacls.exe
                 -> taskkill.exe
                      -> conhost.exe
diskinfo.scr (second start node)
  -> diskinfo.scr
Result
Malware family: n/a
Score: 10/10
Tags: bootkit discovery persistence suricata
Behaviour
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Writes to the Master Boot Record (MBR)
Checks computer location settings
Deletes itself
Drops startup file
Loads dropped DLL
Modifies file permissions
Executes dropped EXE
suricata: ET MALWARE Win32/Delf.BLL Variant CnC Activity (Inbound)
suricata: ET MALWARE Win32/Delf.BLL Variant CnC Activity (Outbound)
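The two behaviour lists above describe one chain from different angles: the first sandbox's "Adding an access-denied ACE", "Launching a tool to kill processes" and "Unauthorized injection to a recently created process" entries, and the second's taskkill, SetThreadContext, WriteProcessMemory and Suricata lines, all correspond to the process tree in the behaviour graph (sysctle.tmp spawning cmd.exe/icacls.exe and taskkill.exe, diskinfo.scr starting a second copy of itself, that copy connecting to 185.215.113.73). The Python below is an added example, not anything shipped by MalwareBazaar or by the sandboxes; it encodes five host-telemetry heuristics for that chain and runs them over constructed Sysmon-style process-creation and network-connection events. The event schema, PIDs, full paths, command lines (including the icacls deny argument) and the single-process-tree assumption are mine; only the image names and the 185.215.113.73 address come from this entry.

```python
import ipaddress
import re

# Executables under a user's AppData tree (Roaming, Local, Local\Temp): where the
# sandbox saw sysctle.tmp, _setup64.tmp, is-AJIT1.tmp and diskinfo.scr land.
APPDATA_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def in_appdata(path: str) -> bool:
    return bool(APPDATA_RE.match(path))


def is_public(ip: str) -> bool:
    """True for routable addresses; RFC1918, loopback, link-local etc. are excluded."""
    a = ipaddress.ip_address(ip)
    return not (a.is_private or a.is_loopback or a.is_link_local or a.is_multicast or a.is_reserved)


def detect(events):
    """Return sorted (rule, pid) pairs for the behaviours this entry's sandboxes reported.

    `events` is a list of dicts in an assumed Sysmon-like shape:
      process_create: type, pid, image, parent_image, cmdline
      network_connect: type, pid, image, dst_ip
    """
    alerts = set()
    for e in events:
        if e["type"] == "process_create":
            img, parent, cmd = e["image"], e["parent_image"], e["cmdline"].lower()
            name = basename(img)
            # A .scr (screensaver) run as an ordinary program from AppData:
            # "Executes dropped EXE" on an extension many allow-lists overlook.
            if name.endswith(".scr") and in_appdata(img):
                alerts.add(("scr_from_appdata", e["pid"]))
            # icacls adding a deny ACE on something under AppData:
            # "Adding an access-denied ACE" / "Modifies file permissions".
            if name == "icacls.exe" and "/deny" in cmd and "\\appdata\\" in cmd:
                alerts.add(("icacls_deny_ace", e["pid"]))
            # taskkill launched by a parent that itself lives in AppData:
            # "Launching a tool to kill processes" / "Kills process with taskkill".
            if name == "taskkill.exe" and in_appdata(parent):
                alerts.add(("taskkill_from_appdata", e["pid"]))
            # A process in AppData starting a second copy of its own image. Combined with
            # SetThreadContext/WriteProcessMemory this is the hollowing pattern behind
            # "Injects a PE file into a foreign process"; on its own it is only a hint.
            if in_appdata(img) and img.lower() == parent.lower():
                alerts.add(("self_spawn_hollowing", e["pid"]))
        elif e["type"] == "network_connect":
            # A .scr process reaching a public address: the C2 check-in that the
            # Snort/Suricata signatures on this page flagged.
            if basename(e["image"]).endswith(".scr") and is_public(e["dst_ip"]):
                alerts.add(("scr_public_connect", e["pid"]))
    return sorted(alerts)


# Constructed sample events modelled on the page's process tree. PIDs, full paths
# and command lines are made up; the image names and the IP come from the entry.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 4100, "image": r"C:\Users\user\AppData\Local\Temp\sysctle.tmp",
     "parent_image": r"C:\Users\user\Downloads\sysctle.exe", "cmdline": "sysctle.tmp"},
    {"type": "process_create", "pid": 4200, "image": r"C:\Users\user\AppData\Roaming\diskinfo.scr",
     "parent_image": r"C:\Users\user\AppData\Local\Temp\sysctle.tmp", "cmdline": "diskinfo.scr"},
    {"type": "process_create", "pid": 4300, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Users\user\AppData\Local\Temp\sysctle.tmp",
     "cmdline": r'cmd.exe /c icacls "C:\Users\user\AppData\Roaming\diskinfo.scr" /deny *S-1-1-0:(DE,DC)'},
    {"type": "process_create", "pid": 4400, "image": r"C:\Windows\System32\icacls.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'icacls "C:\Users\user\AppData\Roaming\diskinfo.scr" /deny *S-1-1-0:(DE,DC)'},
    {"type": "process_create", "pid": 4500, "image": r"C:\Windows\System32\taskkill.exe",
     "parent_image": r"C:\Users\user\AppData\Local\Temp\sysctle.tmp", "cmdline": "taskkill /f /im diskinfo.scr"},
    {"type": "process_create", "pid": 4600, "image": r"C:\Users\user\AppData\Roaming\diskinfo.scr",
     "parent_image": r"C:\Users\user\AppData\Roaming\diskinfo.scr", "cmdline": "diskinfo.scr"},
    {"type": "network_connect", "pid": 4600, "image": r"C:\Users\user\AppData\Roaming\diskinfo.scr",
     "dst_ip": "185.215.113.73"},
    # Benign control that must not fire anything.
    {"type": "process_create", "pid": 4700, "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule:24s} pid={pid}")
```

The self-spawn rule is deliberately the weakest of the five: Sysmon process-creation events cannot see SetThreadContext or WriteProcessMemory, so a parent starting a copy of itself is only a candidate for hollowing and should be corroborated with process-access (Sysmon event 10) or EDR telemetry before it is treated as the injection the sandboxes reported. The icacls and taskkill rules, by contrast, match concrete command-line content and are cheap to run across a fleet.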
Unpacked files
SHA256: dae3e86d0edc2f2da40d075def80b57c989614cedcd916f83c9b89f7202216da
  MD5: af35ead2d618bf7b43ed32b16f3ea1a6
  SHA1: f064f108837dc084df735a8a99eaca8c5422035a
SHA256: 4398416ec84b1e80876d5ced3b595cd2ac5685954c179c37c2253b6c76539054
  MD5: c8c179caa75e7da9ac8aea69ec7b8245
  SHA1: 2ee1c267e3e94c51f766109f17621df7599d64b7
SHA256: 992333b8c5f916ccf849dd1132e2f13e0c510fa371bf3ba4afae40d6e06be293
  MD5: ad38103ee2d9f304b2f3bad576e0659a
  SHA1: d1c4a477428c1095d5c43cd2427e19374870646f
SHA256: b384f43a2818ff05307d3559f82e00c33efc45b86ffbb1efe5c2d15716ce6b6c
  MD5: 2b40a904ca1035eade33cd74e6219c0a
  SHA1: ae057c255dfc962447c98da603c2baf3c9044ae9
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method: Other

Comments