MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b41864bcaa9443f1e9cf6457b3f6d7702fd7fa3fbdaae79e3033f2c82bb70a38. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b41864bcaa9443f1e9cf6457b3f6d7702fd7fa3fbdaae79e3033f2c82bb70a38
SHA3-384 hash: 4eeb7cb8a1ec296f9447b39e7871ca1681b1007beaf8ab55889198d19bdd51c85b2edfc7cd971a99e542b33f5f862ed3
SHA1 hash: fd54be0e93d629f070fe956226a50d3d8b491b83
MD5 hash: 201ab6dc5da2907194a7148f9fafb14e
humanhash: wisconsin-winter-georgia-nebraska
File name:201ab6dc5da2907194a7148f9fafb14e.exe
Download: download sample
File size:2'185'728 bytes
First seen:2021-02-16 20:07:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 49152:HVaYcEUtO1glcSTqcnFFbc29XpAEqKCiGGoR8iV:6EUtaO/FFHeExVoq
Threatray 17 similar samples on MalwareBazaar
TLSH A4A53362B2E90473E96457F41CAB820305313FB18E18D717635C866E8DB2BC6A5F6F2D
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
86
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/117438/
Detection(s):
SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Creating a file
Launching a process
Creating a window
Using the Windows Management Instrumentation requests
Creating a process from a recently created file
Deleting a recently created file
Sending a UDP request
Forced system process termination
Creating a file in the Windows subdirectories
Launching the process to interact with network services
Launching a service
Loading a system driver
Enabling autorun for a service
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/609460
Signature
Binary contains a suspicious time stamp
Bypasses PowerShell execution policy
Command shell drops VBS files
Contains functionality to start a terminal service
Creates a Windows Service pointing to an executable in C:\Windows
Multi AV Scanner detection for submitted file
Powershell drops PE file
Queries sensitive service information (via WMI, MSSMBios_RawSMBiosTables, often done to detect sandboxes)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Sigma detected: Dot net compiler compiles file from suspicious location
Uses cmd line tools excessively to alter registry or file data
Wscript starts Powershell (via cmd or directly)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 353758 Sample: xzmsM3qkT8.exe Startdate: 16/02/2021 Architecture: WINDOWS Score: 96 74 Multi AV Scanner detection for submitted file 2->74 76 Sigma detected: Dot net compiler compiles file from suspicious location 2->76 78 Contains functionality to start a terminal service 2->78 80 2 other signatures 2->80 12 xzmsM3qkT8.exe 1 6 2->12         started        14 rdpdr.sys 2->14         started        process3 process4 16 cmd.exe 5 12->16         started        file5 58 C:\Users\user\AppData\Local\Temp\start.vbs, ASCII 16->58 dropped 60 C:\Users\user\AppData\Local\Temp\ready.ps1, ASCII 16->60 dropped 72 Command shell drops VBS files 16->72 20 wscript.exe 1 16->20         started        23 conhost.exe 16->23         started        signatures6 process7 signatures8 82 Wscript starts Powershell (via cmd or directly) 20->82 84 Queries sensitive service information (via WMI, MSSMBios_RawSMBiosTables, often done to detect sandboxes) 20->84 25 powershell.exe 55 20->25         started        process9 dnsIp10 70 192.168.2.1 unknown unknown 25->70 66 C:\Windows\SysWOW64\rdpclip.exe, PE32+ 25->66 dropped 68 C:\Users\user\AppData\...\4ediq3ch.cmdline, UTF-8 25->68 dropped 86 Uses cmd line tools excessively to alter registry or file data 25->86 88 Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes) 25->88 90 Powershell drops PE file 25->90 30 reg.exe 25->30         started        33 cmd.exe 25->33         started        35 csc.exe 25->35         started        38 9 other processes 25->38 file11 signatures12 process13 file14 92 Creates a Windows Service pointing to an executable in C:\Windows 30->92 40 cmd.exe 33->40         started        62 C:\Users\user\AppData\Local\...\4ediq3ch.dll, PE32 35->62 dropped 42 cvtres.exe 35->42         started        64 C:\Users\user\AppData\Local\...\cmis4uaj.dll, PE32 38->64 dropped 44 cmd.exe 38->44         started        46 cvtres.exe 38->46         started        48 conhost.exe 38->48         started        50 3 other processes 38->50 signatures15 process16 process17 52 net.exe 40->52         started        54 net.exe 44->54         started        process18 56 net1.exe 52->56         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b41864bcaa9443f1e9cf6457b3f6d7702fd7fa3fbdaae79e3033f2c82bb70a38/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-02-16 06:16:20 UTC
AV detection:
13 of 29 (44.83%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
0d22efcba5ba1b7d3f159b2d75da6c08a81c734c9d16ea8b8e0db48602dab58b
2041d3956c7f57faada1dbb321525808811bdd7e3e88ded466296f9e2100fc73
2256580eed80d1262369169185bd9412062d0cb0d1aff219625aec76ca3ed5fb
2b1995968ff5b1b0c1bc81553052f425decebcb3333b9fc5b95343c4df69c33f
56af437f8b3b60b32b7cba77fa159138a777a48e98ce0215e8ec6f97ef12b223
60ccdec92b23413b1b5391cb9923931e5b151f0f5877f1f90d730f0fede5f365
b0fedb5fc4232c07ff1161ddcc830cf11596ba2653cc7cea1d5666b4bab1f276
b87295a4b2fb2d2f4df9d502d52e2f50a5e9b3ba9f56b17e252fa0f3022ae6f4
f2e928cf697e22da9dff49ec85e64be6cb60e00d02503649cf2a2230a487c310
f90041a9197917c980af0b2d8d724814436ef421833efb38584bc73b4a32f0fd
+ 7 additional samples on MalwareBazaar
Unpacked files
SH256 hash:
b41864bcaa9443f1e9cf6457b3f6d7702fd7fa3fbdaae79e3033f2c82bb70a38
MD5 hash:
201ab6dc5da2907194a7148f9fafb14e
SHA1 hash:
fd54be0e93d629f070fe956226a50d3d8b491b83
Link:
https://www.unpac.me/results/5316ecde-4bbb-423e-93e3-ebde159f86aa/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
NJRat
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b41864bcaa9443f1e9cf6457b3f6d7702fd7fa3fbdaae79e3033f2c82bb70a38

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe b41864bcaa9443f1e9cf6457b3f6d7702fd7fa3fbdaae79e3033f2c82bb70a38

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1000821/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/117438/

Comments