MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b6bfb18cb265786cbf4373a6dc82d4b8ec586d90f6a6e2cc72a1a3d20b60dda9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b6bfb18cb265786cbf4373a6dc82d4b8ec586d90f6a6e2cc72a1a3d20b60dda9
SHA3-384 hash: 0086a5343c4438072c2b23d93884dead27aaddc40e79b4fed4ecd6108f6ddd8fd2e7a228da8204a8bc99b267165657d9
SHA1 hash: 5dbe2cf5b3bcebbaff5f3428303f3acb2afac1e2
MD5 hash: 93756e29b83c7fcde7846a1dfd30da6a
humanhash: winter-bulldog-earth-rugby
File name:TOOL.exe
Download: download sample
File size:16'091'867 bytes
First seen:2020-11-24 08:38:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ba54e48d0f0346b349e9f7a2c8ecaf5c (1 x ValleyRAT)
ssdeep 393216:Ol4DDxi9c5hlER35ShR4uw22WmfDZHZTtN3ZWAgiQx6w:g4XxOEhkpQ2z7/tN34Q
Threatray 2 similar samples on MalwareBazaar
TLSH D5F63346B222147CE442E277ECA16838C133B4175F58652F6B6D23349BE32ED3E75B62
Reporter Anonymous

Intelligence

File Origin
# of uploads :
1
# of downloads :
125
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Sending a UDP request
Creating a file
Deleting a recently created file
Running batch commands
Creating a process with a hidden window
Launching a process
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/545801
Signature
Antivirus / Scanner detection for submitted sample
DLL side loading technique detected
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Uses ipconfig to lookup or modify the Windows network settings
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 321995 Sample: TOOL.exe Startdate: 24/11/2020 Architecture: WINDOWS Score: 76 49 ip-api.com 2->49 51 api.telegram.org 2->51 53 api.mylnikov.org 2->53 61 Antivirus / Scanner detection for submitted sample 2->61 63 Multi AV Scanner detection for submitted file 2->63 65 May check the online IP address of the machine 2->65 67 3 other signatures 2->67 9 TOOL.exe 501 2->9         started        signatures3 process4 file5 43 C:\Users\user\AppData\...\VCRUNTIME140.dll, Unknown 9->43 dropped 45 C:\Users\user\AppData\...\TOOL.exe.manifest, Unknown 9->45 dropped 12 TOOL.exe 9 9->12         started        process6 dnsIp7 55 raw.githubusercontent.com 12->55 57 ip-api.com 208.95.112.1, 49724, 49751, 49760 TUT-ASUS United States 12->57 59 2 other IPs or domains 12->59 47 C:\Users\user\AppData\...\CommandCam.exe, PE32 12->47 dropped 16 cmd.exe 1 12->16         started        18 cmd.exe 1 12->18         started        20 cmd.exe 1 12->20         started        22 6 other processes 12->22 file8 process9 process10 24 WMIC.exe 1 16->24         started        27 conhost.exe 16->27         started        29 conhost.exe 18->29         started        37 3 other processes 18->37 31 conhost.exe 20->31         started        39 2 other processes 20->39 33 CommandCam.exe 1 1 22->33         started        35 conhost.exe 22->35         started        41 7 other processes 22->41 signatures11 69 DLL side loading technique detected 24->69
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b6bfb18cb265786cbf4373a6dc82d4b8ec586d90f6a6e2cc72a1a3d20b60dda9/
Threat name:
Win64.Trojan.Wacatac
Create hunting rule
Status:
Suspicious
First seen:
2020-10-31 09:30:03 UTC
AV detection:
11 of 28 (39.29%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
13af08593a4bd73dfcf9620842e8c86b24d6e30a2afe5b17aee21274eaf8a8b3
8d3c6da3f4d6513a1d38058a6cf6028e0c07210a5c0509f47150152362093636
Result
Malware family:
n/a
Score:
  7/10
Tags:
pyinstaller
Link:
https://tria.ge/reports/201124-q3tfajscv2/
Behaviour
Creates scheduled task(s)
Gathers network information
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
JavaScript code in executable
Looks up external IP address via web service
Loads dropped DLL
Unpacked files
SH256 hash:
b6bfb18cb265786cbf4373a6dc82d4b8ec586d90f6a6e2cc72a1a3d20b60dda9
MD5 hash:
93756e29b83c7fcde7846a1dfd30da6a
SHA1 hash:
5dbe2cf5b3bcebbaff5f3428303f3acb2afac1e2
Link:
https://www.unpac.me/results/e9d796b4-761a-4afb-b9ca-9fdaeac1508c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b6bfb18cb265786cbf4373a6dc82d4b8ec586d90f6a6e2cc72a1a3d20b60dda9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:PE_File_pyinstaller
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Description:Detect PE file produced by pyinstaller
Reference:https://isc.sans.edu/diary/21057
Rule name:Ponmocup
Create hunting rule
Author:Danny Heppener, Fox-IT
Description:Ponmocup plugin detection (memory)
Reference:https://foxitsecurity.files.wordpress.com/2015/12/foxit-whitepaper_ponmocup_1_1.pdf
Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller.
Rule name:Stealer_word_in_memory
Create hunting rule
Author:James_inthe_box
Description:The actual word stealer in memory

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments