MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b6ec0b812392c3b7b5bd500c68934c4bcffe861bd43c734452db72d781de0f58. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 8



SHA256 hash: b6ec0b812392c3b7b5bd500c68934c4bcffe861bd43c734452db72d781de0f58
SHA3-384 hash: 98d8d3c3caf3f7172595509227f9554d3806ca3d7662d69350348b39b8df48881384875cb2174fe8e71895a1d725ac25
SHA1 hash: 00f9d8f878357794fef0402a7aa5c54495f7c937
MD5 hash: 2500f43c9f4df6befa21ef57b5eede89
humanhash: beryllium-oscar-kitten-ceiling
File name: b6ec0b812392c3b7b5bd500c68934c4bcffe861bd43c734452db72d781de0f58
File size: 295'936 bytes
First seen: 2021-03-04 20:17:16 UTC
Last seen: 2021-03-04 21:34:16 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f787ca9700f2a7ee7968e41ec048797f
ssdeep: 3072:gCjPBO+SySJ4VSDvqjB7zVYFY9G6HqwuLaC+6qyv3TJTKVdGZ1uKi12jZEvxGDqV:pPENl4ADvqMC9hqBH13TphlEvxGDNs1
Threatray: 48 similar samples on MalwareBazaar
TLSH: 8C541296DA33B2E6CAFD967353397438954C81271A2097830BDE3D8CAE559926C0F37C
Reporter: Anonymous
Tags: hvnc

Intelligence


File Origin
# of uploads: 2
# of downloads: 148
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: b6ec0b812392c3b7b5bd500c68934c4bcffe861bd43c734452db72d781de0f58
Verdict: Malicious activity
Analysis date: 2021-03-04 20:20:42 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Behaviour
Launching the default Windows debugger (dwwin.exe)
Sending a custom TCP request
Sending a UDP request
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: n/a
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Contains functionality to inject threads in other processes
Contains VNC / remote desktop functionality (version string found)
Creates an undocumented autostart registry key
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Searches for specific processes (likely to inject)
Writes to foreign memory regions
Yara detected Ramnit VNC Module
Behaviour
Threat name: Win32.Trojan.Graftor
Status: Malicious
First seen: 2021-03-04 20:18:10 UTC
AV detection: 22 of 28 (78.57%)
Threat level: 5/5
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SHA256 hash: 201ac385c711c96ec347fab6a4f7e13b77c397bdb2f16d4a4e0b3ba6459a3216
MD5 hash: 9230654d3952f925bb56edfaead9542a
SHA1 hash: 67fcf36c891a32929fc157da660950934e372781
SHA256 hash: b6ec0b812392c3b7b5bd500c68934c4bcffe861bd43c734452db72d781de0f58
MD5 hash: 2500f43c9f4df6befa21ef57b5eede89
SHA1 hash: 00f9d8f878357794fef0402a7aa5c54495f7c937
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments