MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b6f0422e0ce7fd8f2ad23bc2ff2fab72b331e252810ce7a4582217a3bea32c67. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Intelligence File information Yara Comments

SHA256 hash: b6f0422e0ce7fd8f2ad23bc2ff2fab72b331e252810ce7a4582217a3bea32c67
SHA3-384 hash: 345e7538ebb7a1dc02a69d969b6c4018e37fbfd7b6612e8eb55e2e68dbac4c8d91280d32bebf8e5572b8c8fb27f1fba7
SHA1 hash: 28461e56f09813363ccc1fa686e48938afde7ec4
MD5 hash: 11b3ae60c845189bbec476f762476e69
humanhash: princess-arizona-yankee-neptune
File name:action_2.0.8.9.vir
Download: download sample
Signature ZeuS
File size:389'632 bytes
First seen:2020-07-19 16:47:17 UTC
Last seen:2020-07-19 19:11:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 739c6b0a9c9c9348d604f81247a19060
ssdeep 6144:XxCmihMpJzS6uPXrqsbrIyuaE9gYQSw1oKWUm0R5i+OFebc/q0A/oae:tihKzcZwmEu9U4mw5FvbCfAo1
TLSH ED84E0167F8AD023C0B1473C4D90D541FF9EF969A2991742FBAC316F89326C359B628B
Reporter @tildedennis
Tags:action


Twitter
@tildedennis
action version 2.0.8.9

Intelligence


File Origin
# of uploads :
3
# of downloads :
18
Origin country :
FR FR
Mail intelligence
No data
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Sending an HTTP GET request
Creating a file in the %temp% subdirectories
Reading critical registry keys
Creating a file
Deleting a recently created file
Reading Telegram data
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a TCP request to an infection source
Stealing user critical data
Result
Threat name:
Unknown
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Behaviour
Behavior Graph:
behaviorgraph top1 signatures2 2 Behavior Graph ID: 247186 Sample: action_2.0.8.9.vir Startdate: 19/07/2020 Architecture: WINDOWS Score: 100 64 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->64 66 Multi AV Scanner detection for domain / URL 2->66 68 Antivirus / Scanner detection for submitted sample 2->68 70 5 other signatures 2->70 8 action_2.0.8.9.exe 3 6 2->8         started        13 ceow.exe 2->13         started        process3 dnsIp4 62 2.0.8.9 FranceTelecom-OrangeFR France 8->62 54 C:\Users\user\AppData\Roaming\...\ceow.exe, PE32 8->54 dropped 72 Detected unpacking (changes PE section rights) 8->72 74 Detected unpacking (overwrites its own PE header) 8->74 76 Creates autostart registry keys with suspicious names 8->76 86 3 other signatures 8->86 15 ceow.exe 8->15         started        18 cmd.exe 1 8->18         started        78 Writes to foreign memory regions 13->78 80 Allocates memory in foreign processes 13->80 82 Creates a thread in another existing process (thread injection) 13->82 84 Injects a PE file into a foreign processes 13->84 20 mstsc.exe 12 13 13->20         started        file5 signatures6 process7 dnsIp8 88 Antivirus detection for dropped file 15->88 90 Multi AV Scanner detection for dropped file 15->90 92 Detected unpacking (changes PE section rights) 15->92 100 8 other signatures 15->100 24 cmd.exe 1 15->24         started        26 cmd.exe 1 15->26         started        28 cmd.exe 1 15->28         started        32 8 other processes 15->32 30 conhost.exe 18->30         started        56 specialnan.date 20->56 58 office365.bit 20->58 60 127.0.0.1 unknown unknown 20->60 52 C:\Users\user\AppData\Local\...\Preferences, ASCII 20->52 dropped 94 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 20->94 96 Contains functionality to inject threads in other processes 20->96 98 Disables Internet Explorer cookie cleaning (a user can no longer delete cookies) 20->98 102 4 other signatures 20->102 file9 signatures10 process11 process12 48 4 other processes 24->48 34 conhost.exe 26->34         started        36 sc.exe 1 26->36         started        38 conhost.exe 28->38         started        40 sc.exe 1 28->40         started        42 conhost.exe 32->42         started        44 conhost.exe 32->44         started        46 conhost.exe 32->46         started        50 10 other processes 32->50
Threat name:
Win32.Trojan.Chapak
Status:
Malicious
First seen:
2018-10-18 16:58:29 UTC
AV detection:
25 of 31 (80.65%)
Threat level
  5/5
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion trojan ransomware bootkit persistence
Behaviour
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Modifies data under HKEY_USERS
Suspicious use of AdjustPrivilegeToken
Launches sc.exe
Launches sc.exe
Adds Run key to start application
Adds Run key to start application
Reads user/profile data of web browsers
Loads dropped DLL
Deletes itself
Stops running service(s)
Executes dropped EXE
Stops running service(s)
Modifies WinLogon to allow AutoLogon
Executes dropped EXE
Modifies Windows Defender Real-time Protection settings
Modifies Windows Defender Real-time Protection settings
Threat name:
Unknown
Score:
1.00

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments