MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b9318666f15be8c73f3014e7abaa6337e5ca53fe5263e2f5b64cd2ad435d21eb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 5



SHA256 hash: b9318666f15be8c73f3014e7abaa6337e5ca53fe5263e2f5b64cd2ad435d21eb
SHA3-384 hash: 8209d0d258044e410a1feb5cf72bfe2c92f44f1b6714ec9ab6d96ac80774f8b86337bdca3bbf8d97315ff669f1286767
SHA1 hash: 0e0fcb44567c9ef2ce82a1e00e734e1cad402372
MD5 hash: 9f3b563a15c52fc14740c08c02072953
humanhash: victor-oven-one-fruit
File name: svchost.exe
File size: 2'957'512 bytes
First seen: 2020-11-20 13:34:18 UTC
Last seen: 2020-11-21 20:38:08 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: bc70c4fa605f17c85050b7c7b6d42e44 (15 x njrat, 12 x RedLineStealer, 10 x AgentTesla)
ssdeep: 49152:iQnPKkE81jPUAcYmvZ78krkZssAIkjGChQiAMZoEJAAis/5Ab5kyXJZ9Lh733vpL:dPKkESjmvvZ78KFIkyW5mAisA9Bbp9J
Threatray: 74 similar samples on MalwareBazaar
TLSH: 89D5331C70D80A76ED68537513EC32437B7B68D24BEC2213665EE8C20ED9968763972F
Reporter: James_inthe_box
Tags: exe

Code Signing Certificate

Organisation: AAA Certificate Services
Issuer: AAA Certificate Services
Algorithm: sha1WithRSAEncryption
Valid from: Jan 1 00:00:00 2004 GMT
Valid to: Dec 31 23:59:59 2028 GMT
Serial number: 01
Intelligence: 369 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Central Blocklist: This certificate is on the Cert Central blocklist
Thumbprint Algorithm: SHA256
Thumbprint: D7A7A0FB5D7E2731D771E9484EBCDEF71D5F0C3E0A2948782BC83EE0EA699EF4
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Note that the organisation and issuer fields are identical, the serial number is 01 and the validity period spans 24 years: that is the pattern of a self-signed root certificate, the trust anchor of the signing chain, not the end-entity certificate that signed this file. The sample count and blocklist entry above therefore describe the root, and the leaf certificate (subject, validity, revocation status) has to be read from the file's own Authenticode signature before any conclusion is drawn about who signed the sample.

Intelligence


File Origin
# of uploads: 2
# of downloads: 98
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Behaviour
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a window
Launching cmd.exe command interpreter
Using the Windows Management Instrumentation requests
DNS request
Delayed writing of the file
Creating a process from a recently created file
Deleting a recently created file
Adding an access-denied ACE
Connection attempt
Sending an HTTP POST request
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Deleting of the original file
Unauthorized injection to a system process
Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: troj.evad
Score: 54 / 100
Signature
Deletes itself after installation
Drops PE files with a suspicious file extension
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Certutil Command
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Behaviour
Behavior Graph:
Behavior Graph ID: 321183, Sample: svchost.exe, Startdate: 20/11/2020, Architecture: WINDOWS, Score: 54
Top-level signatures: Multi AV Scanner detection for submitted file; Uses ping.exe to sleep; Machine Learning detection for sample; 2 other signatures
Process tree (signatures, dropped files and network indicators are listed under the process that triggered them):
  svchost.exe (sample)
    cmd.exe
      cmd.exe  [Uses ping.exe to sleep]
        dropped file: C:\Users\user\AppData\Local\...\dllhost.com (PE32)
        dllhost.com
          dllhost.com  [Deletes itself after installation]
            DNS: rAiiQQZZDTHfMcSuylifDtsYazbc.rAiiQQZZDTHfMcSuylifDtsYazbc
        PING.EXE  -> 127.0.0.1
        PING.EXE  -> DNS: zpbTWPYwB.zpbTWPYwB
        3 other processes
      conhost.exe
      certutil.exe
    cmd.exe  [Drops PE files with a suspicious file extension]
      conhost.exe
  rundll32.exe
Threat name: Win32.Trojan.Alien
Status: Malicious
First seen: 2020-11-20 13:32:50 UTC
File Type: PE (Exe)
Extracted files: 24
AV detection: 20 of 29 (68.97%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: persistence
Behaviour
Enumerates processes with tasklist
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Deletes itself
Loads dropped DLL
Executes dropped EXE
Unpacked files
SHA256 hash: b9318666f15be8c73f3014e7abaa6337e5ca53fe5263e2f5b64cd2ad435d21eb
MD5 hash: 9f3b563a15c52fc14740c08c02072953
SHA1 hash: 0e0fcb44567c9ef2ce82a1e00e734e1cad402372
Please note that we are no longer able to provide a coverage score for Virus Total.
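Added example, not code from MalwareBazaar or from any of the sandbox vendors whose results appear above: the process-creation detection logic a SOC would derive from the signatures in this entry (ping.exe used to sleep against 127.0.0.1, a suspicious certutil command, a PE dropped and executed as dllhost.com from AppData, a Run key added for persistence, and system-binary names such as svchost.exe and dllhost.com used outside the Windows directory), run over constructed events modelled on the behaviour graph. Field names follow Sysmon Event ID 1 (Image, CommandLine, ParentImage); the records themselves, the ping repeat count and the reg.exe command line are assumptions, not captured telemetry.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:          # Sysmon Event ID 1 fields: Image, CommandLine, ParentImage
    image: str
    command_line: str
    parent_image: str


SYS = r"C:\Windows\System32"
TMP = r"C:\Users\user\AppData\Local\Temp"   # drop location under AppData\Local, as in the graph
CMD = SYS + r"\cmd.exe"

# Constructed events modelled on the behaviour graph; the ping repeat count
# and the reg.exe line are assumptions, not taken from the sandbox report.
SAMPLE_EVENTS = [
    ProcEvent(CMD, rf"cmd /c certutil -decode {TMP}\a.txt {TMP}\dllhost.com",
              r"C:\Users\user\Desktop\svchost.exe"),
    ProcEvent(SYS + r"\certutil.exe", rf"certutil -decode {TMP}\a.txt {TMP}\dllhost.com", CMD),
    ProcEvent(SYS + r"\PING.EXE", "ping 127.0.0.1 -n 15", CMD),
    ProcEvent(TMP + r"\dllhost.com", TMP + r"\dllhost.com", CMD),
    ProcEvent(SYS + r"\reg.exe",
              rf"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d {TMP}\dllhost.com",
              CMD),
    # benign noise: an admin pinging a real host, and a plain notepad launch
    ProcEvent(SYS + r"\PING.EXE", "ping fileserver01", CMD),
    ProcEvent(SYS + r"\notepad.exe", "notepad.exe", r"C:\Windows\explorer.exe"),
]


def ping_sleep(e):
    """'Uses ping.exe to sleep': ping of a loopback address with a repeat
    count (-n), spawned by cmd.exe, the classic batch-file delay."""
    img, cl = e.image.lower(), e.command_line.lower()
    return (img.endswith("\\ping.exe")
            and e.parent_image.lower().endswith("\\cmd.exe")
            and re.search(r"\b(127\.0\.0\.1|localhost)\b", cl) is not None
            and re.search(r"\s-n\s+\d+", cl) is not None)


def certutil_decode(e):
    """'Sigma detected: Suspicious Certutil Command': certutil used to decode
    or fetch a payload rather than to manage certificates."""
    return (e.image.lower().endswith("\\certutil.exe")
            and re.search(r"-(decode|decodehex|urlcache|verifyctl)\b",
                          e.command_line.lower()) is not None)


def pe_with_odd_extension(e):
    """'Drops PE files with a suspicious file extension' / 'Executes dropped
    EXE': a process started from AppData whose image has a non-.exe
    executable extension (the sandbox saw dllhost.com)."""
    img = e.image.lower()
    return img.endswith((".com", ".pif", ".scr")) and "\\appdata\\" in img


SYSTEM_NAMES = {"svchost", "dllhost", "conhost", "rundll32", "explorer", "lsass", "csrss"}


def masquerading(e):
    """Image named like a Windows system binary but running from outside the
    Windows directory (the sample is svchost.exe, the payload dllhost.com)."""
    img = e.image.lower()
    stem = img.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    return stem in SYSTEM_NAMES and "\\windows\\" not in img


def run_key_persistence(e):
    """'Adds Run key to start application': reg.exe adding a value under the
    Software\\Microsoft\\Windows\\CurrentVersion\\Run branch."""
    cl = e.command_line.lower()
    return (e.image.lower().endswith("\\reg.exe") and " add " in cl
            and "\\software\\microsoft\\windows\\currentversion\\run" in cl)


RULES = {
    "ping_sleep": ping_sleep,
    "certutil_decode": certutil_decode,
    "pe_with_odd_extension": pe_with_odd_extension,
    "masquerading": masquerading,
    "run_key_persistence": run_key_persistence,
}


def evaluate(events):
    """Map each rule name to the command lines of the events it matched."""
    hits = {name: [] for name in RULES}
    for e in events:
        for name, rule in RULES.items():
            if rule(e):
                hits[name].append(e.command_line)
    return hits


def distinct_behaviours(hits):
    """Number of rules with at least one hit. Each rule is noisy alone (admins
    ping, certutil has legitimate uses); several firing from one cmd.exe tree
    within seconds is what matches this sample's process tree."""
    return sum(1 for matched in hits.values() if matched)


if __name__ == "__main__":
    result = evaluate(SAMPLE_EVENTS)
    for name, matched in result.items():
        print(f"{name}: {len(matched)} hit(s)")
        for cl in matched:
            print("    ", cl)
    print("distinct behaviours:", distinct_behaviours(result))
```

The benign ping of fileserver01 and the notepad launch produce no hits, while the five constructed events from the cmd.exe chain each trigger exactly one rule; correlating the hit count per parent tree, rather than alerting on any single rule, is what keeps this usable outside a sandbox.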

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Other

Comments