MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bd0d884649509aece899372e0bea6f6dbe833b463e35206753dae69a0bc60632. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown


Vendor detections: 6



SHA256 hash: bd0d884649509aece899372e0bea6f6dbe833b463e35206753dae69a0bc60632
SHA3-384 hash: 7d2ba50533811f2a698760558fc0b5c1e60774c5ced68fcd608f7da73ded20dced529614f9edab4f3bbe610d189728e6
SHA1 hash: d1f9ce042613f50d6aa459adc047c502db6cccf1
MD5 hash: ade42f4b65885ceacfb8a05e680e9a93
humanhash: bakerloo-minnesota-aspen-aspen
File name: 我是图片.scr
File size: 8'641'121 bytes
First seen: 2021-02-18 14:43:29 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 9165ea3e914e03bda3346f13edbd6ccd (3 x ValleyRAT, 2 x QuasarRAT, 1 x Redosdru)
ssdeep: 196608:I8pLr4aWp3sORWLA1WO+57bC8CAe8TMjNHN+PI9xLoMPspyQC/32:I8ea9AWO+pC8CPjv+PtdyQCv2
TLSH: AC962232B5C34437C05366380DA6AB76A8B4BE111E34B957B7F4ED9CBF3624169222C7
Reporter: vm001cn
Tags: exe flystudio RAT

Intelligence

File Origin
# of uploads: 1
# of downloads: 122
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 我是图片.scr
Verdict: No threats detected
Analysis date: 2021-02-18 14:38:37 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request

Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: troj.expl.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
Contains functionality to detect sleep reduction / modifications
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (creates a PE file in dynamic memory)
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA with functions possibly related to HTTP operations
Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)
Drops PE files to the document folder of the user
Injects files into Windows application
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Behaviour
Behavior Graph:
Behavior Graph ID: 354842
Sample: #U6211#U662f#U56fe#U7247.scr (我是图片.scr)
Start date: 18/02/2021
Architecture: WINDOWS
Score: 100
Top-level signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 8 other signatures

Processes started from the sample:
  #U6211#U662f#U56fe#U7247.exe
    Dropped: C:\Users\user\AppData\Local\Temp\csrss2.exe (PE32); C:\Users\user\AppData\Local\...\krnln.fnr (PE32); C:\Users\user\AppData\Local\...\shell.fne (PE32)
    Started: csrss2.exe
  EXCEL.EXE
    Network: 192.168.2.1 (unknown)
    Signatures: Injects files into Windows application
  Synaptics.exe

csrss2.exe
  Dropped: C:\Users\user\Desktop\._cache_csrss2.exe (PE32); C:\ProgramData\Synaptics\Synaptics.exe (PE32); C:\ProgramData\Synaptics\RCXA9D8.tmp (PE32)
  Signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file
  Started: Synaptics.exe; ._cache_csrss2.exe

Synaptics.exe
  Network: googlehosted.l.googleusercontent.com 216.58.208.161 (ports 443, 49738, 49740; GOOGLEUS, United States); www-env.dropbox-dns.com 162.125.66.18 (ports 443, 49756, 49757; DROPBOXUS, United States); 12 other IPs or domains
  Dropped: C:\Users\user\Documents\~$cache1 (PE32); C:\Users\user\AppData\Local\...\mVFFcFgo.exe (PE32); C:\Users\user\AppData\Local\...\j9yGY4OE.xlsm (Microsoft)
  Signatures: Antivirus detection for dropped file; Drops PE files to the document folder of the user; Creates HTML files with .exe extension (expired dropper behavior); Contains functionality to detect sleep reduction / modifications
  Started: WerFault.exe

._cache_csrss2.exe
  Network: 123.58.182.203 (port 80; NETEASE-AS Guangzhou NetEase Computer System Co Ltd CN, China); 123.58.182.251 (port 80; NETEASE-AS Guangzhou NetEase Computer System Co Ltd CN, China); 5 other IPs or domains
  Signatures: Detected unpacking (creates a PE file in dynamic memory); Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Machine Learning detection for dropped file
Threat name: Win32.PUA.FlyStudio
Status: Malicious
First seen: 2021-02-18 09:13:59 UTC
AV detection: 20 of 29 (68.97%)
Threat level: 1/5
Verdict: malicious

Result
Malware family: n/a
Score: 1/10
Tags: n/a

Behaviour
Suspicious behavior: GetForegroundWindowSpam
Unpacked files
SHA256 hash: ad75817b147fbb02806c839e65f1a930d5448570545ab73066905f408c6db2dd
MD5 hash: c83fd1e6a621482a7db1bde0c2050b0c
SHA1 hash: d092a23fbe2af35e4d36fd91fc168b95aba5bb78

SHA256 hash: 96ca1aa12152995c31d69c29427e640bb77be1735b5320d068cc73dd8c01acab
MD5 hash: a4aa46a06d72f4813361e804525d1ad2
SHA1 hash: 5f368b5805c7cb6e0d0a454a1a230c309c6cf06b

SHA256 hash: e16093473ecd29273e97a31eab10a14389f8bf942a420dbb8a3a03fe936a3498
MD5 hash: 05d1bd713239ed64279fa3f010d7617e
SHA1 hash: 4f4ff25c8e856fef2a2ebdafcebbad9aed2fbd7f

SHA256 hash: b9eae90f8e942cc4586d31dc484f29079651ad64c49f90d99f86932630c66af2
MD5 hash: c0ef4d6237d106bf51c8884d57953f92
SHA1 hash: f1da7ecbbee32878c19e53c7528c8a7a775418eb

SHA256 hash: 4bed8a6e4e1548fddee40927b438132b47ef2aca6e9beb06b89fcf7714726310
MD5 hash: 1eece63319e7c5f6718562129b1572f1
SHA1 hash: 089ea3a605639eb1292f6a2a9720f0b2801b0b6e

SHA256 hash: 27056baf1b3d3b3d8174a610b7dec37d640a4eb6cdfb48e4e09c35aced6911f7
MD5 hash: faf650ef68ca45fa71ad9b5b0b948be8
SHA1 hash: 183a7e0f7518b8c5f29b1ccedc9702f55a2f7749

SHA256 hash: bd0d884649509aece899372e0bea6f6dbe833b463e35206753dae69a0bc60632
MD5 hash: ade42f4b65885ceacfb8a05e680e9a93
SHA1 hash: d1f9ce042613f50d6aa459adc047c502db6cccf1
Please note that we are no longer able to provide a coverage score for Virus Total.

File information
The table below shows additional information about this malware sample such as delivery method and external references.
