MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 becd0b29eedeb8014c64d7e46a7ab09d37954b2de283d46518bf2dbbaeb01fcb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: becd0b29eedeb8014c64d7e46a7ab09d37954b2de283d46518bf2dbbaeb01fcb
SHA3-384 hash: 9edeed4c9060dba93cf73b9672fd87f6c9b11af064ae4b8199060ba067b32b0be6a471762568f7f4891674e7960a4204
SHA1 hash: 43460ef219b5dc771124d7283308d7f527616f3c
MD5 hash: c365dfad521db206b6088b0b59fe151c
humanhash: table-chicken-berlin-xray
File name:新建文件夹.exe
Download: download sample
File size:3'750'400 bytes
First seen:2021-01-09 21:42:03 UTC
Last seen:2021-01-09 23:41:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4ce1662ab74b6fd55a91e4291647e4f8 (1 x CoinMiner)
ssdeep 98304:TK/mc4rd7/FJ4CF8s61476kPm9ApJ/K7hW17qZLEWYrScsN:ui/FJ4aV7RPmyWhW17qZg3sN
Threatray 9 similar samples on MalwareBazaar
TLSH E90633A8F5A27362E0720D7F321AC7015BD79EB95A3647DAEC20F24F1A2CBD39443815
Reporter r3dbU7z
Tags:exe Reconyc

Intelligence

File Origin
# of uploads :
2
# of downloads :
202
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.PECompact-2
Create hunting rule

PUA.Win.Packer.PecompactHeuris-1
Create hunting rule

PUA.Win.Packer.Pecompact-69
Create hunting rule

PUA.Win.Packer.Pecompact-72
Create hunting rule

PUA.Win.Packer.Pecompact-74
Create hunting rule

PUA.Win.Packer.Pecompact-75
Create hunting rule

PUA.Win.Adware.Softpulse-6693799-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the Windows subdirectories
Creating a process from a recently created file
Creating a file
Searching for the window
Sending a custom TCP request
Setting a new proxy server as a default one
DNS request
Sending an HTTP GET request
Sending a UDP request
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
bank.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/577362
Signature
Allocates memory in foreign processes
Checks if browser processes are running
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Sets a proxy for the internet explorer
Sigma detected: Executables Started in Suspicious Folder
Sigma detected: Execution in Non-Executable Folder
Sigma detected: Suspicious Program Location Process Starts
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 337731 Sample: #U65b0#U5efa#U6587#U4ef6#U5... Startdate: 09/01/2021 Architecture: WINDOWS Score: 100 81 Multi AV Scanner detection for dropped file 2->81 83 Multi AV Scanner detection for submitted file 2->83 85 Detected unpacking (changes PE section rights) 2->85 87 8 other signatures 2->87 7 #U65b0#U5efa#U6587#U4ef6#U5939.exe 3 9 2->7         started        11 windows update.exe 2 2->11         started        13 windows update.exe 2 2->13         started        process3 file4 35 C:\Windows\windos\AM.exe, PE32 7->35 dropped 37 C:\Windows\windos37etUtil.dll, PE32 7->37 dropped 39 C:\Windows\windos\Msvcr110.dll, PE32 7->39 dropped 41 C:\Windows\windos\MangoStatistic.dll, PE32 7->41 dropped 89 Detected unpacking (changes PE section rights) 7->89 91 Drops executables to the windows directory (C:\Windows) and starts them 7->91 15 AM.exe 9 7->15         started        93 Writes to foreign memory regions 11->93 95 Allocates memory in foreign processes 11->95 97 Injects a PE file into a foreign processes 11->97 19 svchost.exe 11->19         started        22 svchost.exe 11->22         started        24 svchost.exe 8 13->24         started        26 svchost.exe 2 13->26         started        signatures5 process6 dnsIp7 47 C:\Users\Public\Tencent program\svchost.exe, PE32 15->47 dropped 49 C:\Users\Public\...\MangoStatistic.dll, PE32 15->49 dropped 51 C:\Users\Public\Tencent program51etUtil.dll, PE32 15->51 dropped 53 C:\Users\Public\...\Msvcr110.dll, PE32 15->53 dropped 71 Writes to foreign memory regions 15->71 73 Allocates memory in foreign processes 15->73 75 Drops PE files with benign system names 15->75 77 Injects a PE file into a foreign processes 15->77 28 svchost.exe 3 1 15->28         started        33 svchost.exe 1 17 15->33         started        63 www.xiaoniu168.com 19->63 55 C:\Users\Public\...\ssleay32.dll, PE32 19->55 dropped 57 C:\Users\Public\...\makecert.exe, PE32 19->57 dropped 59 C:\Users\Public\...\libeay32.dll, PE32 19->59 dropped 61 3 other files (none is malicious) 19->61 dropped 79 System process connects to network (likely due to code injection or exploit) 19->79 65 www.xiaoniu168.com 24->65 file8 signatures9 process10 dnsIp11 67 116.204.169.199, 49725, 8000 MOACKCOLTD-AS-APMOACKCoLTDKR China 28->67 43 C:\Users\Public\...\windows update.exe, PE32 28->43 dropped 99 System process connects to network (likely due to code injection or exploit) 28->99 69 www.xiaoniu168.com 121.42.109.41, 80 CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd China 33->69 45 C:\Users\Public\Tencent program\efd.dll, PE32 33->45 dropped 101 Sets a proxy for the internet explorer 33->101 file12 signatures13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/becd0b29eedeb8014c64d7e46a7ab09d37954b2de283d46518bf2dbbaeb01fcb/
Threat name:
Win32.PUA.FlyStudio
Create hunting rule
Status:
Malicious
First seen:
2021-01-09 21:42:07 UTC
AV detection:
14 of 29 (48.28%)
Threat level:
  1/5
Verdict:
malicious
Similar samples:
22daeb4926cc6d795bdf53a3e5ba750a62c81aa85f9bcfb2c424577873f9164c
4bb4435958fa48762b34905fc5ac50c78878eccb33252f72cb037d664cb60fc9
4c19c15867d67267bd79c9304bcdfb4ddb894b4d79cf6e127ba4336ad67ba884
5d31ded12c6a8943f96522d5353af0d3bbb9a5ee81cef07db1c14c7cc0f117c6
75b388003cc32b680abc3d9b41bc6c435af723de235eaab36a323fddcb906f62
868183d6e80d3a977ea679492ad7c869469d39504d2f4bc29b4a599577093fcd
9b6c23ee51101f9e2542bb697e7b218e0a57d51ac6b577998cba351581aa7491
a578e71d04eae80004ab431497c95fb9779a95dc7f0c60996c24c1cb7139745d
bd668ef292ae01d2ed9a32b1ea054e2acb484f61e86481f306669637ba31ce82
Result
Malware family:
n/a
Score:
  8/10
Tags:
aspackv2 persistence
Link:
https://tria.ge/reports/210109-rakdz93mxn/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies registry class
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
JavaScript code in executable
Loads dropped DLL
ASPack v2.12-2.42
Executes dropped EXE
Unpacked files
SH256 hash:
a7aa27ea796b31bd5423fa2654db43b4d239519c649453074d9441ec6dc83aa7
MD5 hash:
597c971681e7ba12770a7eba79439620
SHA1 hash:
009de8c50bca1d4e4759e774b4ff4ce8a4fe45a0
Link:
https://www.unpac.me/results/d4021260-3a7f-4862-85a4-3850060ebd79/
SH256 hash:
857b1747d14c9bbe1e4067ff27228cf933e4a0194b3796c6be23876507a97f13
MD5 hash:
a17e7883ea86d349041379f8d17f150a
SHA1 hash:
02c21389fc0f849c123b65e719ad11fe268bf10a
Link:
https://www.unpac.me/results/d4021260-3a7f-4862-85a4-3850060ebd79/
SH256 hash:
a311642381608eca304ee7bb4c02ed6e31bb70e75bce7f41249e49f6872c513d
MD5 hash:
212c4f8921d163ada3f9ac42c3de5c9b
SHA1 hash:
138d84a1a330d945ad33126c908e50d51243a947
Link:
https://www.unpac.me/results/d4021260-3a7f-4862-85a4-3850060ebd79/
SH256 hash:
c8680ceef21526bb57abc9496eeabde8e5178884d0502d0243d75ae5c6f7658f
MD5 hash:
9635558d4fbc2103b59a77647e75080c
SHA1 hash:
5edba9573957265a01acb9187d3316944fb2285e
Link:
https://www.unpac.me/results/d4021260-3a7f-4862-85a4-3850060ebd79/
SH256 hash:
becd0b29eedeb8014c64d7e46a7ab09d37954b2de283d46518bf2dbbaeb01fcb
MD5 hash:
c365dfad521db206b6088b0b59fe151c
SHA1 hash:
43460ef219b5dc771124d7283308d7f527616f3c
Link:
https://www.unpac.me/results/d4021260-3a7f-4862-85a4-3850060ebd79/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
FlyStudio
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/becd0b29eedeb8014c64d7e46a7ab09d37954b2de283d46518bf2dbbaeb01fcb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments