MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c1144e14f61b4b21b4278969ce02abbd8528ba44172fccc190f1cbf28bf84d7c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c1144e14f61b4b21b4278969ce02abbd8528ba44172fccc190f1cbf28bf84d7c
SHA3-384 hash: 6cee20543958b29063a55ff18801ee1fbc773e9f523aa4f24f4c3f471d080964ac9d85a68adb5785d0ea0588269e3b84
SHA1 hash: 809d855b393015a54f0e7c067b8e1a8fd7694092
MD5 hash: 48cb3fb9515c76627660f9c7716d68f6
humanhash: arizona-oven-iowa-bravo
File name:48cb3fb9515c76627660f9c7716d68f6.exe
Download: download sample
File size:4'273'152 bytes
First seen:2022-03-14 19:07:31 UTC
Last seen:2022-04-20 10:24:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 511cff895609a1cf1f0a80aeee92ffc8 (3 x ZeuS, 2 x CryptBot)
ssdeep 98304:6bi+DUqk50OprFD8W6anm6qy2IlCiQl86sUBBVLmg7QYos:6dDNk54AqPziQlHQu3
Threatray 9'978 similar samples on MalwareBazaar
TLSH T1CF16339A128756B9C1A4FF76123108FA03CBBD5B77D16E63C22FA83188416ED6747B13
File icon (PE):PE icon
dhash icon b270f8c4e4b4e4c0 (2 x ZeuS, 2 x CryptBot, 1 x RedLineStealer)
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
186
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/250395/
Detection(s):
SecuriteInfo.com.Variant.Zusy.416597.1606.28342.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Searching for analyzing tools
Searching for the window
Creating a window
Running batch commands
Creating a process with a hidden window
Creating a file in the %temp% subdirectories
Using the Windows Management Instrumentation requests
Reading critical registry keys
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
autoit packed
Link:
https://www.filescan.io/uploads/622f9298dfdfa8501c9f865a/reports/f2660f24-f203-4af6-bcb7-11f3f5d744fa/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Zeus
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a9d93b3a-148a-4330-abe8-316b7cda3ce4
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/956487
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sigma detected: Copying Sensitive Files with Credential Data
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 588965 Sample: kyFP57nrCE.exe Startdate: 14/03/2022 Architecture: WINDOWS Score: 100 43 Multi AV Scanner detection for domain / URL 2->43 45 Antivirus detection for URL or domain 2->45 47 Antivirus / Scanner detection for submitted sample 2->47 49 5 other signatures 2->49 7 kyFP57nrCE.exe 1 22 2->7         started        11 Dekkoce.exe 2->11         started        process3 dnsIp4 41 sapyjn12.top 5.188.89.119, 49773, 80 PINDC-ASRU Russian Federation 7->41 51 Query firmware table information (likely to detect VMs) 7->51 53 Tries to detect sandboxes and other dynamic analysis tools (window names) 7->53 55 Tries to harvest and steal browser information (history, passwords, etc) 7->55 57 2 other signatures 7->57 13 cmd.exe 2 7->13         started        16 cmd.exe 2 7->16         started        18 cmd.exe 2 7->18         started        20 5 other processes 7->20 signatures5 process6 signatures7 59 Tries to harvest and steal browser information (history, passwords, etc) 13->59 22 conhost.exe 13->22         started        24 conhost.exe 16->24         started        26 conhost.exe 18->26         started        61 Uses schtasks.exe or at.exe to add and modify task schedules 20->61 28 expand.exe 9 20->28         started        31 conhost.exe 20->31         started        33 conhost.exe 20->33         started        35 4 other processes 20->35 process8 file9 37 C:\Users\user\AppData\...\Dekkoce.exe (copy), PE32 28->37 dropped 39 C:\...\6e72d756bb0fa445a659ffed796e2ab6.tmp, PE32 28->39 dropped
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c1144e14f61b4b21b4278969ce02abbd8528ba44172fccc190f1cbf28bf84d7c/
Threat name:
Win32.Trojan.Zusy
Create hunting rule
Status:
Malicious
First seen:
2022-03-14 17:31:38 UTC
File Type:
PE (Exe)
Extracted files:
13
AV detection:
27 of 42 (64.29%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
1a7b82468f3a677663daab8f8142ff99cf65465d6a772f71c655b55f05395303
1ea344df676e38129a21b994a29ba66cc814348ae6bb99bd068b4c5cc51e27b0
2d38b3e2d84638d146a476b7798635569f4f8c0841166a44b628260180d10ecd
2dfc078c3658a63016fd846cc735c0d5c359b6639cb89ae08ccc9a19fb3e5df3
41df984882b7cb539f1bcc03433f60e2bd7a0313b1e05bda78338d9176d6996b
c5235a63f916e2de15aaa66e0664c1548caa85c4a56c11fb5e328921bab1f459
e13fb6156b386d9cea3a46c3835a97636ad0eeddda3b354f86f19915721638fc
eaef807dc7cdfd704cf47b74a667b55004de9171fdb8b949c451274569549d41
f8462784c938c32e326abdba379d8944c9600f34ad85737efd6e7866d0bedff8
fda35cece63310cf205317722754efa6773e9faa0b787dcc7dadf46a7da10383
+ 9'968 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
discovery evasion spyware stealer themida trojan
Link:
https://tria.ge/reports/220314-xs8xwsddbq/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
AutoIT Executable
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Reads user/profile data of web browsers
Themida packer
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Unpacked files
SH256 hash:
7127345488c8379ffe02f8f69b4af4efc6b82bf4e10a5ed6b7c4b68b86d7df89
MD5 hash:
791338354ae9e545bc8e5d304a76ba13
SHA1 hash:
bada42b64c4c2b215e065cf59ba84cd422e1407e
Link:
https://www.unpac.me/results/2a17047c-07e2-4575-bc9c-8bbabad7206e/
SH256 hash:
c1144e14f61b4b21b4278969ce02abbd8528ba44172fccc190f1cbf28bf84d7c
MD5 hash:
48cb3fb9515c76627660f9c7716d68f6
SHA1 hash:
809d855b393015a54f0e7c067b8e1a8fd7694092
Link:
https://www.unpac.me/results/2a17047c-07e2-4575-bc9c-8bbabad7206e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/c1144e14f61b4b21b4278969ce02abbd8528ba44172fccc190f1cbf28bf84d7c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE).
Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe c1144e14f61b4b21b4278969ce02abbd8528ba44172fccc190f1cbf28bf84d7c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2086285/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/250395/

Comments