MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c30dcbba3ad05453eba2cc769ca4e65cd2706627b1fe631deb546cb46f9aa262. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c30dcbba3ad05453eba2cc769ca4e65cd2706627b1fe631deb546cb46f9aa262
SHA3-384 hash: aea67777ab6825f94d48f2fbbe0166f1e06f23bbcb535545d005d8acd8772857fdd8e997fe8b3515149c311da7aeb502
SHA1 hash: 41710a4de5703fd62b2eb6057a8c0c59a6aec8cd
MD5 hash: f379d611ab66507d1f44380d76161370
humanhash: gee-kilo-spring-gee
File name:f379d611ab66507d1f44380d76161370
Download: download sample
File size:494'208 bytes
First seen:2021-07-10 15:02:27 UTC
Last seen:2021-07-10 15:35:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b27842d03165b361b8c1cc4af7711a6c
ssdeep 12288:QAERPntA4GZzrpAS9kTV9Voshd4Kfdyk8o0Ai:Q9R2NZzrpu1BHrokni
Threatray 235 similar samples on MalwareBazaar
TLSH T1FDB47E32B2E24437D1635F75DC6B926DA836BF501D2868866BE51D0CDF397C2382B2D2
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
140
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f379d611ab66507d1f44380d76161370
Verdict:
Malicious activity
Analysis date:
2021-07-10 15:04:23 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0a3c3ebf-554b-427e-8ad0-f4e5533bd111

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/170810/
Detection(s):
PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bf5c6fe7-c0b9-48a6-8883-861b6dbfe94f
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/814333
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to capture and log keystrokes
Contains functionality to detect sleep reduction / modifications
Drops PE files to the startup folder
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses ping.exe to check the status of other devices and networks
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 446744 Sample: I3uCu0rcy7 Startdate: 10/07/2021 Architecture: WINDOWS Score: 100 35 Antivirus detection for dropped file 2->35 37 Antivirus / Scanner detection for submitted sample 2->37 39 Multi AV Scanner detection for dropped file 2->39 41 5 other signatures 2->41 7 I3uCu0rcy7.exe 2->7         started        10 winsvc.exe 2->10         started        process3 signatures4 43 Contains functionality to capture and log keystrokes 7->43 45 Hides that the sample has been downloaded from the Internet (zone.identifier) 7->45 47 Contains functionality to detect sleep reduction / modifications 7->47 12 cmd.exe 2 7->12         started        16 cmd.exe 1 7->16         started        19 cmd.exe 1 7->19         started        process5 dnsIp6 31 C:\Users\user\AppData\Roaming\...\winsvc.exe, PE32 12->31 dropped 49 Drops PE files to the startup folder 12->49 51 Uses ping.exe to check the status of other devices and networks 12->51 21 conhost.exe 12->21         started        33 127.0.0.1 unknown unknown 16->33 23 conhost.exe 16->23         started        25 PING.EXE 1 16->25         started        27 winsvc.exe 19->27         started        29 conhost.exe 19->29         started        file7 signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c30dcbba3ad05453eba2cc769ca4e65cd2706627b1fe631deb546cb46f9aa262/
Threat name:
Win32.Trojan.APost
Create hunting rule
Status:
Malicious
First seen:
2021-07-10 15:03:06 UTC
AV detection:
26 of 46 (56.52%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
21ba0bed0b05a2ce68496e73a5c103fb5b815ac2c77e997f46e5d09666c1c978
507cd77f0000cc2af40601e9121683769ea55d389a1df1c7832a103785711fb4
55580a7b5ec8510e0bf498f20928778b6c7b2071a31d8332f809a7a718c66b48
71f5a0e02cfd97625bfaf4c5e48825b8b08262a7ac89f1b7f8ae82c1200205f8
9f86527e3ca4530bb3209d8608dae083afab4ef2cf7b0ae23bcd6fdc322a0c33
a342e3327fc258c1634ffd9e27f0635bd2dc8aeada903d2cac0c5e1ab2e00811
ac4b99079b1ceb11db593097e421de9d9092765feedc23a3ab8ef912b292c988
be0ef76b404286ed958cf94b39682e20feac93c0d89c241a6a2cd95af19c25da
cf2aec2969353dc99a7f715ac818212b42b8cff7a58c9109442f2c65ff62de42
d1d0ac76e59b9e2a8ae3a433e0186d74fc61417c89fe5ee4b93c02faa1dc58f8
+ 225 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/210710-t2493kalpa/
Behaviour
Runs ping.exe
Suspicious use of WriteProcessMemory
Deletes itself
Drops startup file
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
c30dcbba3ad05453eba2cc769ca4e65cd2706627b1fe631deb546cb46f9aa262
MD5 hash:
f379d611ab66507d1f44380d76161370
SHA1 hash:
41710a4de5703fd62b2eb6057a8c0c59a6aec8cd
Link:
https://www.unpac.me/results/a00165d7-5e79-4582-b833-3cd2739feb47/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c30dcbba3ad05453eba2cc769ca4e65cd2706627b1fe631deb546cb46f9aa262

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe c30dcbba3ad05453eba2cc769ca4e65cd2706627b1fe631deb546cb46f9aa262

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1441547/
Cape
Cape
https://www.capesandbox.com/analysis/170810/

Comments


Avatar
zbet commented on 2021-07-10 15:02:28 UTC

url : hxxp://2.56.213.167/bragej2s93/vir/original.exe