MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c366a12ebce6fac89542bd70335a3ad9b0c44692946c6d173234a7840f846812. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c366a12ebce6fac89542bd70335a3ad9b0c44692946c6d173234a7840f846812
SHA3-384 hash: 3bd16654cabe37c6e7b88f45a6577c004538ae6776234eae9d4d6f2e40b62bc0aa0b3770d0afb38b93a1710298e2dda3
SHA1 hash: 7d41613f8d740725969f4e22af8fd87eeea89f6c
MD5 hash: d138efdda74566b44188fb7187ca54fc
humanhash: fanta-mockingbird-carpet-steak
File name:c366a12ebce6fac89542bd70335a3ad9b0c44692946c6d173234a7840f846812
Download: download sample
File size:1'646'816 bytes
First seen:2021-03-29 07:09:30 UTC
Last seen:2021-03-29 07:48:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ba4cc0afb12afe0a3f885ae6696404ed (1 x ArkeiStealer)
ssdeep 24576:PIZg+uitrPO37fzH4A6haDzcUZEIdT9TagtzCNjyxIQBrNDV3iWVv5OmvB0KB6Mc:PgFrPO37fzH4A6hanqNmZBVVySOmvAv
Threatray 581 similar samples on MalwareBazaar
TLSH 69758D2AB1B24CB6F36A5E3658164160673EFD843E28ACD635D6FA3E0BF514335361C2
Reporter JAMESWT_WT
Tags:LTD SERVICES LIMITED signed

Code Signing Certificate

Organisation:LTD SERVICES LIMITED
Issuer:Sectigo RSA Code Signing CA
Algorithm:sha256WithRSAEncryption
Valid from:2021-03-18T00:00:00Z
Valid to:2022-03-18T23:59:59Z
Serial number: 7d36cbb64bc9add17ba71737d3ecceca
Intelligence: 9 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist:This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:SHA256
Thumbprint: 05be3171ca7272803d139ca13b16c24a3dd22917b1b8d6d0fd5401e63a79dd27
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
100
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c366a12ebce6fac89542bd70335a3ad9b0c44692946c6d173234a7840f846812
Verdict:
Suspicious activity
Analysis date:
2021-03-29 07:20:08 UTC
Tags:
installer
Link:
https://app.any.run/tasks/579f1dd1-5696-461d-a327-42ce940013fc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/127480/
Detection(s):
PUA.Win.Packer.PrivateEXEProtector4-6192998-2
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Sending a custom TCP request
DNS request
Sending a UDP request
Unauthorized injection to a system process
Sending an HTTP GET request to an infection source
Sending an HTTP POST request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/4169d33d-d6b3-4e09-bdc8-11e4942af278
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/656520
Signature
Allocates memory in foreign processes
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file has nameless sections
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c366a12ebce6fac89542bd70335a3ad9b0c44692946c6d173234a7840f846812/
Threat name:
Win32.Trojan.GenCBL
Create hunting rule
Status:
Malicious
First seen:
2021-03-28 04:04:40 UTC
File Type:
PE (Exe)
Extracted files:
45
AV detection:
19 of 29 (65.52%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
064cad19bee4580a82bc4ee3558e8510100ebba8da83720749f553cc411d5cb3
0953e54968ca9407a172c0a35a00d8b30ec603770809bbd2901a070e1b83b7f8
3d3095586bf72d6b631e44681654c68707a6f07987b02e367e7d88ac9ddab77c
411e56b415d4c23a741958c3f1ada72b3e958c078d27c339678bb690b7a895c3
4ce173da12efcf686dd4a7fec6678fc6c0e2cae352a3dd327bdfa478c18589e4
7e88f1c425154e6fff6d031aaaa4d8bb4c8ff131e429f44310fd936bfc08b357
92ddc88d7c1bde849c18747f4fcd526c240a81efe9c74ee1dcaa4a72ecc9ac3a
aa9692c1769e25297176b847f4274570c56c4d74f4577608bd036e72d82d5bdb
af05a9b5f7ed6483d7f10ea0e521e0a15fd90d224ca04a9665991ab630a54991
d0b2bc00645de803a4e9df303539995ee8f781631684b04fe67ee7e01bcf9c21
+ 571 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence upx
Link:
https://tria.ge/reports/210329-smylspp2na/
Behaviour
Checks processor information in registry
Modifies system certificate store
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Executes dropped EXE
UPX packed file
Unpacked files
SH256 hash:
7b0b8db231d411d10f45ed54779fcfa8f3e442e04a31733ee2598b0dd3f63229
MD5 hash:
e769e747bb0fb0c1893e27af747094df
SHA1 hash:
af49f0054f201ba4a4b2d010d661e3d1f78e2a72
Link:
https://www.unpac.me/results/525c64cf-db63-4ee0-916d-cee7f6c59cd8/
SH256 hash:
c366a12ebce6fac89542bd70335a3ad9b0c44692946c6d173234a7840f846812
MD5 hash:
d138efdda74566b44188fb7187ca54fc
SHA1 hash:
7d41613f8d740725969f4e22af8fd87eeea89f6c
Link:
https://www.unpac.me/results/525c64cf-db63-4ee0-916d-cee7f6c59cd8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Backdoor
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c366a12ebce6fac89542bd70335a3ad9b0c44692946c6d173234a7840f846812

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/127480/

Comments