MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c694c60b4b94a4b2d2c512867ad70c6313811db161aebff1dc8e257993aee2b7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Macoute


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c694c60b4b94a4b2d2c512867ad70c6313811db161aebff1dc8e257993aee2b7
SHA3-384 hash: 1b94d55f5d1fc059c5eebc90c4c9bf3ad7375fcfcf376eda507fe842e7994d6342d898a3b6da6b058e310bfec1d55acc
SHA1 hash: c984296ab64672b09b6dca1d4e9619c1dffb7fc2
MD5 hash: d852f019d363b1f1f0d52e22bedac32d
humanhash: green-failed-salami-iowa
File name:c694c60b4b94a4b2d2c512867ad70c6313811db161aebff1dc8e257993aee2b7
Download: download sample
Signature Macoute
Create hunting rule
File size:439'808 bytes
First seen:2021-02-28 07:07:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 23b7a2ad6dd5722f5566eaa0d8a348bf (44 x Macoute, 3 x Worm.Virut)
ssdeep 6144:BafsiuvAQ+tTm6cyERSiytj71cWE4jKS6v:WCvAQ+q6ctRt636WfjO
Threatray 4 similar samples on MalwareBazaar
TLSH C894AE82EBD340F1D8970BB15067B77F9B724B0E502CDD9AD3942E56AC33223992E794
Reporter JAMESWT_WT
Tags:Macoute

Intelligence

File Origin
# of uploads :
1
# of downloads :
74
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c694c60b4b94a4b2d2c512867ad70c6313811db161aebff1dc8e257993aee2b7
Verdict:
Malicious activity
Analysis date:
2021-02-28 09:47:27 UTC
Tags:
installer
Link:
https://app.any.run/tasks/9938ddc4-1545-4f0b-a2bc-b93d126ff06d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/119778/
Detection(s):
Win.Malware.Zusy-6888246-0
Create hunting rule

Win.Trojan.Agent-1201096
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the Program Files subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Connection attempt
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Creating a file in the mass storage device
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Macoute
Create hunting rule
Detection:
malicious
Classification:
spre.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/621188
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to steal Internet Explorer form passwords
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Macoute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 359586 Sample: p8rsryaxGn Startdate: 28/02/2021 Architecture: WINDOWS Score: 100 31 Antivirus detection for dropped file 2->31 33 Antivirus / Scanner detection for submitted sample 2->33 35 Multi AV Scanner detection for dropped file 2->35 37 6 other signatures 2->37 7 p8rsryaxGn.exe 1 4 2->7         started        11 msn.exe 2->11         started        process3 file4 25 C:\Program Files (x86)\win\msn.exe, PE32 7->25 dropped 27 C:\...\msn.exe:Zone.Identifier, ASCII 7->27 dropped 39 Contains functionality to steal Internet Explorer form passwords 7->39 13 msn.exe 20 7->13         started        signatures5 process6 signatures7 41 Tries to harvest and steal browser information (history, passwords, etc) 13->41 16 msn.exe 13->16         started        19 msn.exe 13->19         started        21 msn.exe 13->21         started        23 27 other processes 13->23 process8 dnsIp9 29 87.98.185.184, 8829 OVHFR France 16->29
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c694c60b4b94a4b2d2c512867ad70c6313811db161aebff1dc8e257993aee2b7/
Threat name:
Win32.Worm.Macoute
Create hunting rule
Status:
Malicious
First seen:
2017-05-10 05:10:00 UTC
AV detection:
28 of 29 (96.55%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
70c05d265f3f6dbd5758c742b6fd0e74cc25dd01d111759926012b8c64c164bb
Macoute
b0c250fc98a2149ed7adc9889263545a700bafa3356cb794da888badb529570e
Macoute
c78cb37297cbf33db078582f3895c03338d1e37771b1cd2c1f5d0ad0e2f44710
Macoute
fc6538be49c1bb53c728844d8043a26fc27c12c8c5ef76bee50e757b57ce4f3f
Macoute
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence spyware
Link:
https://tria.ge/reports/210228-v32xw4cbze/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Adds Run key to start application
Enumerates connected drives
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Unpacked files
SH256 hash:
c8a586a743e86f338c3ecffe86e225ba445ac30564fd51d0507705c033eae2ff
MD5 hash:
f54c79de6f2bb5e69d08517352b2c626
SHA1 hash:
8b9108b3e930adde5474f37542f116c6335b1570
Link:
https://www.unpac.me/results/2d97e2e8-4c64-4cd4-8ced-a0b4208e5e56/
SH256 hash:
c694c60b4b94a4b2d2c512867ad70c6313811db161aebff1dc8e257993aee2b7
MD5 hash:
d852f019d363b1f1f0d52e22bedac32d
SHA1 hash:
c984296ab64672b09b6dca1d4e9619c1dffb7fc2
Link:
https://www.unpac.me/results/2d97e2e8-4c64-4cd4-8ced-a0b4208e5e56/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c694c60b4b94a4b2d2c512867ad70c6313811db161aebff1dc8e257993aee2b7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/119778/

Comments