MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c6aa7fc9c195d950bc5290cd4827019ee03a98938b6dee9f4e6101747fa69e72. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c6aa7fc9c195d950bc5290cd4827019ee03a98938b6dee9f4e6101747fa69e72
SHA3-384 hash: 602a3c0cd6500c4b72d878789aa7a959bc8877bf9013c2b452366fe50f7eeb5990fc39b4cb01d4e4d9b3f3c79802e68f
SHA1 hash: d099d47c2e10ba66ec614e1f96d3c3a014ef2a3d
MD5 hash: 4a3e48c79f510d0dbba058d60e284e50
humanhash: april-fifteen-fish-kansas
File name:virussign.com_4a3e48c79f510d0dbba058d60e284e50
Download: download sample
File size:327'680 bytes
First seen:2022-07-15 16:32:56 UTC
Last seen:2024-07-24 21:20:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 09d0478591d4f788cb3e5ea416c25237 (4 x Worm.Mofksys, 3 x Blackmoon, 2 x Gh0stRAT)
ssdeep 3072:P7TQlatyYePxiFVJ7TQlatyYePxiFVl7TQlatyYePxiFVL7TQlatyYePxiFVB7TJ:zTQt8JTQt8VTQt8vTQt8RTQt8XTQtY
TLSH T1C064E17551563122F0F6EF709DC2CE8E0417BFBE022A494E3BD5BA6F29393678870466
TrID 45.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.3% (.EXE) OS/2 Executable (generic) (2029/13)
18.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.0% (.EXE) DOS Executable Generic (2000/1)
dhash icon e4f6b2f0e8ccf0f0 (14 x Worm.AutoRun, 11 x AutoRun, 1 x CoinMiner)
Reporter KdssSupport
Tags:exe


Avatar
KdssSupport
Uploaded with API

Intelligence

File Origin
# of uploads :
2
# of downloads :
112
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
virussign.com_4a3e48c79f510d0dbba058d60e284e50
Verdict:
Malicious activity
Analysis date:
2022-07-16 04:37:27 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/29642d6e-4224-4c67-a3b1-f0462f089d86

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/290021/
Detection(s):
PUA.Win.Packer.PECompact-2
Create hunting rule

Win.Malware.Ulise-9955124-0
Create hunting rule

Win.Trojan.VB-3895
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Creating a file in the Windows subdirectories
Creating a file in the Windows directory
Creating a process from a recently created file
Creating a process with a hidden window
Searching for the window
Searching for analyzing tools
Creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm overlay packed
Link:
https://www.filescan.io/uploads/62d197640f510051d9f43dd7/reports/fcc378b8-3b2e-4eb7-ac33-ec2a547249fb/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.spre.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1034338
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes the view of files in windows explorer (hidden files and folders)
Changes the wallpaper picture
Creates an undocumented autostart registry key
Creates autorun.inf (USB autostart)
Detected unpacking (changes PE section rights)
Disables the Windows registry editor (regedit)
Disables UAC (registry)
Disables Windows system restore
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Spreads via windows shares (copies files to share folders)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses ping.exe to check the status of other devices and networks
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 666833 Sample: zXVezkibS9.com_4a3e48c79f51... Startdate: 17/07/2022 Architecture: WINDOWS Score: 100 107 220.255.0.0.in-addr.arpa 2->107 121 Antivirus detection for dropped file 2->121 123 Antivirus / Scanner detection for submitted sample 2->123 125 Multi AV Scanner detection for dropped file 2->125 127 6 other signatures 2->127 10 zXVezkibS9.exe 1 40 2->10         started        signatures3 process4 file5 77 C:\Windows\SysWOW64\17-7-2022.exe, PE32 10->77 dropped 79 C:\Windows\Fonts\The Kazekage.jpg, PC 10->79 dropped 81 C:\user Games81aruto games.exe, PE32 10->81 dropped 83 3 other files (none is malicious) 10->83 dropped 129 Detected unpacking (changes PE section rights) 10->129 131 Spreads via windows shares (copies files to share folders) 10->131 133 Changes the wallpaper picture 10->133 14 Kazekage.exe 51 36 10->14         started        18 smss.exe 30 10->18         started        20 system32.exe 10->20         started        22 2 other processes 10->22 signatures6 process7 dnsIp8 85 C:\Windows\SysWOW64\MSCOMCTL.OCX, PE32 14->85 dropped 87 C:behaviorgraphaara.exe, PE32 14->87 dropped 89 C:\Autorun.inf, Microsoft 14->89 dropped 99 2 other files (none is malicious) 14->99 dropped 135 Detected unpacking (changes PE section rights) 14->135 137 Creates an undocumented autostart registry key 14->137 139 Creates autorun.inf (USB autostart) 14->139 145 5 other signatures 14->145 25 PING.EXE 14->25         started        28 PING.EXE 14->28         started        30 smss.exe 14->30         started        40 4 other processes 14->40 91 C:\user Gamesbehaviorgraphaara games - Naruto.exe, PE32 18->91 dropped 141 Spreads via windows shares (copies files to share folders) 18->141 32 Gaara.exe 32 18->32         started        36 csrss.exe 18->36         started        38 smss.exe 1 18->38         started        42 2 other processes 18->42 93 C:\Windows\SysWOW64\drivers\system32.exe, ASCII 20->93 dropped 95 C:\Windows\SysWOW64\drivers\Kazekage.exe, ASCII 20->95 dropped 97 C:\Windows\Fonts\...\smss.exe, ASCII 20->97 dropped 101 2 other malicious files 20->101 dropped 143 Tries to detect sandboxes and other dynamic analysis tools (window names) 20->143 109 220.255.0.0.in-addr.arpa 22->109 file9 signatures10 process11 dnsIp12 111 220.255.0.0.in-addr.arpa 25->111 44 conhost.exe 25->44         started        113 192.168.2.1 unknown unknown 28->113 115 220.255.0.0.in-addr.arpa 28->115 46 conhost.exe 28->46         started        67 C:\Windows\mscomctl.ocx, PE32 32->67 dropped 69 C:\Users\user\...behaviorgraphaara The Kazekage.exe, PE32 32->69 dropped 71 C:\user Gamesbehaviorgraphaara go to Kazekage.exe, PE32 32->71 dropped 117 Spreads via windows shares (copies files to share folders) 32->117 48 PING.EXE 32->48         started        51 PING.EXE 32->51         started        53 smss.exe 1 32->53         started        59 4 other processes 32->59 73 C:\user Games\Hokage-Sampit (Nothing).exe, PE32 36->73 dropped 75 C:\...\Anbu Team Sampit (Nothing).exe, PE32 36->75 dropped 119 Drops executables to the windows directory (C:\Windows) and starts them 36->119 55 smss.exe 36->55         started        57 Gaara.exe 36->57         started        61 2 other processes 36->61 file13 signatures14 process15 dnsIp16 103 220.255.0.0.in-addr.arpa 48->103 63 conhost.exe 48->63         started        105 220.255.0.0.in-addr.arpa 51->105 65 conhost.exe 51->65         started        process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c6aa7fc9c195d950bc5290cd4827019ee03a98938b6dee9f4e6101747fa69e72/
Threat name:
Win32.Trojan.Dacic
Create hunting rule
Status:
Malicious
First seen:
2022-07-08 01:34:55 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=y2vh7sobsxmvbpcssdguqjybt3qdvgetrnw65h2omeaxi75gtzza._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence ransomware trojan
Link:
https://tria.ge/reports/220715-t2jgtaddal/
Behaviour
Modifies Control Panel
Modifies Internet Explorer settings
Modifies registry class
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Drops file in Windows directory
Drops autorun.inf file
Drops file in System32 directory
Sets desktop wallpaper using registry
Adds Run key to start application
Checks whether UAC is enabled
Drops desktop.ini file(s)
Enumerates connected drives
Loads dropped DLL
Disables RegEdit via registry modification
Disables use of System Restore points
Drops file in Drivers directory
Executes dropped EXE
Sets file execution options in registry
Modifies WinLogon for persistence
Modifies visibility of file extensions in Explorer
Modifies visiblity of hidden/system files in Explorer
UAC bypass
Unpacked files
SH256 hash:
940d78ca81c9566a7a042df7260f7614261806c5d835da621c895e200ceffbba
MD5 hash:
31590b18ea2d5b09959f52b544a3f155
SHA1 hash:
858a38cdcc4986cdbdb975978b99b74712db8208
Link:
https://www.unpac.me/results/cad8cee8-1159-444c-b082-2e9f88245eb3/
SH256 hash:
c6aa7fc9c195d950bc5290cd4827019ee03a98938b6dee9f4e6101747fa69e72
MD5 hash:
4a3e48c79f510d0dbba058d60e284e50
SHA1 hash:
d099d47c2e10ba66ec614e1f96d3c3a014ef2a3d
Link:
https://www.unpac.me/results/cad8cee8-1159-444c-b082-2e9f88245eb3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c6aa7fc9c195d950bc5290cd4827019ee03a98938b6dee9f4e6101747fa69e72

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe c6aa7fc9c195d950bc5290cd4827019ee03a98938b6dee9f4e6101747fa69e72

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/290021/

Comments