MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c6fa147a533664a8bb8568cddc6efb45663e9153b62c69feedb4fd04c487582b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c6fa147a533664a8bb8568cddc6efb45663e9153b62c69feedb4fd04c487582b
SHA3-384 hash: 2392220968fde2857b4e13fb680636c58904faed1d94205400fcb07897a7122851f0f71c91f0767751b8a549fbf64132
SHA1 hash: f57e2be1e9262b68ef62ce5c13100f8b50c4e877
MD5 hash: 05e3d7af11dce43f9d19e8c78c6e11c3
humanhash: xray-nebraska-nebraska-mockingbird
File name:Setup3_exe
Download: download sample
File size:5'151'232 bytes
First seen:2021-05-25 07:13:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 98304:bHaIUK+MXPKHfawHXOQTC6gVqAUqxmxlc9c5Pt+Lw1nGosyPS8b3nH0qnQYmrjw:b6IN+6KHfaqUVNfmQe5Pt+Lwa6XHDGrM
Threatray 15 similar samples on MalwareBazaar
TLSH B43633212459441FEF53C6B9D0B7E5412B6A6C22F2381E8801CF7536A9F632FD96D23E
Reporter CholeVallabh

Intelligence

File Origin
# of uploads :
1
# of downloads :
94
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/161737/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Sending a UDP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/791263
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus detection for dropped file
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 423661 Sample: Setup3_exe Startdate: 25/05/2021 Architecture: WINDOWS Score: 100 63 Multi AV Scanner detection for dropped file 2->63 65 Multi AV Scanner detection for submitted file 2->65 67 .NET source code contains potential unpacker 2->67 69 5 other signatures 2->69 8 Setup3_exe.exe 1 6 2->8         started        12 tzutil.exe 3 2->12         started        14 tzutil.exe 2->14         started        process3 file4 43 C:\Users\user\AppData\Roaming\...\tzutil.exe, PE32+ 8->43 dropped 45 C:\Users\user\AppData\...\Setup3_exe.exe, PE32+ 8->45 dropped 47 C:\Users\user\...\tzutil.exe:Zone.Identifier, ASCII 8->47 dropped 53 2 other malicious files 8->53 dropped 71 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 8->71 73 Writes to foreign memory regions 8->73 75 Allocates memory in foreign processes 8->75 77 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 8->77 16 Setup3_exe.exe 2 8->16         started        49 C:\Users\user\AppData\Local\Temp\tzutil.exe, PE32+ 12->49 dropped 51 C:\Users\user\...\tzutil.exe:Zone.Identifier, ASCII 12->51 dropped 79 Modifies the context of a thread in another process (thread injection) 12->79 81 Injects a PE file into a foreign processes 12->81 19 tzutil.exe 1 12->19         started        23 tzutil.exe 14->23         started        signatures5 process6 dnsIp7 59 Multi AV Scanner detection for dropped file 16->59 61 Machine Learning detection for dropped file 16->61 25 Roamingcliconfg.exe 1 16->25         started        28 WerFault.exe 20 9 16->28         started        57 192.168.2.1 unknown unknown 19->57 41 C:\Users\user\AppData\Roamingcliconfg.exe, PE32+ 19->41 dropped 31 Roamingcliconfg.exe 19->31         started        33 WerFault.exe 19->33         started        35 WerFault.exe 23->35         started        file8 signatures9 process10 file11 83 Antivirus detection for dropped file 25->83 85 Multi AV Scanner detection for dropped file 25->85 87 Hides threads from debuggers 25->87 37 conhost.exe 25->37         started        55 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 28->55 dropped 39 conhost.exe 31->39         started        signatures12 process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c6fa147a533664a8bb8568cddc6efb45663e9153b62c69feedb4fd04c487582b/
Threat name:
ByteCode-MSIL.Downloader.Seraph
Create hunting rule
Status:
Malicious
First seen:
2021-05-25 07:13:12 UTC
AV detection:
6 of 46 (13.04%)
Threat level:
  3/5
Verdict:
unknown
Similar samples:
19f17d84c67985de677ea0f746955f709106d8833311d3b8c9b67491d0498ff0
1e92ffaaee0217be3540c5a8e0b465d639008e15bb1335fc1aab14ef252f4072
79079eeea81f1225adddc2f707d5a9702877cb7d8fa6843c807b083d56edd813
b4b15f7787006e9757865b66a747135ac7452d8bafbbad777fd9491742eba06a
c52477b06f41b4e78b419e5843c6e14545e7add486185373a66c8de3865f44c0
d3369b50e963787693bdc2a967f3f156c91c09a83227e8c2d7851841150e4993
e0845f3788d8a7d0e289da2908730a8eeecfc3541df4900099ac31b2dd64b0b5
e4a364bc4301da3e0a1280d627bb19810e94828e4d2c44b477a9cd576039c664
f14a3d76508b0b87878f3a39064fb59af9bf3461e3bdc0f505c05e1da26a39de
ff9175a892b7139c1d34f6fed7c028e6f2a8c8c8fd5befea281cca4bb955918d
+ 5 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
persistence
Link:
https://tria.ge/reports/210525-h8p2wq8xes/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.49
Link:
https://yomi.yoroi.company/submissions/c6fa147a533664a8bb8568cddc6efb45663e9153b62c69feedb4fd04c487582b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/161737/

Comments