MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c78cb37297cbf33db078582f3895c03338d1e37771b1cd2c1f5d0ad0e2f44710. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Macoute


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c78cb37297cbf33db078582f3895c03338d1e37771b1cd2c1f5d0ad0e2f44710
SHA3-384 hash: 608919d2a5213955c244ec91eade323afc94211e9d553d18811b161f7a864f2b54ed1dda87a449f1ed8032229793a4d2
SHA1 hash: d6da4bf7132876adece6323d5b235c55aabd57a0
MD5 hash: c599b8c932e5d9c2c9313a0c3df64559
humanhash: blue-triple-helium-tango
File name:c78cb37297cbf33db078582f3895c03338d1e37771b1cd2c1f5d0ad0e2f44710
Download: download sample
Signature Macoute
Create hunting rule
File size:438'943 bytes
First seen:2021-02-28 07:06:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 23b7a2ad6dd5722f5566eaa0d8a348bf (44 x Macoute, 3 x Worm.Virut)
ssdeep 6144:+afsiuvAQ+tTm6cyERSiytj71cWE4jKS6vZ9BTD:7CvAQ+q6ctRt636WfjOnBTD
Threatray 4 similar samples on MalwareBazaar
TLSH 5694AF86EBC340F1D8970FB15067A77F9B725B0D502CDD9AD3A42E56AC33223992E354
Reporter JAMESWT_WT
Tags:Macoute

Intelligence

File Origin
# of uploads :
1
# of downloads :
73
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c78cb37297cbf33db078582f3895c03338d1e37771b1cd2c1f5d0ad0e2f44710
Verdict:
Malicious activity
Analysis date:
2021-02-28 09:37:25 UTC
Tags:
installer
Link:
https://app.any.run/tasks/91d6a303-6097-4bcb-a91c-50cd94e7816f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/119776/
Detection(s):
Win.Malware.Zusy-6888246-0
Create hunting rule

Win.Packed.Ulpm-9799291-0
Create hunting rule

Win.Trojan.Agent-1201096
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the Program Files subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Connection attempt
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Creating a file in the mass storage device
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Macoute
Create hunting rule
Detection:
malicious
Classification:
spre.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/621192
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to steal Internet Explorer form passwords
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Macoute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 359588 Sample: AX9BLP03Sz Startdate: 28/02/2021 Architecture: WINDOWS Score: 100 31 Antivirus detection for dropped file 2->31 33 Antivirus / Scanner detection for submitted sample 2->33 35 Multi AV Scanner detection for dropped file 2->35 37 6 other signatures 2->37 7 AX9BLP03Sz.exe 1 4 2->7         started        11 msn.exe 2->11         started        process3 file4 25 C:\Program Files (x86)\win\msn.exe, PE32 7->25 dropped 27 C:\...\msn.exe:Zone.Identifier, ASCII 7->27 dropped 39 Contains functionality to steal Internet Explorer form passwords 7->39 13 msn.exe 20 7->13         started        signatures5 process6 signatures7 41 Tries to harvest and steal browser information (history, passwords, etc) 13->41 16 msn.exe 13->16         started        19 msn.exe 13->19         started        21 msn.exe 13->21         started        23 27 other processes 13->23 process8 dnsIp9 29 87.98.185.184, 8829 OVHFR France 16->29
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c78cb37297cbf33db078582f3895c03338d1e37771b1cd2c1f5d0ad0e2f44710/
Threat name:
Win32.Trojan.Pholdicon
Create hunting rule
Status:
Malicious
First seen:
2018-01-10 02:18:00 UTC
AV detection:
28 of 29 (96.55%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
70c05d265f3f6dbd5758c742b6fd0e74cc25dd01d111759926012b8c64c164bb
Macoute
b0c250fc98a2149ed7adc9889263545a700bafa3356cb794da888badb529570e
Macoute
c694c60b4b94a4b2d2c512867ad70c6313811db161aebff1dc8e257993aee2b7
Macoute
fc6538be49c1bb53c728844d8043a26fc27c12c8c5ef76bee50e757b57ce4f3f
Macoute
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence spyware
Link:
https://tria.ge/reports/210228-j7a34da6nn/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Adds Run key to start application
Enumerates connected drives
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Unpacked files
SH256 hash:
c78cb37297cbf33db078582f3895c03338d1e37771b1cd2c1f5d0ad0e2f44710
MD5 hash:
c599b8c932e5d9c2c9313a0c3df64559
SHA1 hash:
d6da4bf7132876adece6323d5b235c55aabd57a0
Link:
https://www.unpac.me/results/cf5664cb-d31f-47ed-bceb-5509b842822f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c78cb37297cbf33db078582f3895c03338d1e37771b1cd2c1f5d0ad0e2f44710

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/119776/

Comments