MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c9cdd5a5b0701a4d311e0264f5bcec49fa500dde81ff8dbaa081be032b0c0446. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c9cdd5a5b0701a4d311e0264f5bcec49fa500dde81ff8dbaa081be032b0c0446
SHA3-384 hash: 6d17acbf3016a03ed856ce27d0ad070901f408521e48548f35f1fdea37833cf6249208d60be01644dfe9ff082be678b6
SHA1 hash: 3d3e58b4009c10d3a842a45925132e7482cfcdac
MD5 hash: c19114fc0d83113a32c5b22b8863dcc1
humanhash: twenty-orange-december-wolfram
File name:British High Commission Peter Emmerson.exe
Download: download sample
File size:1'030'656 bytes
First seen:2020-08-25 14:44:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (49'070 x AgentTesla, 20'026 x Formbook, 12'352 x SnakeKeylogger)
ssdeep 24576:XVp/1t/DCZ+XX6ZWUuFKkhaixrvr7OYoY:j/1E+H6ZWfF30crvrb
Threatray 6 similar samples on MalwareBazaar
TLSH 5C2564039C08AB83D56893FCFD134F982E4B1F4CE5A6BAEF40326EC73A346565D4A519
Reporter JAMESWT_WT

Intelligence

File Origin
# of uploads :
1
# of downloads :
99
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
SecuriteInfo.com.Heur.4694.25554.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file
Launching a process
Moving a recently created file
Deleting a recently created file
Creating a process from a recently created file
Unauthorized injection to a recently created process
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/449327
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 277044 Sample: British High Commission Pet... Startdate: 25/08/2020 Architecture: WINDOWS Score: 88 41 Antivirus / Scanner detection for submitted sample 2->41 43 Multi AV Scanner detection for submitted file 2->43 45 Detected unpacking (overwrites its own PE header) 2->45 47 Machine Learning detection for sample 2->47 8 British High Commission Peter Emmerson.exe 6 13 2->8         started        process3 file4 31 C:\ProgramData\Hanthavra\rnthiavesa.exe, PE32 8->31 dropped 33 British High Commi...er Emmerson.exe.log, ASCII 8->33 dropped 11 rnthiavesa.exe 8->11         started        15 AcroRd32.exe 15 39 8->15         started        process5 dnsIp6 39 209.127.16.126, 4768, 49741 SERVER-MANIACA Canada 11->39 49 Antivirus detection for dropped file 11->49 51 Multi AV Scanner detection for dropped file 11->51 53 Detected unpacking (overwrites its own PE header) 11->53 55 Machine Learning detection for dropped file 11->55 17 RdrCEF.exe 65 15->17         started        20 AcroRd32.exe 7 6 15->20         started        signatures7 process8 dnsIp9 35 192.168.2.1 unknown unknown 17->35 22 RdrCEF.exe 17->22         started        25 RdrCEF.exe 17->25         started        27 RdrCEF.exe 17->27         started        29 2 other processes 17->29 process10 dnsIp11 37 80.0.0.0 NTLGB United Kingdom 22->37
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c9cdd5a5b0701a4d311e0264f5bcec49fa500dde81ff8dbaa081be032b0c0446/
Threat name:
ByteCode-MSIL.Ransomware.Foreign
Create hunting rule
Status:
Malicious
First seen:
2020-08-25 14:44:02 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
012a8b58a7e5e04737ee8c5c004e1272b98e0dcf8bcb025f1573e63de8b2f7e9
567b82c892f10a5cc6d0286c5777e7462cec7182eba81db7dd7de53d1e8d3274
5680e271889058770b8e1e0511477865407735b5bbe46766599c6d0c88f74a43
7e6dc9928e049d75cd726d8542b39cf46afef0cfd37c8dcb968ea618aedbb696
9e4c64dd113e678a0f77c8bf6733621303f4848513179a5a3c15892b1d871cf1
a46a4d49d8497c6cf8560c708fc6cf68c6901f2762938caa3be46b47a62d3ea6
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/200825-dbdy6lnjf6/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Checks processor information in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Executes dropped EXE
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Ransomware
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c9cdd5a5b0701a4d311e0264f5bcec49fa500dde81ff8dbaa081be032b0c0446

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/50573/

Comments