MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ca1c052698c5a5c7e5ddcd14a95709288a364cd0be7fa06d03c62c2ead4ea78b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ca1c052698c5a5c7e5ddcd14a95709288a364cd0be7fa06d03c62c2ead4ea78b
SHA3-384 hash: a2a5e666b64cb0578552a6881301c8fa3116237471f7c8cc8831cf0a545f287be8f1b9e7417613188783479abb91a519
SHA1 hash: 3e768bdf99b6e40d8da1a0a74f345c8a316a6b89
MD5 hash: a1e0aa315c2caf13f0f7edacea3e9aea
humanhash: skylark-emma-connecticut-arizona
File name:a1e0aa315c2caf13f0f7edacea3e9aea
Download: download sample
File size:460'800 bytes
First seen:2021-08-24 23:18:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f326f88ca83c9aacaa44acfb8884f1d4 (8 x RedLineStealer, 4 x DCRat, 2 x CoinMiner)
ssdeep 12288:0tzE5elwLz9Tr/G89suLMBU2R6rPfgi5QGRTYseAC+kYr8:0tA4KdTDG/hRaAiZRTyRpYA
Threatray 602 similar samples on MalwareBazaar
TLSH T1C2A4F05BB1E11089DBF581B6D592074AEB7070712B19A3DB6BB113B70B2E486DF3C3A4
Reporter zbetcheckin
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
89
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
64B32DBDE13F0303710643AAACE909D6.exe
Verdict:
Malicious activity
Analysis date:
2021-08-24 20:19:08 UTC
Tags:
trojan stealer raccoon loader
Link:
https://app.any.run/tasks/db787b14-4bab-47e6-8f2a-26646ee92b72

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/182035/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Stealer.27269.24432.13950.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process from a recently created file
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Launching a process
Using the Windows Management Instrumentation requests
Creating a file
Creating a process with a hidden window
Creating a file in the system32 directory
Sending a UDP request
Creating a file in the system32 subdirectories
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8395f170-4574-496d-a3b3-42bc626d48f5
Result
Threat name:
BitCoin Miner
Create hunting rule
Detection:
malicious
Classification:
evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/838646
Signature
Adds a directory exclusion to Windows Defender
Creates an autostart registry key pointing to binary in C:\Windows
Creates files inside the volume driver (system volume information)
Creates multiple autostart registry keys
Creates processes via WMI
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Defender Exclusion
Uses schtasks.exe or at.exe to add and modify task schedules
Wscript starts Powershell (via cmd or directly)
Yara detected BatToExe compiled binary
Yara detected BitCoin Miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 471077 Sample: 6mLkg0bZWN Startdate: 25/08/2021 Architecture: WINDOWS Score: 100 114 Multi AV Scanner detection for dropped file 2->114 116 Multi AV Scanner detection for submitted file 2->116 118 Yara detected BitCoin Miner 2->118 120 4 other signatures 2->120 12 6mLkg0bZWN.exe 9 2->12         started        15 msorg32.exe 2->15         started        process3 file4 100 C:\Users\user\AppData\Local\Temp\...\extd.exe, PE32+ 12->100 dropped 18 cmd.exe 3 12->18         started        21 conhost.exe 12->21         started        158 Machine Learning detection for dropped file 15->158 160 Adds a directory exclusion to Windows Defender 15->160 23 cmd.exe 15->23         started        signatures5 process6 signatures7 122 Wscript starts Powershell (via cmd or directly) 18->122 124 Uses schtasks.exe or at.exe to add and modify task schedules 18->124 126 Adds a directory exclusion to Windows Defender 18->126 25 bb.exe 18->25         started        29 mmserv32.exe 5 18->29         started        31 extd.exe 1 18->31         started        39 6 other processes 18->39 33 conhost.exe 23->33         started        35 powershell.exe 23->35         started        37 powershell.exe 23->37         started        process8 dnsIp9 90 C:\...\FonthostNetBrokerMonitordhcp.exe, PE32 25->90 dropped 92 C:\...behaviorgraphwayOkWibwENIawbbXr6TcR5KPqy.bat, ASCII 25->92 dropped 138 Multi AV Scanner detection for dropped file 25->138 140 Machine Learning detection for dropped file 25->140 42 wscript.exe 25->42         started        94 C:\Users\user\AppData\Local\...\svchost32.exe, PE32+ 29->94 dropped 142 Adds a directory exclusion to Windows Defender 29->142 45 cmd.exe 1 29->45         started        47 cmd.exe 1 29->47         started        110 cdn.discordapp.com 162.159.133.233, 443, 49703, 49706 CLOUDFLARENETUS United States 39->110 112 162.159.134.233, 443, 49705 CLOUDFLARENETUS United States 39->112 96 C:\Users\user\AppData\Local\...\mmserv32.exe, PE32+ 39->96 dropped 98 C:\Users\user\AppData\Local\Temp\...\bb.exe, PE32 39->98 dropped file10 signatures11 process12 signatures13 144 Wscript starts Powershell (via cmd or directly) 42->144 49 cmd.exe 42->49         started        51 svchost32.exe 5 45->51         started        55 conhost.exe 45->55         started        146 Adds a directory exclusion to Windows Defender 47->146 57 powershell.exe 23 47->57         started        59 conhost.exe 47->59         started        process14 file15 61 FonthostNetBrokerMonitordhcp.exe 49->61         started        65 conhost.exe 49->65         started        88 C:\Windows\System32\msorg32.exe, PE32+ 51->88 dropped 128 Multi AV Scanner detection for dropped file 51->128 130 Machine Learning detection for dropped file 51->130 132 Drops executables to the windows directory (C:\Windows) and starts them 51->132 67 msorg32.exe 51->67         started        69 cmd.exe 51->69         started        71 cmd.exe 51->71         started        signatures16 process17 file18 102 C:\Windows\...\ShellExperienceHost.exe, PE32 61->102 dropped 104 C:\Windows\System32\rtutils\winlogon.exe, PE32 61->104 dropped 106 C:\Windows\DtcInstall\explorer.exe, PE32 61->106 dropped 108 2 other malicious files 61->108 dropped 148 Multi AV Scanner detection for dropped file 61->148 150 Creates files inside the volume driver (system volume information) 61->150 152 Machine Learning detection for dropped file 61->152 156 4 other signatures 61->156 154 Adds a directory exclusion to Windows Defender 67->154 73 cmd.exe 67->73         started        76 conhost.exe 69->76         started        78 schtasks.exe 69->78         started        80 conhost.exe 71->80         started        82 choice.exe 71->82         started        signatures19 process20 signatures21 134 Wscript starts Powershell (via cmd or directly) 73->134 136 Adds a directory exclusion to Windows Defender 73->136 84 conhost.exe 73->84         started        86 powershell.exe 73->86         started        process22
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ca1c052698c5a5c7e5ddcd14a95709288a364cd0be7fa06d03c62c2ead4ea78b/
Threat name:
Win64.Trojan.Bingoml
Create hunting rule
Status:
Malicious
First seen:
2021-08-21 19:24:00 UTC
AV detection:
22 of 46 (47.83%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0e439b622658ab71228c7388ec456c7baf041046d7eff1a37bc9c02177c324ed
19f71da28ebab8fe7256a657c603698ad607a7273e85d0e8b107269643cfa5dd
6da210965cd769856bbcb8bb501abf25c832f0f6a70e73240436629ce6362fa9
b88350726e9a1dc492b8fde7c03fdd0f5c7669b6919e1c25ddbcb8a69125c330
c1f1b8f358e98ae14b424dd8d57e022b8dc68c7c5f14a8d3dea8f1e66601f351
cba27621d4b7c92fd50bf37135e150b45097ca9306061ed7049f802047bbd1b9
ea07ac0be9b5d757b3d6eab704606fb022770451be04c729af03f3a0941d3fc8
ff1ddb96f4984d4ed65016ca7814432d51a08fe090fae4907e85926469e880da
+ 592 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
upx
Link:
https://tria.ge/reports/210824-zzl9cypeh2/
Behaviour
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
Unpacked files
SH256 hash:
ca1c052698c5a5c7e5ddcd14a95709288a364cd0be7fa06d03c62c2ead4ea78b
MD5 hash:
a1e0aa315c2caf13f0f7edacea3e9aea
SHA1 hash:
3e768bdf99b6e40d8da1a0a74f345c8a316a6b89
Link:
https://www.unpac.me/results/9f297402-c5bb-46fa-8938-62da94628f7f/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/ca1c052698c5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ca1c052698c5a5c7e5ddcd14a95709288a364cd0be7fa06d03c62c2ead4ea78b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe ca1c052698c5a5c7e5ddcd14a95709288a364cd0be7fa06d03c62c2ead4ea78b

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1561573/
Cape
Cape
https://www.capesandbox.com/analysis/182035/

Comments


Avatar
zbet commented on 2021-08-24 23:18:54 UTC

url : hxxp://168.100.8.24/1.exe