MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ca3ee4fd6ee1ac062b9120a3aebea22568bf1271c9894ec4914b9c29bbf1c853. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ca3ee4fd6ee1ac062b9120a3aebea22568bf1271c9894ec4914b9c29bbf1c853
SHA3-384 hash: c44cc96cab83ee3cb1413e9241ffd0de3a47c02b6a0b3f598ff1cb912a5caf41ec4ea8c7dae0e6a5665fc8e4ab3620e4
SHA1 hash: 90ba8160d34bcccf86d67a2645ee12b38b70271a
MD5 hash: 95844ba296e9b84a7766efe49718f53e
humanhash: six-pennsylvania-low-sad
File name:SecuriteInfo.com.Trojan.Rasftuby.Gen.14.10239.27368
Download: download sample
File size:1'010'014 bytes
First seen:2020-12-26 11:37:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 24576:Y2G/nvxW3WsTq868ykX4AsiTidF6zXyPo5E31fdJQF6iXyJo5oJqPf7MY:YbA3Db685+wQUEl7QwPUokPzMY
Threatray 340 similar samples on MalwareBazaar
TLSH DF251242FEC19AB3D6610D35556DAB216138BD101F149FEBA3D02E6DEA301C0AB35BB7
Reporter SecuriteInfoCom

Intelligence

File Origin
# of uploads :
1
# of downloads :
292
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/109494/
Detection(s):
SecuriteInfo.com.Trojan.Rasftuby.Gen.14.10239.27368.UNOFFICIAL
Create hunting rule

PUA.Win.File.Generic-7109589-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Using the Windows Management Instrumentation requests
Running batch commands
Sending a UDP request
DNS request
Sending a custom TCP request
Reading critical registry keys
Creating a file
Changing a file
Replacing files
Deleting a recently created file
Sending an HTTP GET request
Unauthorized injection to a recently created process
Delayed reading of the file
Moving a recently created file
Launching a tool to kill processes
Stealing user critical data
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
phis.troj.evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/570198
Signature
Modifies Chrome's extension installation force list
Multi AV Scanner detection for submitted file
Sigma detected: MSHTA Spawning Windows Shell
Uses known network protocols on non-standard ports
Uses regedit.exe to modify the Windows registry
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 334159 Sample: SecuriteInfo.com.Trojan.Ras... Startdate: 26/12/2020 Architecture: WINDOWS Score: 64 69 Multi AV Scanner detection for submitted file 2->69 71 Uses known network protocols on non-standard ports 2->71 73 Uses regedit.exe to modify the Windows registry 2->73 75 Sigma detected: MSHTA Spawning Windows Shell 2->75 11 SecuriteInfo.com.Trojan.Rasftuby.Gen.14.10239.exe 24 2->11         started        process3 file4 45 C:\Users\user\AppData\Local\...\chrome64.bat, DOS 11->45 dropped 47 C:\Users\user\AppData\...\vcruntime140_1.dll, PE32+ 11->47 dropped 49 C:\Users\user\AppData\Local\Temp\...\main.exe, PE32+ 11->49 dropped 14 main.exe 1 2 11->14         started        process5 dnsIp6 61 www.ukndesw19x.com 14->61 63 get.geojs.io 172.67.70.233, 443, 49757 CLOUDFLARENETUS United States 14->63 65 2 other IPs or domains 14->65 17 regedit.exe 3 14->17         started        20 cmd.exe 1 14->20         started        22 taskkill.exe 1 14->22         started        24 regedit.exe 4 14->24         started        process7 signatures8 67 Modifies Chrome's extension installation force list 17->67 26 mshta.exe 21 20->26         started        28 conhost.exe 20->28         started        30 conhost.exe 22->30         started        process9 process10 32 cmd.exe 1 26->32         started        process11 34 chrome.exe 14 501 32->34         started        38 conhost.exe 32->38         started        dnsIp12 51 192.168.2.1 unknown unknown 34->51 53 239.255.255.250 unknown Reserved 34->53 43 C:\Users\user\AppData\Local\...\temp-index, PDP-11 34->43 dropped 40 chrome.exe 34->40         started        file13 process14 dnsIp15 55 googlehosted.l.googleusercontent.com 216.58.215.225, 443, 49763, 49779 GOOGLEUS United States 40->55 57 192.168.2.4, 443, 49228, 49285 unknown unknown 40->57 59 clients2.googleusercontent.com 40->59
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ca3ee4fd6ee1ac062b9120a3aebea22568bf1271c9894ec4914b9c29bbf1c853/
Threat name:
Win32.Trojan.Rasftuby
Create hunting rule
Status:
Malicious
First seen:
2020-12-26 07:59:48 UTC
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
048066b8f8dcf8a74e78e458a727edf50094a5849dbaae9cc80df053deae7c47
4873869d22df0e7fcec173e490e31f14e42b55bf594bf5c722d08ed43a9e5292
83591d8a19e792f771276deb5ed430ab1192b51f605a9ca7386161eaf520d0fa
85f68c16519e6f833c593ed0e6b735366c061bb808c6228d730b48e3f025a9a5
86b0b53349b935048562758a34e08ae6190c67fa522e8742f60702b334625d36
9e7babad53c8a852391f9ea81a511f97a925935e537b02b45585880ef13f7aee
a408e65fa77a4eded318a05af68fe27f522ec61b0c3e30aa34a5703b06fe2cf8
ad581fb309576256ec7a088553b885a068180541d310513acdcd985e47c04731
bcee5b3f4acfc85f500a2edd23402b92b87bca11263ffc3ef31f8c0a6c31f6a6
bf64131372e368ffb93f50038fca0362b3694c5b59e5285ba23b65326098e6e3
+ 330 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware
Link:
https://tria.ge/reports/201226-qpcc9747bn/
Behaviour
Kills process with taskkill
Modifies Internet Explorer settings
Runs .reg file with regedit
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
JavaScript code in executable
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Unpacked files
SH256 hash:
ca3ee4fd6ee1ac062b9120a3aebea22568bf1271c9894ec4914b9c29bbf1c853
MD5 hash:
95844ba296e9b84a7766efe49718f53e
SHA1 hash:
90ba8160d34bcccf86d67a2645ee12b38b70271a
Link:
https://www.unpac.me/results/b2f1eaa6-7210-4524-b46e-a404a555225e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Scar
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ca3ee4fd6ee1ac062b9120a3aebea22568bf1271c9894ec4914b9c29bbf1c853

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe ca3ee4fd6ee1ac062b9120a3aebea22568bf1271c9894ec4914b9c29bbf1c853

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/942374/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/109494/

Comments