MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cb849a97f4c8110a19e254f0a7fa13499ec97d9e3c9d645e6800e8bae45de989. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Blackmoon

Vendor detections: 9



SHA256 hash: cb849a97f4c8110a19e254f0a7fa13499ec97d9e3c9d645e6800e8bae45de989
SHA3-384 hash: 83bd1bc8537e2c6865303c4cb1fb33aed407d9c94d3c3350996dc1f4839b5e350dbd4df471241d00482d8a2fef255746
SHA1 hash: ddceeb5aaded81c26202aa067ea2365c13e2cd1c
MD5 hash: 678db70bf938a610ef0fe0a9b5d574f2
humanhash: ink-hamper-dakota-twenty
File name: CB849A97F4C8110A19E254F0A7FA13499EC97D9E3C9D645E6800E8BAE45DE989
Signature: Blackmoon
File size: 259'072 bytes
First seen: 2021-02-09 15:01:53 UTC
Last seen: 2021-02-09 17:13:52 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 09d0478591d4f788cb3e5ea416c25237 (4 x Worm.Mofksys, 3 x Blackmoon, 2 x Gh0stRAT)
ssdeep: 6144:HukrdT/buTQ8ntfgI73BZAVHgh+9Jvgtpw:5J/bqnntIA4wIJv+
Threatray: 5 similar samples on MalwareBazaar
TLSH: CC44231216E805F6E41389BA2FD57F6CF222B79C01660B510A31294837B7B7F56A73EC
Reporter: JAMESWT_WT
Tags: Blackmoon

Intelligence

File Origin
# of uploads: 2
# of downloads: 126
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: CB849A97F4C8110A19E254F0A7FA13499EC97D9E3C9D645E6800E8BAE45DE989
Verdict: Malicious activity
Analysis date: 2020-10-30 07:10:22 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:

Behaviour
Launching the default Windows debugger (dwwin.exe)
Creating a file in the Windows directory
Sending a UDP request
Launching a process
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Creating a window
DNS request
Enabling the 'hidden' option for analyzed file
Sending an HTTP GET request
Changing DNS server
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 96 / 100

Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions

Behaviour
Behavior Graph: ID 350605; Sample: oifdGsZ16e; Start date: 09/02/2021; Architecture: WINDOWS; Score: 96 (graph image not reproduced here).
Process tree recovered from the graph: oifdGsZ16e.exe started three times, each instance spawning cacls.exe and WerFault.exe; WerFault.exe dropped C:\ProgramData\Microsoft\...\Report.wer (Little-endian).
Network activity recovered from the graph: users.qzone.qq.com (58.250.136.113, port 80, UNICOM-SHENZHEN-IDC, China) and 127.0.0.1.
Threat name: Win32.Trojan.Konar
Status: Malicious
First seen: 2016-03-14 02:57:22 UTC
File Type: PE (Exe)
Extracted files: 7
AV detection: 35 of 47 (74.47%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: persistence upx

Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
UPX packed file
Unpacked files

SHA256 hash: e760ec49072b9dfc828e309c881014d558cde6833291e529894ee544361625fb
MD5 hash: be02dfb55be3c0d4a70bc462979da7df
SHA1 hash: bc7af939517d8d623c436d76d9ab0cbb54509ff4
Detections: win_krbanker_auto

SHA256 hash: 495f31b38b87306bc7c5de00ea6ab1d292471b5ac0571e965ad3d36c403095e4
MD5 hash: 27fbb7a325a3c643144ae74dc26d8fe3
SHA1 hash: 9e9ca0e43d46aa93641a21c817c1d530ea797dd7

SHA256 hash: cb849a97f4c8110a19e254f0a7fa13499ec97d9e3c9d645e6800e8bae45de989
MD5 hash: 678db70bf938a610ef0fe0a9b5d574f2
SHA1 hash: ddceeb5aaded81c26202aa067ea2365c13e2cd1c
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.
