MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cc1d1ef82f7887443e7902e8e91013f3308804f7143ef769e0b3e98a45aee037. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 4


Intelligence 4 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cc1d1ef82f7887443e7902e8e91013f3308804f7143ef769e0b3e98a45aee037
SHA3-384 hash: 3c8661ff087b79cde59d4d24069327a81f9dbfe73834566ef81073c62fa41a931d116164a96c2ba0b6d1f09a65269c1a
SHA1 hash: 258dd76b4743da3eeb6241ac1d31eda7559a71d0
MD5 hash: ad6509463c3fe2164613c56a909807f3
humanhash: oklahoma-purple-zulu-aspen
File name:ad6509463c3fe2164613c56a909807f3
Download: download sample
File size:3'486'080 bytes
First seen:2021-06-24 01:11:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f305f7d0b252c6c9d0963a75a95795a5
ssdeep 49152:3vZR/IPBPn97UaROhBDbI4BTbR4H12IQy4cjLPbQD+QtsPn6wp/VHbdwKHyftUg:3ROPBPn9Y7bIkbp72jLT+tsPnl42g
Threatray 38 similar samples on MalwareBazaar
TLSH B4F5D042EB9144B2E8928574D1BAA3379E36BD524321C6CB53E07C61BF317E16E3D389
Reporter zbetcheckin
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
85
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ad6509463c3fe2164613c56a909807f3
Verdict:
No threats detected
Analysis date:
2021-06-24 01:12:14 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7e13ecfe-0c9a-4c65-965b-29b58010a78f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.46514705.25959.25059.UNOFFICIAL
Create hunting rule

Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/968ac386-b704-4b8d-b269-bb5c3486ab70
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
54 / 100
Link:
https://www.joesandbox.com/analysis/807023
Signature
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
May modify the system service descriptor table (often done to hook functions)
Multi AV Scanner detection for submitted file
Uses regedit.exe to modify the Windows registry
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 439432 Sample: D2o3eyDg72 Startdate: 24/06/2021 Architecture: WINDOWS Score: 54 36 Antivirus / Scanner detection for submitted sample 2->36 38 Multi AV Scanner detection for submitted file 2->38 40 May modify the system service descriptor table (often done to hook functions) 2->40 7 D2o3eyDg72.exe 3 2->7         started        process3 file4 34 C:\Windows\System32\Process.dat, PE32 7->34 dropped 42 Detected unpacking (changes PE section rights) 7->42 11 cmd.exe 1 7->11         started        14 cmd.exe 1 7->14         started        16 cmd.exe 1 7->16         started        18 2 other processes 7->18 signatures5 process6 signatures7 44 Uses regedit.exe to modify the Windows registry 11->44 20 conhost.exe 11->20         started        22 reg.exe 3 1 11->22         started        24 conhost.exe 14->24         started        26 regedit.exe 14->26         started        28 conhost.exe 16->28         started        30 conhost.exe 18->30         started        32 conhost.exe 18->32         started        process8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cc1d1ef82f7887443e7902e8e91013f3308804f7143ef769e0b3e98a45aee037/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-06-18 09:27:40 UTC
AV detection:
18 of 46 (39.13%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
1b09e1ef7e44680e2fdd5909dbae73c46ad9d4d007f9ef077acfa102a613f908
3c492932d633ea366294ad1c6b29169805e50338f522265d5d8531aff6d77882
428280c60495d98bb323401c877783e641d21f649684fbacbb29bc8067bf6635
6038e37ba1da37980c6d1436a98e4793843e153511b8e54f8411b428d3e31ef1
6de9fe7d510845139ac7228f137e50d6caa771be883b1a1b5f2244ab04ca5b79
958085c479df4ae7ebbd407dd43f11edcb0fa4677470c819fcaf5df87191b992
a735f487179cdb2e5fb6a366750e12c774d485a6259cbdc8c0aa6f726b1992f7
e7662182c984884cdf7c0c436538bc82cb1d8f91c2d6bfe0cec1ba9b3d63c259
ed4aef67444c1b22bd8ef038a1544fbcc65b602111020db1a5a2a88e1964e4f1
fd7ee166a2ef80d3dc9668383540eade22f9cf7125a870bd0efb0f14b1239e31
+ 28 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
evasion
Link:
https://tria.ge/reports/210624-n3p8ka625x/
Behaviour
Runs .reg file with regedit
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Launches sc.exe
Drops file in System32 directory
Stops running service(s)
Unpacked files
SH256 hash:
0f3fc3a6e714398347fda965b3f95790ee07c83e94dd5c754a2a298b1fe1064a
MD5 hash:
5cdddecf92f53516d4d03a8eb5d6cd67
SHA1 hash:
ead18e588ea4ea8b6f80cd6535065dd5cb2a42c5
Link:
https://www.unpac.me/results/c05431a6-ea65-46f2-8512-380012546a48/
SH256 hash:
f93d95e0ed476d7fd5ff5a62436e05d2e2237328789c2992f8fa8e736273753e
MD5 hash:
f5b74894dada36da5e7afcdea5979656
SHA1 hash:
259a9af6d2903977607bee0b8c887576d377f600
Link:
https://www.unpac.me/results/c05431a6-ea65-46f2-8512-380012546a48/
SH256 hash:
b28c5cc82e0a8d492939e5a0dd0da18701b2a8af5d71ad8a5d7957cc248754af
MD5 hash:
97cddd2a41cf4afbcc082a7dc84e965c
SHA1 hash:
10075a1a8f302959887a931d950bc59fa22e4984
Link:
https://www.unpac.me/results/c05431a6-ea65-46f2-8512-380012546a48/
SH256 hash:
1309b465095ff02e097992f6ea5aca0e1228294a8726c07c572ea7fa4543b704
MD5 hash:
c7a8a0a48011900e0602f0b42808820d
SHA1 hash:
d87d421602157265e8fb6506ce202eccbdf5d4f4
Link:
https://www.unpac.me/results/c05431a6-ea65-46f2-8512-380012546a48/
SH256 hash:
cc1d1ef82f7887443e7902e8e91013f3308804f7143ef769e0b3e98a45aee037
MD5 hash:
ad6509463c3fe2164613c56a909807f3
SHA1 hash:
258dd76b4743da3eeb6241ac1d31eda7559a71d0
Link:
https://www.unpac.me/results/c05431a6-ea65-46f2-8512-380012546a48/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/cc1d1ef82f7887443e7902e8e91013f3308804f7143ef769e0b3e98a45aee037

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:INDICATOR_EXE_Packed_MPress
Create hunting rule
Author:ditekSHen
Description:Detects executables built or packed with MPress PE compressor
Rule name:INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with VMProtect.
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe cc1d1ef82f7887443e7902e8e91013f3308804f7143ef769e0b3e98a45aee037

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1393158/

Comments