MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cc53accc69b32c2507210ea70d1d56aa84dbe354a7f79577df180179ea797427. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ApocalypseStealer

Vendor detections: 12

SHA256 hash: cc53accc69b32c2507210ea70d1d56aa84dbe354a7f79577df180179ea797427
SHA3-384 hash: f66bc55241dd4843043ece793e70036f6593c9cc9ac14160c7010e259d217a1e5d8bc3d3522cdb31e11684a33fc88e67
SHA1 hash: 8fae8984391bd9dddb7afc0ebdd87a05954a7134
MD5 hash: bd64d2e0d11093bbd84be2b6ca1c113d
humanhash: connecticut-india-harry-magazine
File name: cc53accc69b32c2507210ea70d1d56aa84dbe354a7f79577df180179ea797427
Signature: ApocalypseStealer
File size: 6'473'744 bytes
First seen: 2021-02-28 07:28:02 UTC
Last seen: 2021-02-28 10:08:20 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: a433bcf814979ada832d35d0623c6a1e (1 x ApocalypseStealer, 1 x DCRat)
ssdeep: 196608:9LSllO4CkacXgXHMG3y+dqhPO74oID5LUgyl1RSBR/Cg:NSlE4YcXOxyHPO7n+peMDag
Threatray: 206 similar samples on MalwareBazaar
TLSH: 38663305CBCF4603E8C59AF3B88F591056244366F8BC5FF64513081FBB6DA9BB867268
Reporter: JAMESWT_WT
Tags: ApocalypseStealer

Intelligence

File Origin
# of uploads: 2
# of downloads: 955
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: cc53accc69b32c2507210ea70d1d56aa84dbe354a7f79577df180179ea797427
Verdict: Malicious activity
Analysis date: 2021-02-28 08:20:41 UTC
Tags: stealer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for analyzing tools
Searching for the window
Creating a file in the %temp% directory
Creating a process from a recently created file
Sending a UDP request
Creating a file
Launching a process
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Running batch commands
Deleting a recently created file
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: DCRat StormKitty Xmrig
Detection: malicious
Classification: troj.spyw.evad.mine
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the user root directory
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found strings related to Crypto-Mining
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected DCRat
Yara detected StormKitty Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph: ID 359377, sample d1VkusfZmE, start date 28/02/2021, architecture WINDOWS, score 100. The rendered graph did not survive extraction; its recoverable content is as follows.
d1VkusfZmE.exe drops lxxxxxx.exe, File.exe and 1.exe under C:\Users\user\AppData\Local and starts them, with anti-VM, anti-sandbox and anti-debugger checks flagged on the parent process.
File.exe drops @asasinalex.exe and 1.exe (C:\Users\user\AppData\Roaming\1337); lxxxxxx.exe drops fontdrvhost.exe (C:\Windows\appcompat), RuntimeBroker.exe (C:\Users\Default), smartscreen.exe and msiexec.exe (C:\ProgramData) and runs schtasks.exe; 1.exe drops SecurityHealthTray.exe and task.xml (C:\ProgramData\SecurityEssentials) and runs cmd.exe and schtasks.exe.
Network contacts: kosmetcika.online (Russian Federation), apocalypsee.fun (Russian Federation), ip-api.com (United States) and 3 other IPs or domains.
Threat name: Win32.Dropper.Delfea
Status: Malicious
First seen: 2021-02-26 23:32:20 UTC
AV detection: 21 of 29 (72.41%)
Threat level: 3/5

Result
Malware family:
Score: 10/10
Tags: family:xmrig discovery evasion miner spyware themida trojan
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
NSIS installer
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks whether UAC is enabled
Looks up external IP address via web service
Checks BIOS information in registry
Loads dropped DLL
Modifies file permissions
Reads user/profile data of web browsers
themida
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
XMRig Miner Payload
xmrig
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_EXE_Packed_Themida
Author: ditekSHen
Description: Detects executables packed with Themida

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments