MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cca1705d7a85fe45dce9faec5790d498427b3fa8e546d7d7b57f18a925fdfa5d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Kimsuky


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments

SHA256 hash: cca1705d7a85fe45dce9faec5790d498427b3fa8e546d7d7b57f18a925fdfa5d
SHA3-384 hash: 00ae2a55c3fb1dc867a917182d99ebb04f732f221c5ae72789f31e11f3bf7075eb70f4b2935568c0a8ff4d57ff1fd746
SHA1 hash: 3671eaf95ce83f769ee2bd73f5c1c9e85b34fee1
MD5 hash: 73d2899aade924476e58addf26254c2e
humanhash: alpha-oscar-august-alpha
File name:Job Description (LM HR Division II).pdf .scr
Download: download sample
Signature Kimsuky
File size:3'367'192 bytes
First seen:2024-05-24 06:50:17 UTC
Last seen:2025-09-05 06:37:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 296bc1d77d0aae015c0fa89fbd647c05 (1 x Kimsuky)
ssdeep 49152:nbgJtzo6o0NhIKejSHGN7y4S2khW4vDq/NHuOwgKP9J3aoVDc4N:oCBjvM+c398i
Threatray 1 similar samples on MalwareBazaar
TLSH T183F5AEA28F1A284AF9F2D577CE4EB530E429F0125B7A18B23BC51E539D19781E13DF21
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon e0e8323270590608 (3 x Kimsuky)
Reporter smica83
Tags:apt download-uberlingen-com exe Kimsuky signed

Code Signing Certificate

Organisation:Nexaweb, Inc.
Issuer:DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Algorithm:sha256WithRSAEncryption
Valid from:2022-09-20T00:00:00Z
Valid to:2025-09-19T23:59:59Z
Serial number: 0315e137a6e2d658f07af454c63a0af2
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 4a52830e2f9d65a5c22c980607da4e25210097ccb35f62ec2873e16050592afe
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads :
4
# of downloads :
421
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
cca1705d7a85fe45dce9faec5790d498427b3fa8e546d7d7b57f18a925fdfa5d.exe
Verdict:
Malicious activity
Analysis date:
2024-05-24 06:52:28 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
90.2%
Tags:
Encryption Static Nekark
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file
Creating a file in the %temp% directory
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a window
Searching for synchronization primitives
DNS request
Creating a service
Enabling autorun for a service
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
lolbin masquerade overlay packed regsvr32 shell32
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
57 / 100
Signature
Creates files in alternative data streams (ADS)
Initial sample is a PE file and has a suspicious name
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Self deletion via cmd or bat file
Sigma detected: Suspicious New Service Creation
Uses an obfuscated file name to hide its real file extension (double extension)
Behaviour
Behavior Graph:
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1447031 Sample: Job Description (LM HR Divi... Startdate: 24/05/2024 Architecture: WINDOWS Score: 57 44 Multi AV Scanner detection for dropped file 2->44 46 Multi AV Scanner detection for submitted file 2->46 48 Uses an obfuscated file name to hide its real file extension (double extension) 2->48 50 3 other signatures 2->50 8 Job Description (LM HR Division II).pdf .scr.exe 3 4 2->8         started        11 svchost.exe 1 1 2->11         started        14 svchost.exe 2->14         started        process3 dnsIp4 36 C:\ProgramData\desktop.ini, PE32+ 8->36 dropped 38 C:\Users\user\AppData\Local\...\msbuild.bat, ASCII 8->38 dropped 16 regsvr32.exe 1 8->16         started        20 Acrobat.exe 20 74 8->20         started        22 cmd.exe 1 8->22         started        40 127.0.0.1 unknown unknown 11->40 file5 process6 file7 34 C:\ProgramData\desktop.ini:info, data 16->34 dropped 42 Creates files in alternative data streams (ADS) 16->42 24 sc.exe 16->24         started        26 AcroCEF.exe 106 20->26         started        28 conhost.exe 22->28         started        signatures8 process9 process10 30 conhost.exe 24->30         started        32 AcroCEF.exe 26->32         started       
Threat name:
Win64.Trojan.Nekark
Status:
Malicious
First seen:
2024-05-23 19:32:38 UTC
File Type:
PE+ (Exe)
Extracted files:
52
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
zloader
Result
Malware family:
n/a
Score:
  8/10
Tags:
execution persistence
Behaviour
Checks processor information in registry
Modifies Internet Explorer settings
Modifies registry class
NTFS ADS
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Launches sc.exe
Loads dropped DLL
Checks computer location settings
Deletes itself
Drops desktop.ini file(s)
Creates new service(s)
Unpacked files
SH256 hash:
cca1705d7a85fe45dce9faec5790d498427b3fa8e546d7d7b57f18a925fdfa5d
MD5 hash:
73d2899aade924476e58addf26254c2e
SHA1 hash:
3671eaf95ce83f769ee2bd73f5c1c9e85b34fee1
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:PE_Digital_Certificate
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Author:albertzsigovits

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteW
SHELL32.dll::ShellExecuteA
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineA
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleOutputCP
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW

Comments