MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ce294b3c9e58d2d6394e2aa447ad3b586e0e23cdd22bd050a362bdd57a3e3fe9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat: unknown
Vendor detections: 7



SHA256 hash: ce294b3c9e58d2d6394e2aa447ad3b586e0e23cdd22bd050a362bdd57a3e3fe9
SHA3-384 hash: a4326edb1972ff99a4502b96fc4e476420923289ada84b84d528f02f81afbaf2cdc31523507f1885b126f45d87fb9562
SHA1 hash: f2953a9ba829d6fd1e0955dbc95e55abd08234e1
MD5 hash: 3694ac62d90c1e9f89145f324dc0e204
humanhash: gee-kentucky-winter-eight
File name: 3694ac62d90c1e9f89145f324dc0e204.exe
File size: 719'872 bytes
First seen: 2021-08-08 15:21:13 UTC
Last seen: 2021-08-08 16:01:42 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: df0bf408650a99ce9a9544d9b2764ac7 (1 x RemcosRAT)
ssdeep: 12288:MZ/oQGlw+x/oF6Np91m6mJ9G2fUeiDnsmJbtM+bvKAlQrfF8h:EQhw+asfm6P2fZiDn/xXZlQ7
Threatray: 649 similar samples on MalwareBazaar
TLSH: T1CBE4AE22E3D14A33E1227A76DC4FA37594237F021E29791B26D61E345F39AE27C570E2
dhash icon: 9874ded6d6d4c853 (1 x RemcosRAT)
Reporter: abuse_ch
Tags: exe
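Before handling a locally obtained copy of this sample, check it against the digests and size listed above. The script below is an added example, not MalwareBazaar's own code: it reads the file once, feeds every chunk to all four algorithms the entry lists (SHA256, SHA3-384, SHA1, MD5), and reports which values disagree. Only the standard library is used; the function names are this example's own.

```python
import hashlib
import io

# Digests and size copied from the entry above (hex, lowercase).
ENTRY_DIGESTS = {
    "sha256": "ce294b3c9e58d2d6394e2aa447ad3b586e0e23cdd22bd050a362bdd57a3e3fe9",
    "sha3_384": "a4326edb1972ff99a4502b96fc4e476420923289ada84b84d528f02f81afbaf2cdc31523507f1885b126f45d87fb9562",
    "sha1": "f2953a9ba829d6fd1e0955dbc95e55abd08234e1",
    "md5": "3694ac62d90c1e9f89145f324dc0e204",
}
ENTRY_SIZE = 719872


def digest_stream(fileobj, chunk_size=1 << 20):
    """Read the file once, updating every algorithm in ENTRY_DIGESTS per chunk.

    Returns ({algorithm: hexdigest}, byte_count)."""
    hashers = {name: hashlib.new(name) for name in ENTRY_DIGESTS}
    size = 0
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        size += len(chunk)
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}, size


def verify(fileobj, expected=ENTRY_DIGESTS, expected_size=ENTRY_SIZE):
    """Compare a file-like object against the entry.

    Returns (ok, mismatches, actual). mismatches names every digest whose value
    differs, plus "size" when the byte count differs. All four digests are
    compared even though SHA256 alone settles identity: a partial agreement
    (say, only MD5 matching) points at a wrong or tampered download and is
    worth seeing explicitly rather than as a bare "no match"."""
    actual, size = digest_stream(fileobj)
    mismatches = [name for name, value in expected.items()
                  if actual[name] != value.lower()]
    if size != expected_size:
        mismatches.append("size")
    return not mismatches, mismatches, actual


def verify_bytes(data, **kwargs):
    """Same check for in-memory bytes (used for self-tests)."""
    return verify(io.BytesIO(data), **kwargs)


def verify_path(path, **kwargs):
    """Check a file on disk, e.g. the .exe extracted from the downloaded archive."""
    with open(path, "rb") as f:
        return verify(f, **kwargs)


if __name__ == "__main__":
    import sys
    ok, mismatches, actual = verify_path(sys.argv[1])
    for name, value in actual.items():
        print(f"{name:9s} {value}")
    print("MATCH" if ok else "MISMATCH: " + ", ".join(mismatches))
```

Run it as `python verify_sample.py <path-to-extracted-file>`; an exit with "MATCH" means the local bytes are exactly the object this entry describes, so the sandbox verdicts and the unpacked-file hashes further down apply to what you hold.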

Intelligence

File Origin
# of uploads: 2
# of downloads: 127
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 3694ac62d90c1e9f89145f324dc0e204.exe
Verdict: Malicious activity
Analysis date: 2021-08-08 15:28:19 UTC
Tags: n/a
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Sending a UDP request
DNS request
Connection attempt
Sending a custom TCP request
Creating a file
Unauthorized injection to a recently created process
Running batch commands
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Launching a process
Launching cmd.exe command interpreter
Deleting a recently created file
Creating a process from a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file

Result
Verdict: UNKNOWN
Details
Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Clipboard Hijacker
Detection: malicious
Classification: spyw.evad
Score: 100 / 100
Signatures
Contains functionality to compare user and computer (likely to detect sandboxes)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Sigma detected: Execution from Suspicious Folder
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Clipboard Hijacker
Behaviour
Behavior graph (ID 461243; sample run as 8yfmnpkS56.exe; start date 08/08/2021; architecture WINDOWS; score 100), as a process tree:

Top-level signatures: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected Clipboard Hijacker; Sigma detected: Execution from Suspicious Folder

8yfmnpkS56.exe (submitted sample)
  network: cdn.discordapp.com 162.159.133.233:443 (source ports 49733, 49734; CLOUDFLARENETUS, United States); 192.168.2.1 (unknown)
  dropped: C:\Users\Public\Libraries\...\Bdojytw.exe (PE32)
  signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Uses schtasks.exe or at.exe to add and modify task schedules; Contains functionality to compare user and computer (likely to detect sandboxes)
  8yfmnpkS56.exe (second instance)
    dropped: C:\Users\user\AppData\Roaming\...\sqlcmd.exe (PE32); C:\Users\user\...\sqlcmd.exe:Zone.Identifier (ASCII)
    schtasks.exe
      conhost.exe
  cmd.exe
    reg.exe
      conhost.exe
    conhost.exe
  cmd.exe
    cmd.exe
      conhost.exe
    conhost.exe
sqlcmd.exe
  network: 162.159.135.233:443 (source ports 49742, 49749; CLOUDFLARENETUS, United States)
  signatures: Multi AV Scanner detection for dropped file; Injects a PE file into a foreign processes
  sqlcmd.exe
    schtasks.exe
      conhost.exe
Bdojytw.exe
  Bdojytw.exe
    sqlcmd.exe
2 other processes
  signature: Sample uses process hollowing technique
  sqlcmd.exe
    network: cdn.discordapp.com
    signature: Injects a PE file into a foreign processes
  Bdojytw.exe
  sqlcmd.exe
Result
Threat name: Win32.Trojan.Phonzy
Status: Malicious
First seen: 2021-08-08 14:34:03 UTC
AV detection: 9 of 28 (32.14%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: persistence
Behaviour
Creates scheduled task(s)
Modifies registry key
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Unpacked files
SHA256 hash: 3f780c466a46983164bacea98a032b4d8626c0ed100f8a5d4ee8813c01538fae
MD5 hash: 0dd2c4e041ae3fdb5e7b1b20b6350dff
SHA1 hash: b15f00474f67e1b67314976a6852182021b2c00f

SHA256 hash: ce294b3c9e58d2d6394e2aa447ad3b586e0e23cdd22bd050a362bdd57a3e3fe9 (the submitted sample itself)
MD5 hash: 3694ac62d90c1e9f89145f324dc0e204
SHA1 hash: f2953a9ba829d6fd1e0955dbc95e55abd08234e1

Please note that we are no longer able to provide a coverage score for Virus Total.
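The vendors above do not agree on a family (Clipboard Hijacker, Win32.Trojan.Phonzy, n/a, and "Threat unknown" at the top of the entry), but they do agree on behaviour: a payload staged under C:\Users\Public\Libraries and %AppData%\Roaming, persistence through schtasks.exe and a reg.exe write to the CurrentVersion\Run key, and process hollowing seen as WriteProcessMemory and SetThreadContext against a freshly created process. Detection keyed on that behaviour holds up regardless of the family label. The code below is an added example, not code from MalwareBazaar or any of the sandbox vendors: three process-creation rules and one API-sequence rule run over constructed records. Process records use Sysmon Event ID 1 field names (Image, ParentImage, CommandLine); the API-trace record shape, the "Example" subfolder and task names (the page elides the real ones), and the PIDs are assumptions of this example.

```python
import re

# Staging folders taken from the behaviour graph and the "Execution from
# Suspicious Folder" Sigma hit above; matched against lowercased image paths.
SUSPICIOUS_DIRS = ("c:\\users\\public\\libraries\\", "\\appdata\\roaming\\")
CREATE_SUSPENDED = 0x00000004  # CreateProcess dwCreationFlags bit

def _image_is(evt, exe):
    return evt.get("Image", "").lower().endswith("\\" + exe)

def rule_suspicious_folder(evt):
    """A process image started out of a user-writable staging folder."""
    image = evt.get("Image", "").lower()
    return any(folder in image for folder in SUSPICIOUS_DIRS)

def rule_schtasks_create(evt):
    """schtasks.exe creating a task ('Uses schtasks.exe or at.exe ...')."""
    return _image_is(evt, "schtasks.exe") and re.search(
        r"(?i)\s/create\b", evt.get("CommandLine", "")) is not None

def rule_run_key_add(evt):
    """reg.exe adding a value under the CurrentVersion Run key (autorun)."""
    return _image_is(evt, "reg.exe") and re.search(
        r"(?i)\badd\b.*currentversion\\run\b", evt.get("CommandLine", "")) is not None

PROCESS_RULES = {
    "execution_from_suspicious_folder": rule_suspicious_folder,
    "schtasks_create": rule_schtasks_create,
    "run_key_via_reg": rule_run_key_add,
}

def evaluate_process_events(events):
    """(rule_name, Image) for every process-creation record some rule matches."""
    return [(name, evt["Image"]) for evt in events
            for name, rule in PROCESS_RULES.items() if rule(evt)]

def detect_process_hollowing(api_trace):
    """Target PIDs created suspended, written to, given a new thread context and
    then resumed by the same caller: the WriteProcessMemory/SetThreadContext
    sequence the sandboxes flag."""
    creator = {}  # suspended target pid -> pid that created it
    written, retargeted, hollowed = set(), set(), []
    for call in api_trace:
        api, caller, args = call["api"], call["pid"], call["args"]
        if api == "CreateProcessW" and args.get("dwCreationFlags", 0) & CREATE_SUSPENDED:
            creator[args["new_pid"]] = caller
            continue
        target = args.get("target_pid")
        if creator.get(target) != caller:
            continue  # not a process this caller created suspended
        if api == "WriteProcessMemory":
            written.add(target)
        elif api == "SetThreadContext":
            retargeted.add(target)
        elif api == "ResumeThread" and target in written and target in retargeted:
            hollowed.append(target)
    return hollowed

# Constructed records, not taken from the page; "Example" stands in for the
# subfolder and task names the page elides. The first record is the benign
# control (Desktop is not a staging folder) and must not match.
SAMPLE_PROCESS_EVENTS = [
    {"Image": "C:\\Users\\user\\Desktop\\8yfmnpkS56.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "\"C:\\Users\\user\\Desktop\\8yfmnpkS56.exe\""},
    {"Image": "C:\\Windows\\System32\\schtasks.exe",
     "ParentImage": "C:\\Users\\user\\Desktop\\8yfmnpkS56.exe",
     "CommandLine": "schtasks.exe /create /tn Example /tr "
                    "\"C:\\Users\\user\\AppData\\Roaming\\Example\\sqlcmd.exe\""},
    {"Image": "C:\\Windows\\System32\\reg.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run "
                    "/v Example /t REG_SZ /d \"C:\\Users\\Public\\Libraries\\Example\\Bdojytw.exe\" /f"},
    {"Image": "C:\\Users\\Public\\Libraries\\Example\\Bdojytw.exe",
     "ParentImage": "C:\\Windows\\System32\\svchost.exe",
     "CommandLine": "C:\\Users\\Public\\Libraries\\Example\\Bdojytw.exe"},
]

# Constructed API trace (field names are this example's assumption): pid 1200
# is hollowed, pid 1300 is a normal launch and must not match.
SAMPLE_API_TRACE = [
    {"pid": 1000, "api": "CreateProcessW",
     "args": {"new_pid": 1200, "dwCreationFlags": CREATE_SUSPENDED}},
    {"pid": 1000, "api": "WriteProcessMemory", "args": {"target_pid": 1200}},
    {"pid": 1000, "api": "SetThreadContext", "args": {"target_pid": 1200}},
    {"pid": 1000, "api": "ResumeThread", "args": {"target_pid": 1200}},
    {"pid": 1000, "api": "CreateProcessW", "args": {"new_pid": 1300, "dwCreationFlags": 0}},
    {"pid": 1000, "api": "ResumeThread", "args": {"target_pid": 1300}},
]

if __name__ == "__main__":
    for rule_name, image in evaluate_process_events(SAMPLE_PROCESS_EVENTS):
        print(f"[{rule_name}] {image}")
    print("hollowed pids:", detect_process_hollowing(SAMPLE_API_TRACE))
```

The three process rules run directly over Sysmon or EDR process-creation telemetry. The hollowing rule needs an API-level trace, since Sysmon does not record WriteProcessMemory or SetThreadContext; it is written for sandbox or EDR API monitors and deliberately requires all three steps (write, context change, resume) on a child the same caller created suspended, so debuggers and legitimate installers that merely start a process suspended do not trip it.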

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Executable exe ce294b3c9e58d2d6394e2aa447ad3b586e0e23cdd22bd050a362bdd57a3e3fe9 (this sample)
Delivery method: Distributed via web download

Comments