MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cfbcf827900a5dc36d1d2ba4b4879ce703a429b1952e6e9616f498a9bde68c91. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

N3ww4v3

Vendor detections: 17

Intelligence 17 IOCs YARA 20 File information Comments

SHA256 hash:	cfbcf827900a5dc36d1d2ba4b4879ce703a429b1952e6e9616f498a9bde68c91
SHA3-384 hash:	12f6424ce214f2840123946dc1d59c9e1030889e095d250552b8df1e6711bb64b919817a7bdbe1beef707ec4f4c15ca1
SHA1 hash:	931ebcaec96692ba2054379a489a4af0451bf630
MD5 hash:	68d90c681c9748e8489f3f9fc622301d
humanhash:	oscar-quiet-london-muppet
File name:	2.exe
Download:	download sample
Signature	N3ww4v3 Create hunting rule
File size:	2'457'088 bytes
First seen:	2024-05-22 10:10:20 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	430e92222641741f296d1e98a8abfeab (1 x N3ww4v3)
ssdeep	49152:ethZYkcxB6Zx2dMWmNfcdFanp+tPVJ7A4wsWKQKNZpOcua04w44:ethZYZxoXiYFcdip+XJiK/xu
Threatray	12 similar samples on MalwareBazaar
TLSH	T12DB5D002FBC281B2E19309749176A77F893BBB249734C5D787D01D6A8D312C26A3F7A5
TrID	68.8% (.CPL) Windows Control Panel Item (generic) (57583/11/19) 12.5% (.EXE) Win64 Executable (generic) (10523/12/4) 6.0% (.EXE) Win16 NE executable (generic) (5038/12/1) 5.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.4% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	petrovic
Tags:	exe N3ww4v3

Intelligence

File Origin

# of uploads :

# of downloads :

329

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

kon.txt

Verdict:

Malicious activity

Analysis date:

2024-05-21 21:31:38 UTC

Tags:

mimic ransomware stealer

Link:

https://app.any.run/tasks/70f1c46b-dbca-43f6-840e-03202107ce05

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Win.Ransomware.Mimic-10002067-0

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=664dc4e4e9e4e4d009e888cfwin7simulatehigh_evasion

Tags:

n/a

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-security cmd crypto evasive evasive expand exploit explorer fingerprint keylogger lolbin packed ransomware remote

Link:

https://www.filescan.io/uploads/664dc4bec19b369e29fc0961/reports/2c6d9a2c-76fe-4d0b-9016-8229741f253f/overview

Verdict:

Malicious

Labled as:

Gen:Ransom.REntS.Generic

Link:

https://www.hybrid-analysis.com/sample/cfbcf827900a5dc36d1d2ba4b4879ce703a429b1952e6e9616f498a9bde68c91

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

N3ww4v3 Ransomware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/10205aed-c8fc-48a2-9124-f97e29856e1a

Result

Threat name:

n/a

Detection:

malicious

Classification:

rans.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1445651

Signature

Contains functionality to bypass UAC (CMSTPLUA)

Contains functionality to clear event logs

Contains functionality to compare user and computer (likely to detect sandboxes)

Contains functionality to modify Windows User Account Control (UAC) settings

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Potentially malicious time measurement code found

Yara detected RansomwareGeneric18

Yara detected UAC Bypass using CMSTP

Behaviour

Behavior Graph:

Download SVG

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/cfbcf827900a5dc36d1d2ba4b4879ce703a429b1952e6e9616f498a9bde68c91

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/cfbcf827900a5dc36d1d2ba4b4879ce703a429b1952e6e9616f498a9bde68c91/

Threat name:

Win32.Ransomware.Mimic

Status:

Malicious

First seen:

2024-05-22 10:11:06 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 24 (91.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=z66pqj4qbjo4g3i5fosljb4444b2iknrsuxg5fqw6smktppgrsiq._file

Verdict:

malicious

N3ww4v3

a44d817c29c97f1418de7f456bd7609c37c774e90f83947b317260a87c48bedd

N3ww4v3

a9a4843ea9af569ab5ffd213ac4910898019083eb74ff8f36678092daca92f2e

N3ww4v3

c7adce3459f21a1afb62f779d8baaa2ea3e7614b8fa312ac67725d532c15c54b

N3ww4v3

cfbcf827900a5dc36d1d2ba4b4879ce703a429b1952e6e9616f498a9bde68c91

N3ww4v3

+ 2 additional samples on MalwareBazaar

Result

Malware family:

mimic

Score:

10/10

Tags:

family:mimic

Link:

https://tria.ge/reports/240522-l7xydsbe8s/

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/ec89734c-7049-4d3c-b954-c8aaf4827ecf

Unpacked files

SH256 hash:

cfbcf827900a5dc36d1d2ba4b4879ce703a429b1952e6e9616f498a9bde68c91

MD5 hash:

68d90c681c9748e8489f3f9fc622301d

SHA1 hash:

931ebcaec96692ba2054379a489a4af0451bf630

Detections:

Detect_Mimic_Ransomware

INDICATOR_SUSPICIOUS_ClearWinLogs

INDICATOR_SUSPICIOUS_GENRansomware

INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM

INDICATOR_SUSPICIOUS_USNDeleteJournal

Link:

https://www.unpac.me/results/74e7c1e1-dd99-4ea8-b2be-3e045ecfed02/

Parent samples :

cfbcf827900a5dc36d1d2ba4b4879ce703a429b1952e6e9616f498a9bde68c91
1280eee88bc188622bceadd8a427c5f5e242ddfd175c378b3d828e5e7a0d66ca

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/cfbcf827900a5dc36d1d2ba4b4879ce703a429b1952e6e9616f498a9bde68c91

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	APT_Sandworm_ArguePatch_Apr_2022_1 Create hunting rule
Author:	Arkbird_SOLG
Description:	Detect ArguePatch loader used by Sandworm group for load CaddyWiper
Reference:	https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/

Rule name:	BLOWFISH_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for Blowfish constants

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__MemoryWorkingSet Create hunting rule
Author:	Fernando Mercês
Description:	Anti-debug process memory working set size check
Reference:	http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Detect_Mimic_Ransomware Create hunting rule
Author:	@MalGamy12
Description:	Detect_Mimic_Ransomware

Rule name:	EXE_Ransomware_Mimic Create hunting rule
Author:	Yashraj Solanki - Cyber Threat Intelligence Analyst at Bridewell
Description:	Detects Mimic ransomware samples based on the strings matched

Rule name:	INDICATOR_SUSPICIOUS_ClearWinLogs Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing commands for clearing Windows Event Logs

Rule name:	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM Create hunting rule
Author:	ditekSHen
Description:	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Rule name:	INDICATOR_SUSPICIOUS_GENRansomware Create hunting rule
Author:	ditekSHen
Description:	Detects command variations typically used by ransomware

Rule name:	INDICATOR_SUSPICIOUS_USNDeleteJournal Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing anti-forensic artifacts of deleting USN change journal. Observed in ransomware

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	maldoc_getEIP_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	SHA512_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA384/SHA512 constants

Rule name:	WHIRLPOOL_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for WhirlPool constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_TRUST_INFO	Requires Elevated Execution (uiAccess:None)	high

Reviews

ID	Capabilities	Evidence
AUTH_API	Manipulates User Authorization	ADVAPI32.dll::ConvertSidToStringSidW ADVAPI32.dll::ConvertStringSecurityDescriptorToSecurityDescriptorW ADVAPI32.dll::CreateWellKnownSid ADVAPI32.dll::EqualSid ADVAPI32.dll::SetSecurityInfo ADVAPI32.dll::RevertToSelf
COM_BASE_API	Can Download & Execute components	ole32.dll::CoCreateInstance ole32.dll::CoInitializeSecurity
NET_SHARE_API	Can access Network Share	NETAPI32.dll::NetShareEnum
SECURITY_BASE_API	Uses Security Base API	ADVAPI32.dll::AdjustTokenPrivileges ADVAPI32.dll::DuplicateTokenEx ADVAPI32.dll::GetSecurityDescriptorDacl ADVAPI32.dll::GetTokenInformation
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CreateRemoteThread KERNEL32.dll::CreateProcessW KERNEL32.dll::OpenProcess ADVAPI32.dll::OpenProcessToken ADVAPI32.dll::OpenThreadToken ADVAPI32.dll::SetThreadToken
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::FindFirstVolumeW KERNEL32.dll::FindNextVolumeW KERNEL32.dll::LoadLibraryW KERNEL32.dll::LoadLibraryA KERNEL32.dll::LoadLibraryExW
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::AllocConsole KERNEL32.dll::WriteConsoleW KERNEL32.dll::ReadConsoleW KERNEL32.dll::ReadConsoleA KERNEL32.dll::SetConsoleCP KERNEL32.dll::SetConsoleCtrlHandler
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CopyFileW KERNEL32.dll::CreateDirectoryW KERNEL32.dll::CreateFileMappingW KERNEL32.dll::CreateFileMappingA KERNEL32.dll::CreateFileW KERNEL32.dll::DeleteFileW
WIN_BASE_USER_API	Retrieves Account Information	ADVAPI32.dll::GetUserNameW ADVAPI32.dll::LookupAccountSidW ADVAPI32.dll::LookupPrivilegeNameW ADVAPI32.dll::LookupPrivilegeValueW KERNEL32.dll::QueryDosDeviceW
WIN_BCRYPT_API	Can Encrypt Files	bcrypt.dll::BCryptGenRandom
WIN_CRYPT_API	Uses Windows Crypt API	CRYPT32.dll::CertDuplicateCertificateContext CRYPT32.dll::CertEnumCertificatesInStore CRYPT32.dll::CertFindCertificateInStore CRYPT32.dll::CertFreeCertificateContext CRYPT32.dll::CertGetCertificateContextProperty CRYPT32.dll::CertOpenStore
WIN_NETWORK_API	Supports Windows Networking	MPR.dll::WNetEnumResourceW MPR.dll::WNetOpenEnumW
WIN_REG_API	Can Manipulate Windows Registry	ADVAPI32.dll::RegCreateKeyExW ADVAPI32.dll::RegGetValueW ADVAPI32.dll::RegSetValueExW
WIN_SOCK_API	Uses Network to send and receive data	WS2_32.dll::WSAAddressToStringW WS2_32.dll::WSAIoctl WS2_32.dll::WSASocketW
WIN_SVC_API	Can Manipulate Windows Services	ADVAPI32.dll::ChangeServiceConfigW ADVAPI32.dll::ControlService ADVAPI32.dll::EnumDependentServicesW ADVAPI32.dll::OpenSCManagerW ADVAPI32.dll::OpenServiceW ADVAPI32.dll::QueryServiceStatusEx
WIN_USER_API	Performs GUI Actions	USER32.dll::PeekMessageW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample