MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cfeca443205d577304ec09ae494c96556eb60d80bd9be772ffaeac389043bd92. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 4


Intelligence 4 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cfeca443205d577304ec09ae494c96556eb60d80bd9be772ffaeac389043bd92
SHA3-384 hash: b538e9d998989e38e40852016ed9b8c2c77f2e1d75de888234d30996fc953d1b5196cebc4c9dcbc7ee32e42ea1d3fac0
SHA1 hash: 19debe75d09c3be6d215e9c097f062df0fd0cbd1
MD5 hash: c7fcb7f85b5f0ff3d85dd14844ccbfbb
humanhash: nitrogen-michigan-undress-echo
File name:5ed127f78e7f0de84a49af78be57f944
Download: download sample
File size:405'868 bytes
First seen:2020-11-17 12:44:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 890e522b31701e079a367b89393329e6 (25 x Formbook, 12 x AgentTesla, 8 x Loda)
ssdeep 12288:46Wq4aaE6KwyF5L0Y2D1PqL0VtQcrhPHoP:OthEVaPqLK4
Threatray 202 similar samples on MalwareBazaar
TLSH CD8401D1F38CAD84E62026F200CE29B2C3696F766320933B601565E7A9AD1E3557F71F
Reporter seifreed

Intelligence

File Origin
# of uploads :
1
# of downloads :
49
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.Upolyx-12
Create hunting rule

PUA.Win.Packer.Upx-4
Create hunting rule

SecuriteInfo.com.PSW.Banker6.BTQY.1690.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file in the Windows directory
Enabling the 'hidden' option for recently created files
Deleting a system file
Creating a file in the Windows subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Changing the Windows explorer settings to hide files extension
Launching the process to create tasks for the scheduler
Enabling a "Do not show hidden files" option
Result
Verdict:
0
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cfeca443205d577304ec09ae494c96556eb60d80bd9be772ffaeac389043bd92/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-11-17 12:50:29 UTC
AV detection:
26 of 48 (54.17%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0c958322a92b7ba746b44613adccedc2b0a246095f15a71f50fc8f5423909350
38e5fde6988bbf02467d7b59ba15a3dfbdaedfab4804c60cf3ae44db6b48a844
63e969ed05409bdcf1992ef0ad0fb143d76e808379a2070a372f77b490c83770
6c5e170ec02d30c57a8bbceb8533eb73efd7b46f8ae1cd6e552fa6a5656afb36
6ffadd114c7180e8dbbac5751036b4962884662dc5495b6f9988d9c48d26949c
8a72a55d126b69bda2f37fd88050aeed02d97733f6777759b542db8a442435bc
9129967bfcf44c87ec6eb83a30f5500a5e453c76281b7ec3b0c1caa778377e08
aff4652e2ee285a5ad71717a36e215c1eb59787d74e73a763701b0a5f68751a7
b24cb4cd3db305d5451cb3c0d0e60fe578b1fd38aca4be6032fb0ce2f0b786b4
f49e7d90e44091331a7858ff19947ab40d062a2e32bbff120b863c67118e0d83
+ 192 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence upx
Link:
https://tria.ge/reports/201117-ny1zych5se/
Behaviour
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Enumerates connected drives
Loads dropped DLL
Executes dropped EXE
UPX packed file
Modifies visibility of file extensions in Explorer
Modifies visiblity of hidden/system files in Explorer
Unpacked files
SH256 hash:
cfeca443205d577304ec09ae494c96556eb60d80bd9be772ffaeac389043bd92
MD5 hash:
c7fcb7f85b5f0ff3d85dd14844ccbfbb
SHA1 hash:
19debe75d09c3be6d215e9c097f062df0fd0cbd1
Link:
https://www.unpac.me/results/1acf7b9a-0046-463b-ae8c-b67af09235a1/
SH256 hash:
2e7eba478f5ebcc252fc087ed6acd0adc53e561836ddb279a6eca6aa4ae2a5bd
MD5 hash:
52b511f0c75f6b83f490a1c7813db6f5
SHA1 hash:
a01e63c697e85f2ce7ab8ccfe91d69cbe09b4b53
Link:
https://www.unpac.me/results/1acf7b9a-0046-463b-ae8c-b67af09235a1/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments