MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d06d7b5c4613a3d9fa020854878558325da6fd932f74b8268360d4838286d43c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d06d7b5c4613a3d9fa020854878558325da6fd932f74b8268360d4838286d43c
SHA3-384 hash: 51bfe5705772254adea43d65e186b75596e8e8825bbc69284c366c8d6f598bd22af1ff25ea20bc5b7f2dcb67a090a21b
SHA1 hash: f56b208dccc32ca59b45787969a30415936b914f
MD5 hash: a48e10fd041fc0b4cb3821bb7a53b80a
humanhash: quebec-social-friend-hamper
File name:SecuriteInfo.com.widgetinfecté.Gen.Variant.Bulz.313019.14505.28122
Download: download sample
File size:3'712'539 bytes
First seen:2021-01-23 13:56:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 81be19b89ecddb8d6e738108e9610011
ssdeep 98304:Ml843CtjyrdguKdonlmGEyhvHd66hcSRoxPuPolH:MW4KjK2jKlmGrHfcEoFCcH
Threatray 10 similar samples on MalwareBazaar
TLSH F4063311B0F1D673C040A2F24485CFB15E3A3C721B6B06EB9BC86F7D9F685D19A2A356
Reporter SecuriteInfoCom

Intelligence

File Origin
# of uploads :
1
# of downloads :
228
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.widgetinfecté.Gen.Variant.Bulz.313019.14505.28122
Verdict:
Malicious activity
Analysis date:
2021-01-23 13:57:00 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/28219bbe-67da-433e-bf38-667bc06e22e1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/113628/
Detection(s):
SecuriteInfo.com.widgetinfect.Gen.Variant.Bulz.313019.14505.28122.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Searching for the window
Running batch commands
Launching cmd.exe command interpreter
Launching a process
Using the Windows Management Instrumentation requests
Creating a process with a hidden window
Deleting a recently created file
Possible injection to a system process
Creating a process from a recently created file
Creating a file in the %temp% subdirectories
Creating a file in the %temp% directory
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/588869
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Creates files in alternative data streams (ADS)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops PE files with benign system names
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Queries sensitive service information (via WMI, MSSMBios_RawSMBiosTables, often done to detect sandboxes)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Renames wscript.exe to bypass HIPS
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Suspicious Csc.exe Source File Folder
Uses ipconfig to lookup or modify the Windows network settings
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 343455 Sample: SecuriteInfo.com.widgetinfe... Startdate: 23/01/2021 Architecture: WINDOWS Score: 100 73 Antivirus detection for dropped file 2->73 75 Antivirus / Scanner detection for submitted sample 2->75 77 Multi AV Scanner detection for dropped file 2->77 79 6 other signatures 2->79 10 SecuriteInfo.com.widgetinfect#U00e9.Gen.Variant.Bulz.313019.14505.exe 12 2->10         started        14 explorer.exe 1 2->14         started        process3 file4 67 C:\Users\user\AppData\...\events.dll:widget, PE32+ 10->67 dropped 69 C:\Users\user\AppData\Local\...\events.dll, PE32+ 10->69 dropped 91 Detected unpacking (changes PE section rights) 10->91 93 Detected unpacking (overwrites its own PE header) 10->93 95 Creates files in alternative data streams (ADS) 10->95 16 cmd.exe 1 10->16         started        97 Queries sensitive service information (via WMI, MSSMBios_RawSMBiosTables, often done to detect sandboxes) 14->97 18 powershell.exe 45 14->18         started        signatures5 process6 file7 22 cmd.exe 1 16->22         started        24 conhost.exe 1 16->24         started        57 C:\Windows\Branding\mediasvc.png, PE32+ 18->57 dropped 59 C:\Windows\Branding\mediasrv.png, PE32+ 18->59 dropped 61 C:\Users\user\AppData\...\bg42uffr.cmdline, UTF-8 18->61 dropped 81 Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes) 18->81 83 Powershell drops PE file 18->83 26 csc.exe 18->26         started        29 powershell.exe 18->29         started        31 powershell.exe 18->31         started        33 2 other processes 18->33 signatures8 process9 file10 35 cmd.exe 1 22->35         started        37 conhost.exe 22->37         started        39 ipconfig.exe 1 22->39         started        49 3 other processes 22->49 71 C:\Users\user\AppData\Local\...\bg42uffr.dll, PE32 26->71 dropped 41 cvtres.exe 26->41         started        43 conhost.exe 29->43         started        45 conhost.exe 31->45         started        47 conhost.exe 33->47         started        process11 process12 51 rundll32.exe 35->51         started        process13 53 rundll32.exe 5 51->53         started        file14 63 C:\Users\user\AppData\Local\...\explorer.exe, PE32+ 53->63 dropped 65 C:\Users\user\AppData\Local\Temp\ready.ps1, ASCII 53->65 dropped 85 Renames wscript.exe to bypass HIPS 53->85 87 Creates processes via WMI 53->87 89 Drops PE files with benign system names 53->89 signatures15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d06d7b5c4613a3d9fa020854878558325da6fd932f74b8268360d4838286d43c/
Threat name:
Win32.Trojan.Ymacco
Create hunting rule
Status:
Malicious
First seen:
2021-01-23 12:49:49 UTC
AV detection:
19 of 29 (65.52%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0f12408c06ccf60608a60572d521bbc8012e6ce7e0d701781a0a33e0e1fd1519
10892007582c3c09a01a4de7ac9e2ca434704396e5cc899f26c9f83a626da2b5
1ac9d42a596c55757b4f37e6291887149a6070bfedb4e27a86cf3cff4d76f2a2
261603776412fc9028feb04ba71a42c5d6bd99c0e4fbb4610d19e6d649dba700
2c8ea0f991d74146f056e4ed453e92ad1798daf2878f5520f54cf3d70d607613
32031ca4487b08af41a597da7d22c05a3d4f676c33119c057f3f4a1431217887
44c7ef261a066790a4ce332afc634fb5f89f3273c0c908ec02ab666088b27757
86ad2f1c3994571711633da05a40d2b68496ab2e5c86a4acce0be7f1957e7a1a
c2d9409c2209201334bd83a2e1257be8adc7506019a721abe359249dbd74eced
fc1b36e39f87cff2c9076a7e8316af297255a92824338b19b69022b47a47daa6
Result
Malware family:
n/a
Score:
  8/10
Tags:
ransomware upx
Link:
https://tria.ge/reports/210123-g15c2nkd32/
Behaviour
Delays execution with timeout.exe
Gathers network information
NTFS ADS
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Loads dropped DLL
Executes dropped EXE
UPX packed file
Unpacked files
SH256 hash:
4aadcb7664d02ccc43cc12f80c4e6d68ef25670c02cde5a5c3f61cf929c43102
MD5 hash:
a91b3b3b7c48536ed1537884e3e8674f
SHA1 hash:
29daf8e47ccf1cfd0b0a126ceaea842019a55d57
Link:
https://www.unpac.me/results/9fabbadb-c6d9-4d4b-ae8b-0eb0ca273fbf/
SH256 hash:
d06d7b5c4613a3d9fa020854878558325da6fd932f74b8268360d4838286d43c
MD5 hash:
a48e10fd041fc0b4cb3821bb7a53b80a
SHA1 hash:
f56b208dccc32ca59b45787969a30415936b914f
Link:
https://www.unpac.me/results/9fabbadb-c6d9-4d4b-ae8b-0eb0ca273fbf/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d06d7b5c4613a3d9fa020854878558325da6fd932f74b8268360d4838286d43c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe d06d7b5c4613a3d9fa020854878558325da6fd932f74b8268360d4838286d43c

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/113628/
  
URLhaus
https://urlhaus.abuse.ch/url/975095/
  
Delivery method
Distributed via web download

Comments