MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d0c1200f4a5094c371836004c9c4456ca1b243e0cdde1d1331434c98e0364f71. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Kimsuky

Vendor detections: 7

SHA256 hash: d0c1200f4a5094c371836004c9c4456ca1b243e0cdde1d1331434c98e0364f71
SHA3-384 hash: 025726cebbb84527c5a511b95929f8577b5572c5fed38ef7814e56cae2081a917331df690a8417608d1b68c1f7d58013
SHA1 hash: 86f0c217a6ce589e5e1de70c94a10969b7d3dee6
MD5 hash: 1edbddc61ca01b001d6d4dda74077cc3
humanhash: kitten-potato-pasta-foxtrot
File name: d0c1200f4a5094c371836004c9c4456ca1b243e0cdde1d1331434c98e0364f71
Signature: Kimsuky
File size: 588'800 bytes
First seen: 2022-03-18 09:50:08 UTC
Last seen: Never
File type: dll
MIME type: application/x-dosexec
imphash: 267bf2cec676a85dd54a4c64fe8bd073 (1 x Kimsuky)
ssdeep: 12288:wK/LgZqs7D1uxadDwUQUjsXKYGY5lkff7xsVMNceaZ6ltTm:7/L8dZ2aVwUQUWKjY5lkff7xsVMcR+
Threatray: 6'258 similar samples on MalwareBazaar
TLSH: T12CC423C1AFFCA8A5E1668771851AD89CFE742402FF58C046FBDAB8A0DD52E11F89D311
Reporter: JAMESWT_WT
Tags: dll Kimsuky

Intelligence

File Origin
# of uploads: 1
# of downloads: 147
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Clean
Maliciousness:

Behaviour
Sending a custom TCP request
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: anti-debug packed winnti

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to inject code into remote processes
Detected VMProtect packer
DLL side loading technique detected
Hides threads from debuggers
Injects a PE file into a foreign processes
Injects files into Windows application
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sample is protected by VMProtect
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Call by Ordinal
Sigma detected: Suspicious Svchost Process
System process connects to network (likely due to code injection or exploit)
Tries to evade analysis by execution special instruction (VM detection)
Very long command line found
Writes to foreign memory regions
Behaviour
Behavior Graph (ID 592307; sample 8LPrqqXL2u; start date 18/03/2022; architecture WINDOWS; score 100). The rendered graph is not reproduced here; the information recoverable from it:
Network: us43784.org (27.255.79.232, port 443, EHOSTIDC-AS-KREHOSTICTKR Korea Republic of), contacted by rundll32.exe, iexplore.exe and svchost.exe; 192.168.2.1 and 8 other IPs or domains
Processes: loaddll32.exe and rundll32.exe start further rundll32.exe, cmd.exe, iexplore.exe and svchost.exe instances; cmd.exe runs taskkill.exe (with conhost.exe)
Dropped files (by rundll32.exe): C:\Users\user\AppData\Local\...\scecli.dll (PE32); C:\Users\user\...\scecli.dll:Zone.Identifier (ASCII)
Signatures on graph nodes: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Antivirus detection for dropped file; 10 other signatures; Obfuscated command line found; Very long command line found; Tries to evade analysis by execution special instruction (VM detection); Hides threads from debuggers; Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes; Contains functionality to inject code into remote processes; Injects files into Windows application; System process connects to network (likely due to code injection or exploit); DLL side loading technique detected
Threat name: Win32.Spyware.Xegumumune
Status: Malicious
First seen: 2022-03-15 19:06:35 UTC
File Type: PE (Dll)
Extracted files: 1
AV detection: 21 of 27 (77.78%)
Threat level: 2/5

Result
Malware family: n/a
Score: 8/10
Tags: persistence spyware stealer vmprotect
Behaviour
Enumerates processes with tasklist
Gathers network information
Gathers system information
Kills process with taskkill
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
VMProtect packed file
Unpacked files
SHA256 hash: df721232f121cc037a1fd11b5a2b4a9c5f8b381a8e57fb7db488782e9178d496
MD5 hash: a97bf72a553344293228e02bacddb7b9
SHA1 hash: f66144c3b0b0cea8611a2c00b4349a345a710d59

SHA256 hash: 61b24c255b018acb25f17f1bd55634dd89c33f826293c0afb4d195c129cde663
MD5 hash: 465379852a69db0fb8b22b7073de0a93
SHA1 hash: d3bfc20fa308afeb9ac53df988b6ef9b99efdf40

SHA256 hash: d0c1200f4a5094c371836004c9c4456ca1b243e0cdde1d1331434c98e0364f71
MD5 hash: 1edbddc61ca01b001d6d4dda74077cc3
SHA1 hash: 86f0c217a6ce589e5e1de70c94a10969b7d3dee6
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar and against any suspicious process dumps they create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: INDICATOR_EXE_Packed_VMProtect
Author: ditekSHen
Description: Detects executables packed with VMProtect.

Rule name: Winnti_NlaifSvc
Author: Florian Roth
Description: Winnti sample - file NlaifSvc.dll
Reference: https://goo.gl/VbvJtL

Rule name: Winnti_NlaifSvc_RID2CFF
Author: Florian Roth
Description: Winnti sample - file NlaifSvc.dll
Reference: https://goo.gl/VbvJtL

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments