MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d0fddb170841c5252e6017afa8bce5e1abb61b8c0bf717744f9aa382dcdedad3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d0fddb170841c5252e6017afa8bce5e1abb61b8c0bf717744f9aa382dcdedad3
SHA3-384 hash: 8607d6ca688f00dc9adf46da5a89dc43db6f5747ba903a063348ab58acef7ab92094668e83b1c47f3794ea47fc59937d
SHA1 hash: 15a435edaee301d3690b0dc24f955e9d050f7976
MD5 hash: e249abdfcc9454c51d4bfdc4cef40d2a
humanhash: fix-undress-beryllium-zulu
File name:SecuriteInfo.com.Trojan.GenericKD.37108638.5946.27649
Download: download sample
File size:1'452'886 bytes
First seen:2021-06-17 01:39:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 650ed02ca4b6baad6b24f20402b6268b (7 x RedLineStealer, 1 x CryptBot, 1 x RemcosRAT)
ssdeep 24576:t5REvpi/pMB3TUTSqmtv23r2bayflYXQnXMEH8j/Weoem1nVK9PXaVqOZYheKpUc:tARi/KB3TUKQbudAQXaZDm9VKo5geKwU
Threatray 261 similar samples on MalwareBazaar
TLSH F365121E36A1B0BAC59F32F1344DC76408956E2F0BC4C9D7639CFF0ADA7C6889A74259
Reporter SecuriteInfoCom
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
99
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Trojan.GenericKD.37108638.5946.27649
Verdict:
Malicious activity
Analysis date:
2021-06-17 01:42:57 UTC
Tags:
autoit trojan
Link:
https://app.any.run/tasks/3256ec3e-bdc6-4741-a9db-87398f7a424a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.37108638.5946.27649.UNOFFICIAL
Create hunting rule

PUA.Win.Downloader.Driverpack-6998194-0
Create hunting rule

PUA.Win.Adware.Generic-7505646-0
Create hunting rule

PUA.Win.File.Generic-7557964-0
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/de847be9-bcd8-43bf-99ff-78544a6c7cd0
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/803428
Signature
Contains functionality to register a low level keyboard hook
Creates processes via WMI
Drops PE files with a suspicious file extension
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sigma detected: Drops script at startup location
Submitted sample is a known malware sample
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 435839 Sample: SecuriteInfo.com.Trojan.Gen... Startdate: 17/06/2021 Architecture: WINDOWS Score: 84 60 Multi AV Scanner detection for submitted file 2->60 62 Sigma detected: Drops script at startup location 2->62 64 Machine Learning detection for sample 2->64 9 SecuriteInfo.com.Trojan.GenericKD.37108638.5946.exe 7 2->9         started        12 wscript.exe 2->12         started        14 YeDhTdZYLd.exe.com 2->14         started        process3 dnsIp4 70 Contains functionality to register a low level keyboard hook 9->70 17 cmd.exe 1 9->17         started        72 Creates processes via WMI 12->72 50 FbgZxnbAfOVE.FbgZxnbAfOVE 14->50 signatures5 process6 signatures7 52 Submitted sample is a known malware sample 17->52 54 Obfuscated command line found 17->54 56 Uses ping.exe to sleep 17->56 58 Uses ping.exe to check the status of other devices and networks 17->58 20 cmd.exe 3 17->20         started        23 conhost.exe 17->23         started        process8 signatures9 66 Obfuscated command line found 20->66 68 Uses ping.exe to sleep 20->68 25 Lume.exe.com 20->25         started        28 PING.EXE 1 20->28         started        31 findstr.exe 1 20->31         started        process10 dnsIp11 74 Drops PE files with a suspicious file extension 25->74 34 Lume.exe.com 7 25->34         started        48 127.0.0.1 unknown unknown 28->48 44 C:\Users\user\AppData\Local\...\Lume.exe.com, Targa 31->44 dropped file12 signatures13 process14 dnsIp15 46 FbgZxnbAfOVE.FbgZxnbAfOVE 34->46 38 C:\Users\user\AppData\...\YeDhTdZYLd.exe.com, PE32 34->38 dropped 40 C:\Users\user\AppData\...\YeDhTdZYLd.url, MS 34->40 dropped 42 C:\Users\user\AppData\Local\...\RegAsm.exe, PE32 34->42 dropped file16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d0fddb170841c5252e6017afa8bce5e1abb61b8c0bf717744f9aa382dcdedad3/
Threat name:
Win32.Trojan.Crypzip
Create hunting rule
Status:
Malicious
First seen:
2021-06-16 01:03:37 UTC
AV detection:
9 of 29 (31.03%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
03110bdd6c0d0f027422de86d47ce39cfb8cae70c04a616cbb8c325c03853ef6
03c770bfc70f92e979e48b46b0604c3254796123e48af7d611017af862321bea
28f48693be094f941f42cf263e6089d9bff7631bebfe3b2082a94dbabf306e01
3c3e0c2b6be336aa939ff9c0c9a040d1ef73ab6126e00f9d97f0995719b80229
9d03f0739a3840f5461af1d6ffa96a34c8a0df1b428b58825d95fe3a43a55d92
9f6eb963b28951006fa6254b74f58b087c4469496c8ab22cf74210510f82c186
a8f08798d07631c972e1d31bd0c696859d060fdce618eb3fc0c214b94038767b
aee541b0f2bfc27b28e779c7ddbe8a251867157844a5581295e3d9018a30a678
e31da697e1f30aca20cb88b09a69ed60bdbba9b3c4da0e67e2654ecb541964f2
f4a40d6bf3a266e83bbeb76bd3c865b8c3e925a16f890d107356c62563de3f33
+ 251 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/210617-j2nj1j974a/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Looks up external IP address via web service
Drops startup file
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
d842fccf9079649e89b63c82b43fd640311b0a1bd2cf0492df180050c050ce32
MD5 hash:
ca3b99b01e064e7eb7072442dbd77501
SHA1 hash:
7a85e695c14ca5327899c406a97d9bd43c57035c
Link:
https://www.unpac.me/results/6e804c75-33db-4208-9697-70626e2eb426/
SH256 hash:
d0fddb170841c5252e6017afa8bce5e1abb61b8c0bf717744f9aa382dcdedad3
MD5 hash:
e249abdfcc9454c51d4bfdc4cef40d2a
SHA1 hash:
15a435edaee301d3690b0dc24f955e9d050f7976
Link:
https://www.unpac.me/results/6e804c75-33db-4208-9697-70626e2eb426/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d0fddb170841c5252e6017afa8bce5e1abb61b8c0bf717744f9aa382dcdedad3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe d0fddb170841c5252e6017afa8bce5e1abb61b8c0bf717744f9aa382dcdedad3

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1104214/
  
Delivery method
Distributed via web download

Comments