MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d6d2e00343a3cad48cc2f4799ce87d27acc3ce154aed286c07f226de2e9c4035. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments 1
Add tag Delete this sample Report a False Positive

SHA256 hash: d6d2e00343a3cad48cc2f4799ce87d27acc3ce154aed286c07f226de2e9c4035
SHA3-384 hash: a1e5f045244da62463a4785572821de62b9b432ed4eebfb561fec6efa6aac7f932ec06062791b7a150d8515e073abceb
SHA1 hash: 72f5ca06d840acbc9b49e4096e341c0dbaac891e
MD5 hash: 29389832e538957dc769cf709f80144a
humanhash: bluebird-victor-grey-skylark
File name:SecuriteInfo.com.Trojan.Siggen12.33370.30028.25368
Download: download sample
Signature n/a
File size:4'255'416 bytes
First seen:2021-04-12 10:57:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3a057d8e2436bad9e0ae8c20a8d4d334
ssdeep 98304:EoT9sIWSFT79YBDTzRHjEREGL1d2YuVNR:RCIW6790vlHjEREGLK3bR
Threatray 16 similar samples on MalwareBazaar
TLSH 21169FB3077D26B0C09099FB4B5F2184B441FDE922CEB4B6BA4A7C588375F5D428AD63
Reporter @SecuriteInfoCom

Intelligence

File Origin
# of uploads :
1
# of downloads :
92
Origin country :
FR FR
Mail intelligence
No data
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Trojan.Siggen12.33370.30028.25368
Verdict:
Malicious activity
Analysis date:
2021-04-12 11:01:11 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/79263a6e-3100-411e-85eb-2a4e05aecf94

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/133728/
Detection(s):
SecuriteInfo.com.Trojan.Siggen12.33370.30028.25368.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Deleting a recently created file
Creating a file in the Windows subdirectories
Creating a file
Changing a file
Moving a recently created file
Replacing files
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Unauthorized injection to a recently created process
Creating a file in the %AppData% directory
Using the Windows Management Instrumentation requests
Searching for the window
Sending a UDP request
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
DNS request
Creating a window
Adding a root certificate
Creating a process from a recently created file
Running batch commands
Stealing user critical data
Unauthorized injection to a recently created process by context flags manipulation
Launching a tool to kill processes
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
bank.troj.spyw.evad
Score:
93 / 100
Link:
https://www.joesandbox.com/analysis/672913
Signature
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to detect sleep reduction / modifications
Contains functionality to infect the boot sector
Detected unpacking (creates a PE file in dynamic memory)
Hides threads from debuggers
Installs new ROOT certificates
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Registers a new ROOT certificate
Tries to harvest and steal browser information (history, passwords, etc)
Tries to resolve many domain names, but no domain seems valid
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 385405 Sample: SecuriteInfo.com.Trojan.Sig... Startdate: 12/04/2021 Architecture: WINDOWS Score: 93 110 Malicious sample detected (through community Yara rule) 2->110 112 Multi AV Scanner detection for submitted file 2->112 114 Machine Learning detection for sample 2->114 116 2 other signatures 2->116 8 SecuriteInfo.com.Trojan.Siggen12.33370.30028.exe 1 3 2->8         started        13 msiexec.exe 2->13         started        process3 dnsIp4 72 c431a802ff4a46b5.com 8->72 74 bdc347c728b2d94d.com 8->74 76 5 other IPs or domains 8->76 68 C:\Users\user\...\26FF190E7AE0F7C7.exe, PE32 8->68 dropped 70 C:\...\26FF190E7AE0F7C7.exe:Zone.Identifier, ASCII 8->70 dropped 118 Detected unpacking (creates a PE file in dynamic memory) 8->118 120 Installs new ROOT certificates 8->120 122 Contains functionality to infect the boot sector 8->122 124 4 other signatures 8->124 15 26FF190E7AE0F7C7.exe 26 8->15         started        20 26FF190E7AE0F7C7.exe 1 15 8->20         started        22 cmd.exe 1 8->22         started        24 msiexec.exe 4 8->24         started        file5 signatures6 process7 dnsIp8 80 c431a802ff4a46b5.com 15->80 82 bdc347c728b2d94d.com 15->82 90 11 other IPs or domains 15->90 54 C:\Users\user\AppData\...\1618257864703.exe, PE32 15->54 dropped 56 C:\Users\user\AppData\Local\Temp\xldl.dll, PE32 15->56 dropped 58 C:\Users\user\AppData\Local\...\zlib1.dll, PE32 15->58 dropped 66 7 other files (none is malicious) 15->66 dropped 94 Multi AV Scanner detection for dropped file 15->94 96 Machine Learning detection for dropped file 15->96 98 Contains functionality to infect the boot sector 15->98 100 Contains functionality to detect sleep reduction / modifications 15->100 26 cmd.exe 15->26         started        29 1618257864703.exe 2 15->29         started        32 ThunderFW.exe 1 15->32         started        84 c431a802ff4a46b5.com 20->84 86 bdc347c728b2d94d.com 20->86 92 5 other IPs or domains 20->92 60 C:\Users\user\AppData\...\Secure Preferences, UTF-8 20->60 dropped 62 C:\Users\user\AppData\Local\...\Preferences, ASCII 20->62 dropped 102 Tries to harvest and steal browser information (history, passwords, etc) 20->102 34 cmd.exe 1 20->34         started        36 cmd.exe 1 20->36         started        88 127.0.0.1 unknown unknown 22->88 104 Uses ping.exe to sleep 22->104 106 Uses ping.exe to check the status of other devices and networks 22->106 38 conhost.exe 22->38         started        40 PING.EXE 1 22->40         started        64 C:\Users\user\AppData\Local\...\MSI429C.tmp, PE32 24->64 dropped file9 108 Tries to resolve many domain names, but no domain seems valid 82->108 signatures10 process11 dnsIp12 42 conhost.exe 26->42         started        44 PING.EXE 26->44         started        78 192.168.2.1 unknown unknown 29->78 126 Uses ping.exe to sleep 34->126 46 conhost.exe 34->46         started        48 PING.EXE 1 34->48         started        50 taskkill.exe 1 36->50         started        52 conhost.exe 36->52         started        signatures13 process14
Detection:
n/a
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d6d2e00343a3cad48cc2f4799ce87d27acc3ce154aed286c07f226de2e9c4035/
Threat name:
Win32.Trojan.Vigorf
Create hunting rule
Status:
Malicious
First seen:
2021-03-10 04:05:16 UTC
AV detection:
31 of 48 (64.58%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
2870f899f2e9ec540da321f603cfb1a735dcd06df016718e663dc78fefdf5e0a
344b323928698d9982c7577e5405a1cb587c45f94a0f6745827648381397f255
3bd0eb640c37fb31423b560aeb5bf4f9f6117cb60c2a9e4509b7a0db80e0a092
6a9b454b620677ea11f4f69156969468b0f43ebdfe27dabfb0cf16572f9379eb
6d2db66a98ec5730bdcbc41dc7c78210fe24fe48bf7e44b59ab01c2084900456
772062075a6ce77768bd462428eb6554ccaefec146f2f79cf22032614364d800
a546a1f257585e2f4c093db2b7eeb6413a314ffb1296d97fd31d0363e827cc65
a8fefe8e1f92a30d1cdd4e2e2afaacf08a02c8961f496ee16e89062417ec5f28
cecdc8bd4344647b2182696cf04e1db4fbb29aee6b46811999008901910b5c19
e2b766a5e694e0fd5756ef168bbd5b436f1baba2e8b74c356dbd6f0e63184bdd
+ 6 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
bootkit evasion macro persistence spyware stealer trojan xlm
Link:
https://tria.ge/reports/210412-18rncq2e5j/
Behaviour
Checks SCSI registry key(s)
Kills process with taskkill
Modifies system certificate store
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Enumerates connected drives
Writes to the Master Boot Record (MBR)
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Suspicious Office macro
Nirsoft
Unpacked files
SH256 hash:
809aab5eace34dfbfb2b3d45462d42b34fcb95b415201d0d625414b56e437444
MD5 hash:
84878b1a26f8544bda4e069320ad8e7d
SHA1 hash:
51c6ee244f5f2fa35b563bffb91e37da848a759c
Link:
https://www.unpac.me/results/caf88fc8-edc7-43d1-a4ea-82d181869142/
SH256 hash:
b00af7b84651725bc4b2ac9a05f78a1913869d09563b20f56fb1536dbeef35d8
MD5 hash:
4f01d45a598ba53a2820bff6ff8e16be
SHA1 hash:
08c72e664d1594a9bc02417e2a01c61b0b876397
Link:
https://www.unpac.me/results/caf88fc8-edc7-43d1-a4ea-82d181869142/
SH256 hash:
c0dda4bbf2986f7b4e39a41a44b04217d823275695c18db47f50f841aeadb6c5
MD5 hash:
db9efb5b07b51da66b17cc0e36447ffd
SHA1 hash:
2808c7e9bcdd67128570c7d8a5d59eecb7637cda
Detections:
win_9002_g0
Create hunting rule
Link:
https://www.unpac.me/results/caf88fc8-edc7-43d1-a4ea-82d181869142/
Parent samples :
7a79f0c95e891b939e275fa19e641b676f2eb70471945fb3b15d6a649cafe071
a8fefe8e1f92a30d1cdd4e2e2afaacf08a02c8961f496ee16e89062417ec5f28
6d2db66a98ec5730bdcbc41dc7c78210fe24fe48bf7e44b59ab01c2084900456
2870f899f2e9ec540da321f603cfb1a735dcd06df016718e663dc78fefdf5e0a
344b323928698d9982c7577e5405a1cb587c45f94a0f6745827648381397f255
5fa60303a0c4fd13ecd69e7c1a17788b72605473c2fb3f93eb758010326c76e5
cecdc8bd4344647b2182696cf04e1db4fbb29aee6b46811999008901910b5c19
6a9b454b620677ea11f4f69156969468b0f43ebdfe27dabfb0cf16572f9379eb
d6d2e00343a3cad48cc2f4799ce87d27acc3ce154aed286c07f226de2e9c4035
SH256 hash:
a68e1297fae2bcf854b47ffa444f490353028de1fa2ca713b6cf6cc5aa22b88a
MD5 hash:
79cb6457c81ada9eb7f2087ce799aaa7
SHA1 hash:
322ddde439d9254182f5945be8d97e9d897561ae
Link:
https://www.unpac.me/results/caf88fc8-edc7-43d1-a4ea-82d181869142/
SH256 hash:
bd29d2b1f930e4b660adf71606d1b9634188b7160a704a8d140cadafb46e1e56
MD5 hash:
89f6488524eaa3e5a66c5f34f3b92405
SHA1 hash:
330f9f6da03ae96dfa77dd92aae9a294ead9c7f7
Link:
https://www.unpac.me/results/caf88fc8-edc7-43d1-a4ea-82d181869142/
SH256 hash:
c4d4339df314a27ff75a38967b7569d9962337b8d4cd4b0db3aba5ff72b2bfbb
MD5 hash:
ca2f560921b7b8be1cf555a5a18d54c3
SHA1 hash:
432dbcf54b6f1142058b413a9d52668a2bde011d
Link:
https://www.unpac.me/results/caf88fc8-edc7-43d1-a4ea-82d181869142/
SH256 hash:
c5546c63e9f72c415143ac85cf32bf48eb9ff8269465282c792f2b17cad59a65
MD5 hash:
3b01e45b211d498bd3745b5e63fd1776
SHA1 hash:
8d80d01e54a1161f04d007b6f6ee36d22450f8b4
Link:
https://www.unpac.me/results/caf88fc8-edc7-43d1-a4ea-82d181869142/
SH256 hash:
66b2acfb5c526c869a68649d96eb90495226a0c46855a0296f74ce1dae8e966e
MD5 hash:
1e14873c6f50d5094f5aa6f4a3a8e9a1
SHA1 hash:
91a91dea091e3f0ac7ce61cd0cfa1ced98da0846
Link:
https://www.unpac.me/results/caf88fc8-edc7-43d1-a4ea-82d181869142/
SH256 hash:
6c483cbe349863c7dcf6f8cb7334e7d28c299e7d5aa063297ea2f62352f6bdd9
MD5 hash:
a94dc60a90efd7a35c36d971e3ee7470
SHA1 hash:
f936f612bc779e4ba067f77514b68c329180a380
Link:
https://www.unpac.me/results/caf88fc8-edc7-43d1-a4ea-82d181869142/
SH256 hash:
55830708fff87877f0a0a901342dbac35842fb6481dffb8e7d7e74de80792c5a
MD5 hash:
7545bd5623e363791d1b039b2123b5b8
SHA1 hash:
fcd1d9889113fe0c86a5b8c60bce90261e0d0936
Link:
https://www.unpac.me/results/caf88fc8-edc7-43d1-a4ea-82d181869142/
SH256 hash:
ea252bdcf744330bf1bb326d474d1fec231f6446d1de07f8fe19c797eb3429e8
MD5 hash:
d24dec47b02d74ab3d51f8a3273256b6
SHA1 hash:
415abf30889b6df200f24008605c4da9fffccd1a
Link:
https://www.unpac.me/results/caf88fc8-edc7-43d1-a4ea-82d181869142/
SH256 hash:
e7c02d9f66bbc38625f659ff3fbed32a125b402d8196621d08637f57a8f33b05
MD5 hash:
7f666437306af8caf8ed85facdbace59
SHA1 hash:
86bcd4d34996e8b5f79cb9bb3b04c668b8c37817
Link:
https://www.unpac.me/results/caf88fc8-edc7-43d1-a4ea-82d181869142/
SH256 hash:
d6d2e00343a3cad48cc2f4799ce87d27acc3ce154aed286c07f226de2e9c4035
MD5 hash:
29389832e538957dc769cf709f80144a
SHA1 hash:
72f5ca06d840acbc9b49e4096e341c0dbaac891e
Link:
https://www.unpac.me/results/caf88fc8-edc7-43d1-a4ea-82d181869142/
AV coverage:
75.36%
AV detections:
52 / 69
Link:
https://www.virustotal.com/gui/file/d6d2e00343a3cad48cc2f4799ce87d27acc3ce154aed286c07f226de2e9c4035/detection/f-d6d2e00343a3cad48cc2f4799ce87d27acc3ce154aed286c07f226de2e9c4035-1618218675
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d6d2e00343a3cad48cc2f4799ce87d27acc3ce154aed286c07f226de2e9c4035

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe d6d2e00343a3cad48cc2f4799ce87d27acc3ce154aed286c07f226de2e9c4035

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1107188/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/133728/

Comments


Avatar
Karlo Licudine commented on 2021-04-14 15:16:05 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0009.029] Anti-Behavioral Analysis::Instruction Testing
1) [C0052] File System Micro-objective::Writes File
2) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
3) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
4) [C0036.001] Operating System Micro-objective::Set Registry Key::Registry
5) [C0041] Process Micro-objective::Set Thread Local Storage Value