MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d6e1c4c9090d58d498162d834efa18bc54e0a25809ba10821fe21f689946f0e5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


KeyBase


Vendor detections: 7


Intelligence 7 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d6e1c4c9090d58d498162d834efa18bc54e0a25809ba10821fe21f689946f0e5
SHA3-384 hash: 5fef407562a9f6dfaba831e94746d359581b7c3d7423f1997bc46723480f703676460dc5a1db49e2bd6f5d5a113c38b2
SHA1 hash: eb9fbd70ba26fad887f18f9d76137a2156341ab7
MD5 hash: 0f9f8a4e9ae47093d35616a97003639f
humanhash: potato-december-kansas-equal
File name:docugatary.exe
Download: download sample
Signature KeyBase
Create hunting rule
File size:1'777'664 bytes
First seen:2020-08-04 09:30:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:iHX8kTEsogPgbpod2P3WLBcBnu5l03rJlJ88tbjYW8jd8gLf+Ahr2Oa9n2O:iHLTogPEA2vWetW21lJhhSygDQB9n
Threatray 466 similar samples on MalwareBazaar
TLSH 1185083B758E4018C87556BD846996C17A5C3E5A3BD18B1E20DA320C4EF3B5BBF32D4A
Reporter abuse_ch
Tags:exe KeyBase


Avatar
abuse_ch
Malspam distributing KeyBase:

HELO: mail.pharmasquare.gr
Sending IP: 5.172.196.35
From: info <info@gateline.gr>
Subject: 05129-DIG19001_ docs URGENT
Attachment: docugatay.7z (contains "docugatary.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
87
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/38412/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %temp% directory
Running batch commands
Launching a process
Creating a file
Creating a process from a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Result
Threat name:
MailPassView
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/408981
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Contains functionality to log keystrokes (.Net Source)
Creates an autostart registry key pointing to binary in C:\Windows
Drops PE files to the user root directory
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Writes to foreign memory regions
Yara detected MailPassView
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 256725 Sample: docugatary.exe Startdate: 04/08/2020 Architecture: WINDOWS Score: 84 48 Malicious sample detected (through community Yara rule) 2->48 50 Yara detected MailPassView 2->50 52 .NET source code contains very large array initializations 2->52 54 Contains functionality to log keystrokes (.Net Source) 2->54 9 docugatary.exe 7 2->9         started        13 pcalua.exe 1 2->13         started        15 pcalua.exe 1 1 2->15         started        process3 file4 36 C:\Users\user\system32.exe, PE32 9->36 dropped 38 C:\Users\user\AppData\...\AddInProcess32.exe, PE32 9->38 dropped 40 C:\Users\user\system32.exe:Zone.Identifier, ASCII 9->40 dropped 60 Drops PE files to the user root directory 9->60 17 system32.exe 2 9->17         started        20 cmd.exe 1 9->20         started        22 system32.exe 3 13->22         started        signatures5 process6 signatures7 42 Writes to foreign memory regions 17->42 44 Allocates memory in foreign processes 17->44 46 Injects a PE file into a foreign processes 17->46 24 AddInProcess32.exe 17->24         started        27 reg.exe 1 1 20->27         started        29 conhost.exe 20->29         started        process8 signatures9 56 Injects a PE file into a foreign processes 24->56 31 AddInProcess32.exe 24->31         started        58 Creates an autostart registry key pointing to binary in C:\Windows 27->58 process10 signatures11 62 Injects a PE file into a foreign processes 31->62 34 AddInProcess32.exe 31->34         started        process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d6e1c4c9090d58d498162d834efa18bc54e0a25809ba10821fe21f689946f0e5/
Threat name:
ByteCode-MSIL.Trojan.Scarsi
Create hunting rule
Status:
Malicious
First seen:
2020-08-04 04:18:58 UTC
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=23q4jsijbvmnjgawfwbu56qyxrkobisybg5bbaq74ipwrgkg6dsq._file
Verdict:
malicious
Label(s):
hawkeyekeylogger
Create hunting rule
emotet
Create hunting rule
Similar samples:
006c01ecec6a14ad6038b988764b9cebc4f75cdccd4ccedc5b962bdd3cc994bd
KeyBase
12f341bc0f65e96848b4dd440afc7f653e883e740adcb677fc4f8b5ba5c38ef2
KeyBase
13c555d2bc29bc384b7c496c0aefadfbe38d7b415e11c43bdbcfdf702062d1f3
KeyBase
2b8072cf7b0c14a4f9c662d66cf5f6a64c7defb73fb6b0fcc9cd5d32ff004101
KeyBase
4aff31bec64048fdf3913ac6ac61d5670cc351a3054500e6dcf25779b1a2e54b
KeyBase
9666c06b6da42bc3cc7ae265a46cd4d137c74a1be711151efe9a44c31a894a78
KeyBase
a2afda47f4169023bca3c730a48e58d6c40e84236b959a871e883ded3304d5fb
KeyBase
bd2bf7c79dda8208f9ec0c2199d1ec61058aa43bbe6f8548623444fc143a3aec
KeyBase
d87c321887e33a1f90a29b21be81459835a725d9a056916b1cafaaacc06169f5
KeyBase
efa7f245a35c85568d26690f149f992e77c007fa1fbb7c2f4f050cea7fcca930
KeyBase
+ 456 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/200804-lnatyz2yvn/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Adds Run key to start application
Reads user/profile data of web browsers
Loads dropped DLL
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d6e1c4c9090d58d498162d834efa18bc54e0a25809ba10821fe21f689946f0e5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:KeyBase
Create hunting rule
Author:@bartblaze
Description:Identifies KeyBase aka Kibex.
Rule name:MALW_KeyBase
Create hunting rule
Author:@bartblaze
Description:Identifies KeyBase aka Kibex.
Rule name:Typical_Malware_String_Transforms
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:win_keybase_w0
Create hunting rule
Author:@bartblaze
Description:Identifies KeyBase aka Kibex.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

KeyBase

zip 782f93e5d91d7000ce8353a947cdfee9f11b98312861aee7c7eca8dec4b526ac

KeyBase

Executable exe d6e1c4c9090d58d498162d834efa18bc54e0a25809ba10821fe21f689946f0e5

(this sample)

  
Dropped by
MD5 04c9a0ee5f547b0f84ba15ec2a0b6216
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 782f93e5d91d7000ce8353a947cdfee9f11b98312861aee7c7eca8dec4b526ac
Cape
Cape
https://www.capesandbox.com/analysis/38412/

Comments