MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d7e6580054525d3f21f86edfc9f30b7a75ffa829a1eb67ee3cab33f0040dba4e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d7e6580054525d3f21f86edfc9f30b7a75ffa829a1eb67ee3cab33f0040dba4e
SHA3-384 hash: 84afac0609840e637a14b86e2d5934c74d5ac0dd92703c3298708e7b0113cb1b88b333642d0eda422b161a42fe70e5c8
SHA1 hash: bd4c956186f33c92eb4469f7e5675510d0790e99
MD5 hash: 9c352d2ce0c0bdc40c72f52ce3480577
humanhash: august-cat-six-oven
File name:Bonzify.exe
Download: download sample
File size:6'702'080 bytes
First seen:2022-02-28 10:05:49 UTC
Last seen:2022-02-28 11:48:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 0bee32f8779ce7af7a869e923f1dd6fb
ssdeep 196608:/dAMaWetTeAkLIdx751qFTkub//73lc6u7b5VJ2Yx5xIdk3:naWedh+Idx75QYub//73lc6u7bLMYxD
Threatray 10'968 similar samples on MalwareBazaar
TLSH T117661212BB82A810C460D7332D6AE9E16635FF955FA3970E2B1B7A3C2532574E53B313
File icon (PE):PE icon
dhash icon 71e0e0c8c8c2f098
Reporter Anonymous
Tags:exe test


Avatar
Anonymous
this malware sample is very nasty!

Intelligence

File Origin
# of uploads :
2
# of downloads :
227
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
WinUpdate.exe
Verdict:
Malicious activity
Analysis date:
2020-10-16 20:06:17 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b3c0b102-67df-4d28-b107-3bab6bd72a63

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/245273/
Detection(s):
SecuriteInfo.com.Trojan.KillProc2.5661.10594.7468.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Running batch commands
Creating a file in the Windows directory
Using the Windows Management Instrumentation requests
Searching for the window
Launching a process
Sending a custom TCP request
Creating a window
Launching a tool to kill processes
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/7606/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
advpack.dll evasive expand.exe explorer.exe keylogger packed shell32.dll
Link:
https://www.filescan.io/uploads/621c9e90b94fb38cb4234619/reports/4028c60a-1932-443c-a145-70460dbef5f0/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/913c013a-c84c-4c31-aadc-3e333f9c9f72
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/947284
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates an undocumented autostart registry key
Drops executables to the windows directory (C:\Windows) and starts them
Extracts suspicious resources from PE file (packer detected)
Found evasive API chain (may stop execution after checking mutex)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 579761 Sample: Bonzify.exe Startdate: 28/02/2022 Architecture: WINDOWS Score: 88 65 Antivirus detection for dropped file 2->65 67 Antivirus / Scanner detection for submitted sample 2->67 69 Multi AV Scanner detection for dropped file 2->69 71 Multi AV Scanner detection for submitted file 2->71 7 Bonzify.exe 15 2->7         started        11 AgentSvr.exe 2->11         started        13 explorer.exe 2->13         started        process3 file4 41 C:\Users\user\AppData\Local\...\INSTALLER.exe, PE32 7->41 dropped 43 C:\HookDLL.dll, PE32 7->43 dropped 73 Creates an undocumented autostart registry key 7->73 75 Extracts suspicious resources from PE file (packer detected) 7->75 15 INSTALLER.exe 48 7->15         started        19 INSTALLER.exe 7->19         started        21 cmd.exe 1 7->21         started        signatures5 process6 file7 45 C:\Windows\msagent\mslwvtts.dll (copy), PE32 15->45 dropped 47 C:\Windows\msagent\intl\SET9B6F.tmp, PE32 15->47 dropped 49 C:\Windows\msagent\intl\Agt0409.dll (copy), PE32 15->49 dropped 57 33 other files (none is malicious) 15->57 dropped 61 Found evasive API chain (may stop execution after checking mutex) 15->61 63 Drops executables to the windows directory (C:\Windows) and starts them 15->63 23 regsvr32.exe 190 15->23         started        25 regsvr32.exe 15 15->25         started        27 AgentSvr.exe 174 15->27         started        37 6 other processes 15->37 51 C:\Windows\lhsp\tv\tvenuax.dll (copy), PE32 19->51 dropped 53 C:\Windows\lhsp\tv\tv_enua.dll (copy), PE32 19->53 dropped 55 C:\Windows\lhsp\tv\SETE8C9.tmp, PE32 19->55 dropped 59 8 other files (none is malicious) 19->59 dropped 39 3 other processes 19->39 29 icacls.exe 1 21->29         started        31 taskkill.exe 1 21->31         started        33 conhost.exe 21->33         started        35 takeown.exe 1 21->35         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d7e6580054525d3f21f86edfc9f30b7a75ffa829a1eb67ee3cab33f0040dba4e/
Threat name:
Win32.Trojan.Tiggre
Create hunting rule
Status:
Malicious
First seen:
2019-03-28 21:19:00 UTC
File Type:
PE (Exe)
Extracted files:
119
AV detection:
32 of 43 (74.42%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
427abc2035bd94beb2512e021757f81b9fbac201eb72018296889a8509e56072
48f9b4bc2bf75c03449857ff0d6b47c35ab97ed8ba444890ccdd4128d9ae1027
55ded456339aef89e7d891f0c7f494c11d8983233106d64069bc767ab06ceb71
819c9d8c88fc1ffbfeae1797646f7b90f930fef4dae513fe8e43fad3bf475bf0
911860ba2f0c1d6b668bc865e77cdd09ef29682fa0ea39846b0affef39fa9e61
991d4dc612ff80ab2506510dba31531db995fe3f64318fbffd4e327d77b36c3f
9d2c9620d231cab41fd8a87797cb8f67ed96b79231473e728b72e17b055653db
cfa1ef201a4dec456d4d6ffddc96267fcbf212f45616223fc8b3c675639f055b
e3c2d04c155b63a71d10e42a3c81199a6627a60363e3c978228ab14a8897bf9d
+ 10'958 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery exploit persistence
Link:
https://tria.ge/reports/220228-l43pgadhh6/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates system info in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Checks installed software on the system
Enumerates connected drives
Loads dropped DLL
Modifies file permissions
Executes dropped EXE
Modifies AppInit DLL entries
Modifies Installed Components in the registry
Possible privilege escalation attempt
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SH256 hash:
d7e6580054525d3f21f86edfc9f30b7a75ffa829a1eb67ee3cab33f0040dba4e
MD5 hash:
9c352d2ce0c0bdc40c72f52ce3480577
SHA1 hash:
bd4c956186f33c92eb4469f7e5675510d0790e99
Link:
https://www.unpac.me/results/573f68b6-89ae-4fce-b36c-6d4ec9f046e6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d7e6580054525d3f21f86edfc9f30b7a75ffa829a1eb67ee3cab33f0040dba4e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b

Executable exe d7e6580054525d3f21f86edfc9f30b7a75ffa829a1eb67ee3cab33f0040dba4e

(this sample)

anyrun
any.run
https://app.any.run/tasks/1
anyrun
any.run
https://app.any.run/tasks/2
Joe
Joe Sandbox
https://www.joesecurity.org/reports/1
Joe
Joe Sandbox
https://www.joesecurity.org/reports/2
Malpedia
Malpedia
https://malpedia.caad.fkie.fraunhofer.de/details/win.gozi
  
X
https://twitter.com/abuse_ch/status/1224269018506330112
  
Link
https://urlhaus.abuse.ch/url/306613/
  
Dropped by
MD5 68b329da9893e34099c7d8ad5cb9c940
  
Dropped by
SHA256 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
  
Dropped by
SHA256 4355a46b19d348dc2f57c046f8ef63d4538ebb936000f3c9ee954a27460dd865
  
Dropped by
Gozi
  
Delivery method
Distributed via e-mail attachment
  
URLhaus
https://urlhaus.abuse.ch/url/185/
  
URLhaus
https://urlhaus.abuse.ch/url/250/
  
URLhaus
https://urlhaus.abuse.ch/url/632/
  
URLhaus
https://urlhaus.abuse.ch/url/299/
  
URLhaus
https://urlhaus.abuse.ch/url/959/
  
URLhaus
https://urlhaus.abuse.ch/url/2267/
  
URLhaus
https://urlhaus.abuse.ch/url/2296/
  
URLhaus
https://urlhaus.abuse.ch/url/859/
  
URLhaus
https://urlhaus.abuse.ch/url/2535/
  
URLhaus
https://urlhaus.abuse.ch/url/2560/
  
URLhaus
https://urlhaus.abuse.ch/url/2004/
  
URLhaus
https://urlhaus.abuse.ch/url/1910/
  
URLhaus
https://urlhaus.abuse.ch/url/2255/
  
URLhaus
https://urlhaus.abuse.ch/url/725/
  
URLhaus
https://urlhaus.abuse.ch/url/7391/
  
URLhaus
https://urlhaus.abuse.ch/url/8079/
  
URLhaus
https://urlhaus.abuse.ch/url/8168/
  
URLhaus
https://urlhaus.abuse.ch/url/3160/
  
URLhaus
https://urlhaus.abuse.ch/url/4006/
  
URLhaus
https://urlhaus.abuse.ch/url/3959/
  
URLhaus
https://urlhaus.abuse.ch/url/893/
  
URLhaus
https://urlhaus.abuse.ch/url/7376/
  
URLhaus
https://urlhaus.abuse.ch/url/13445/
  
URLhaus
https://urlhaus.abuse.ch/url/13246/
  
URLhaus
https://urlhaus.abuse.ch/url/588/
  
URLhaus
https://urlhaus.abuse.ch/url/14138/
  
URLhaus
https://urlhaus.abuse.ch/url/13739/
  
URLhaus
https://urlhaus.abuse.ch/url/16482/
  
URLhaus
https://urlhaus.abuse.ch/url/15188/
  
URLhaus
https://urlhaus.abuse.ch/url/10989/
  
URLhaus
https://urlhaus.abuse.ch/url/9505/
  
URLhaus
https://urlhaus.abuse.ch/url/16604/
  
URLhaus
https://urlhaus.abuse.ch/url/16504/
  
URLhaus
https://urlhaus.abuse.ch/url/8621/
  
URLhaus
https://urlhaus.abuse.ch/url/16257/
  
URLhaus
https://urlhaus.abuse.ch/url/14587/
  
URLhaus
https://urlhaus.abuse.ch/url/20366/
  
URLhaus
https://urlhaus.abuse.ch/url/20767/
  
URLhaus
https://urlhaus.abuse.ch/url/22808/
  
URLhaus
https://urlhaus.abuse.ch/url/22626/
  
URLhaus
https://urlhaus.abuse.ch/url/24594/
  
URLhaus
https://urlhaus.abuse.ch/url/24379/
  
URLhaus
https://urlhaus.abuse.ch/url/25740/
  
URLhaus
https://urlhaus.abuse.ch/url/26033/
  
URLhaus
https://urlhaus.abuse.ch/url/25671/
  
URLhaus
https://urlhaus.abuse.ch/url/24097/
  
URLhaus
https://urlhaus.abuse.ch/url/26448/
  
URLhaus
https://urlhaus.abuse.ch/url/25492/
  
URLhaus
https://urlhaus.abuse.ch/url/22956/
  
URLhaus
https://urlhaus.abuse.ch/url/20972/
  
URLhaus
https://urlhaus.abuse.ch/url/20866/
  
URLhaus
https://urlhaus.abuse.ch/url/18823/
  
URLhaus
https://urlhaus.abuse.ch/url/18542/
Cape
Cape
https://www.capesandbox.com/analysis/245273/

Comments