MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d88cb891d36dc09bb88fcef9fcb8ba6efe6f5034ae76e5b630ab86e54afff1cc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d88cb891d36dc09bb88fcef9fcb8ba6efe6f5034ae76e5b630ab86e54afff1cc
SHA3-384 hash: 2e9bd27b769f4bb98890caaa6108e32dbefb2ff2138d280290addbc80372f2cca65d4c86d4e383cb368dc87093e9dd22
SHA1 hash: b2b465baee22889403ba48c0745d5d9643a45555
MD5 hash: 094312be0a71a292a4670bcda23b2500
humanhash: neptune-mockingbird-low-kentucky
File name:d88cb891d36dc09bb88fcef9fcb8ba6efe6f5034ae76e5b630ab86e54afff1cc.bin
Download: download sample
File size:53'248 bytes
First seen:2020-11-20 15:22:09 UTC
Last seen:2020-11-20 17:00:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 1536:Z4W3Dr5u1s1Xrhja8ayrwmN3jY0t85x0AV+54A:N3DrMCzzzY0tWxh+
Threatray 6 similar samples on MalwareBazaar
TLSH D0337D029796A110F5479475B6F6FABEF61B18F0131890FB1981C7D68E70AD3AE70E0A
Reporter Arkbird_SOLG
Tags:VKeylogger


Avatar
ArkbirdDevil
Unpacked after multiple cryptor (c#/c++)

Intelligence

File Origin
# of uploads :
2
# of downloads :
87
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a window
Using the Windows Management Instrumentation requests
DNS request
Connection attempt
Sending an HTTP POST request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Base64 Encoded Powershell Directives
Detected one or more base64 encoded Powershell directives.
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/544240
Signature
Antivirus / Scanner detection for submitted sample
Contains functionality to register a low level keyboard hook
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates multiple autostart registry keys
Found C&C like URL pattern
Found suspicious powershell code related to unpacking or dynamic code loading
Installs a global keyboard hook
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Sigma detected: MSHTA Spawning Windows Shell
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Very long command line found
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 321218 Sample: IKatdK48H3.bin Startdate: 20/11/2020 Architecture: WINDOWS Score: 100 43 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->43 45 Antivirus / Scanner detection for submitted sample 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 5 other signatures 2->49 10 IKatdK48H3.exe 2->10         started        process3 signatures4 57 Contains functionality to register a low level keyboard hook 10->57 59 Maps a DLL or memory area into another process 10->59 13 explorer.exe 4 10->13         started        process5 dnsIp6 41 rackz.su 170.106.35.220, 49727, 49738, 80 TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN Singapore 13->41 63 System process connects to network (likely due to code injection or exploit) 13->63 65 Creates autostart registry keys with suspicious values (likely registry only malware) 13->65 67 Creates multiple autostart registry keys 13->67 69 3 other signatures 13->69 17 explorer.exe 5 13->17 injected signatures7 process8 process9 19 mshta.exe 19 17->19         started        22 mshta.exe 19 17->22         started        24 IKatdK48H3.exe 17->24         started        26 IKatdK48H3.exe 17->26         started        signatures10 51 Suspicious powershell command line found 19->51 53 Very long command line found 19->53 28 powershell.exe 22 19->28         started        31 powershell.exe 18 22->31         started        55 Maps a DLL or memory area into another process 24->55 33 explorer.exe 24->33         started        35 explorer.exe 26->35         started        process11 signatures12 37 conhost.exe 28->37         started        61 Found suspicious powershell code related to unpacking or dynamic code loading 31->61 39 conhost.exe 31->39         started        process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d88cb891d36dc09bb88fcef9fcb8ba6efe6f5034ae76e5b630ab86e54afff1cc/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-11-20 12:50:44 UTC
File Type:
PE (Exe)
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
1bf6e25f5655dd96b13058e02e864b038a96cb2ddfb805c551b3df33c5782dae
3fd662d7caf82ecc8b61b4fa261bc51510851aa36099a85f66c2689c507e11d7
68be2ba319d445f1a1d7da73d9ad26b894f55f85f1b943ab5b5251ddfc0bc439
82b3bc554c3ed5e698153da5badfd3973e337c49ee8477847b2ca0fdda98b895
99c1b2c7ec27b36fbc1978048266d739f8efc003af325fd9a00d0399d7d16b48
fe6e78fc04cc85915c056447a608233c7094caf911cc8de0e0491184cdaf056b
Result
Malware family:
n/a
Score:
  6/10
Tags:
persistence
Link:
https://tria.ge/reports/201120-rysr497qee/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Unpacked files
SH256 hash:
d88cb891d36dc09bb88fcef9fcb8ba6efe6f5034ae76e5b630ab86e54afff1cc
MD5 hash:
094312be0a71a292a4670bcda23b2500
SHA1 hash:
b2b465baee22889403ba48c0745d5d9643a45555
Link:
https://www.unpac.me/results/cd739b7c-cbcb-47b1-9c25-a13b58de79c0/
SH256 hash:
c36ebf9f194203f9263ce2cc302de1e0913340b63bd2c99557cc6342cc3a72ec
MD5 hash:
3ff9f0a0ebc05015a9c13b8e0358c1b7
SHA1 hash:
303fe6f742c20be4b75fe313f4e1c9553985e868
Link:
https://www.unpac.me/results/cd739b7c-cbcb-47b1-9c25-a13b58de79c0/
SH256 hash:
c26e823ed9cca15c98481611678d1ac54357a15bd306764bf5ec9b729dbcc9a3
MD5 hash:
ab1a95003a5c99e44dc88782ce340171
SHA1 hash:
8099501508d3842dad00e8590d9ce21ca7452467
Link:
https://www.unpac.me/results/cd739b7c-cbcb-47b1-9c25-a13b58de79c0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d88cb891d36dc09bb88fcef9fcb8ba6efe6f5034ae76e5b630ab86e54afff1cc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Base64_Encoded_Powershell_Directives
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Executable exe 99c1b2c7ec27b36fbc1978048266d739f8efc003af325fd9a00d0399d7d16b48

Executable exe d88cb891d36dc09bb88fcef9fcb8ba6efe6f5034ae76e5b630ab86e54afff1cc

(this sample)

  
X
https://twitter.com/JAMESWT_MHT/status/1329739368408489987
  
Dropped by
SHA256 99c1b2c7ec27b36fbc1978048266d739f8efc003af325fd9a00d0399d7d16b48
  
Delivery method
Other

Comments