MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d8cc40274f38a3ed47c394003dc5f25969dd2e15b76dd300f9fa6ff794a08967. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d8cc40274f38a3ed47c394003dc5f25969dd2e15b76dd300f9fa6ff794a08967
SHA3-384 hash: b3b96dfc3aa24992e5bd034480e954102449f603f07e37b443985e0e6010a459ac4824c9955ab3640b5fdce2aaa75405
SHA1 hash: 1ceeea39f8c7ceb44aa3e9c6fda821030e95ac7c
MD5 hash: 291bd6607b37772b64dd825c81a39cac
humanhash: florida-fifteen-massachusetts-failed
File name:SecuriteInfo.com.Program.Unwanted.4747.12641.32408
Download: download sample
File size:2'528'272 bytes
First seen:2022-03-15 07:53:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1d1577d864d2da06952f7affd8635371 (10 x Gamaredon, 4 x UltraVNC, 3 x QuasarRAT)
ssdeep 49152:Hj9q54Jxhqx9902+8i5euw3f7fKWPFgMIkrhGOOw60lIYQgHsYIFJ1PvNlVovEx:Hj/Jxhia225/WuMXGHJ02YZjk1PHWm
Threatray 337 similar samples on MalwareBazaar
TLSH T19AC501FDEC439F62DD4EFDB047385174B3A089400E0811BEA155E6E997732A2D7BA382
File icon (PE):PE icon
dhash icon 61c89ca2b0acf071
Reporter SecuriteInfoCom
Tags:exe signed

Code Signing Certificate

Organisation:Kuzyakov Artur Vyacheslavovich IP
Issuer:Symantec Class 3 SHA256 Code Signing CA
Algorithm:sha256WithRSAEncryption
Valid from:2015-02-17T00:00:00Z
Valid to:2016-02-17T23:59:59Z
Serial number: 257beac53aa38b99fd1b541811f6ee8f
Thumbprint Algorithm:SHA256
Thumbprint: 4ed5c52210cf8a684e3b7c240132256e0f2abac7dbf48c5d1afc1b3f10c0d451
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
189
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Program.Unwanted.4747.12641.32408
Verdict:
Malicious activity
Analysis date:
2022-03-15 08:09:28 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/db3747c8-01e4-475c-83ba-beea7f4801e3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/250589/
Detection(s):
SecuriteInfo.com.Program.Unwanted.4747.12641.32408.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Searching for the window
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
DNS request
Connecting to a non-recommended domain
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Forced system process termination
Creating a file in the %AppData% subdirectories
Sending a custom TCP request
Running batch commands
Changing the Zone.Identifier stream
Creating a file
Launching a tool to kill processes
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/9253/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
keylogger overlay packed shell32.dll virus
Link:
https://www.filescan.io/uploads/6230461eb94fb38cb4829e0a/reports/a1c897ad-6372-4a0c-b5b7-538853a56c7c/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b97b9c7f-77f9-4e35-9c40-03ee25fc2dc3
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/956789
Signature
Contains functionality to register a low level keyboard hook
Creates HTA files
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Application Executed Non-Executable Extension
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Windows Shell File Write to Suspicious Folder
Sigma detected: WScript or CScript Dropper
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Submitted sample is a known malware sample
Uses cmd line tools excessively to alter registry or file data
Writes or reads registry keys via WMI
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 589270 Sample: SecuriteInfo.com.Program.Un... Startdate: 15/03/2022 Architecture: WINDOWS Score: 84 64 www-google-analytics.l.google.com 2->64 66 update.drp.su 2->66 68 2 other IPs or domains 2->68 76 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->76 78 Multi AV Scanner detection for submitted file 2->78 80 Sigma detected: Mshta Spawning Windows Shell 2->80 82 6 other signatures 2->82 11 SecuriteInfo.com.Program.Unwanted.4747.12641.exe 310 2->11         started        signatures3 process4 file5 56 C:\Users\user\...\DriverPackSolution.exe, PE32 11->56 dropped 58 C:\Users\user\AppData\Local\...\streams-d.cmd, ASCII 11->58 dropped 60 C:\Users\user\AppData\Local\Temp\...\run.hta, HTML 11->60 dropped 62 6 other files (2 malicious) 11->62 dropped 94 Submitted sample is a known malware sample 11->94 96 Contains functionality to register a low level keyboard hook 11->96 98 Creates HTA files 11->98 15 wscript.exe 2 11->15         started        signatures6 process7 process8 17 DriverPackSolution.exe 1 15->17         started        process9 19 mshta.exe 1 31 17->19         started        dnsIp10 70 mc.yandex.ru 77.88.21.119, 443, 49836 YANDEXRU Russian Federation 19->70 72 update.drp.su 37.9.8.75, 49805, 80 SELECTELRU Russian Federation 19->72 74 5 other IPs or domains 19->74 48 C:\Users\user\...\DriverPack-17-Online.exe, PE32 19->48 dropped 84 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 19->84 86 Uses cmd line tools excessively to alter registry or file data 19->86 88 Writes or reads registry keys via WMI 19->88 24 DriverPack-17-Online.exe 19->24         started        28 cmd.exe 19->28         started        30 cmd.exe 19->30         started        32 9 other processes 19->32 file11 signatures12 process13 file14 50 C:\Users\user\AppData\...\InstallOptions.dll, PE32 24->50 dropped 52 C:\...\driverpack-wget.exe, PE32 24->52 dropped 90 Multi AV Scanner detection for dropped file 24->90 92 Submitted sample is a known malware sample 24->92 54 DriverPack-17-Online.exe:Zone.Identifier, ASCII 28->54 dropped 34 conhost.exe 28->34         started        36 conhost.exe 30->36         started        38 taskkill.exe 30->38         started        40 conhost.exe 32->40         started        42 conhost.exe 32->42         started        44 conhost.exe 32->44         started        46 5 other processes 32->46 signatures15 process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d8cc40274f38a3ed47c394003dc5f25969dd2e15b76dd300f9fa6ff794a08967/
Threat name:
Win32.PUA.DriverPack
Create hunting rule
Status:
Malicious
First seen:
2015-09-15 22:26:32 UTC
File Type:
PE (Exe)
Extracted files:
503
AV detection:
8 of 27 (29.63%)
Threat level:
  1/5
Verdict:
unknown
Similar samples:
46568a18ee0442990b28d41b4a9c8a96ee257eb85fd22ea6ab9f8325d6f30f7b
473574ab9286caa551c88e2a3ac32e8b7975baac765bf084fd8c6ccb89737666
4bc74f0c9c8b45502fa4989b3e25808db909cf5239034951b6ab343d90678470
8facf32116a5f68467c71032d3a207abaa20fbcc56fcab6a3db650b4d30ad115
9431f9d5bf8a3d2ee34dc7624d8996e87af05e91ecb27b50843d5ddcb2f8f6bd
9e7dfceb92306a6a5f8317840bd2614130973d14c04a88e4bf5a755b583e4ccb
9fc5081ba3c1a4473ac1ffa3d653096afa16684a3e819ce6745bc22d38bb97f9
d1783d29c7835eba758f19e3d999c8d2244a650ba2c7614e6cbcf7895c358c61
e33456c26d161b3464acdc104271289dced8f4e5f5b35786635ec111501c1405
fdec7bb225d252d1a257304a2e8dd58aa5ef1828f9ac653924c4e54bf71725a6
+ 327 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/220315-jrka9ahah3/
Behaviour
Checks processor information in registry
Kills process with taskkill
Modifies Internet Explorer settings
Modifies system certificate store
NTFS ADS
Script User-Agent
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Checks computer location settings
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Unpacked files
SH256 hash:
f0b2f102be3bb3ae53e9805e8c0c2e62686def8c29997f4e3ef43cbbf54128f2
MD5 hash:
562d0f719a936c83b01d9e287741495e
SHA1 hash:
f8b792912a5ee628ca1fa7a721a1d2a952b566ff
Link:
https://www.unpac.me/results/42deb4cf-8a82-4d8e-a0f0-968115035976/
SH256 hash:
f66d8db30f19310f36afa6c775739f65d7ce87ace8b8039129c65250d3f1c7cd
MD5 hash:
8dcd8af92e859d6a47a4c22991790baf
SHA1 hash:
c5b06b68fbd0dbd7f6f381ae0a2af9650fc7e72c
Link:
https://www.unpac.me/results/42deb4cf-8a82-4d8e-a0f0-968115035976/
SH256 hash:
1edb3e53e1603c1b25ac388f71038d894fe6385c2bf42cd153eef5a0f2af337f
MD5 hash:
5f6531ee009473c72c785bb19122648e
SHA1 hash:
8bff4bada62f617bf4408e4da7cc4a44e516120a
Link:
https://www.unpac.me/results/42deb4cf-8a82-4d8e-a0f0-968115035976/
SH256 hash:
d8cc40274f38a3ed47c394003dc5f25969dd2e15b76dd300f9fa6ff794a08967
MD5 hash:
291bd6607b37772b64dd825c81a39cac
SHA1 hash:
1ceeea39f8c7ceb44aa3e9c6fda821030e95ac7c
Link:
https://www.unpac.me/results/42deb4cf-8a82-4d8e-a0f0-968115035976/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d8cc40274f38a3ed47c394003dc5f25969dd2e15b76dd300f9fa6ff794a08967

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SUSP_SFX_RunProgram_WScript
Create hunting rule
Author:Florian Roth
Description:Detects suspicious SFX as used by Gamaredon group
Reference:Internal Research
Rule name:SUSP_SFX_RunProgram_WScript_RID3143
Create hunting rule
Author:Florian Roth
Description:Detects suspicious SFX as used by Gamaredon group
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/250589/

Comments