MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 7



SHA256 hash: d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78
SHA3-384 hash: dd25a51c2bb1bce4da96540f4019f9fa498319dff0fe34ab4f51e018944d95d9d670cfaecc1d7407c03d0ef36f5f3bc2
SHA1 hash: 975e5ac0f82b26eb4df8c718207c61dd8afee9ff
MD5 hash: 469c0460e4c1fefd01db4ae9f79c53c7
humanhash: august-single-fifteen-spring
File name: d9120629675b34e1a33b9bd34fadd0249ce1a903d510045565c31769e4881e78.bin
File size: 2'544'128 bytes
First seen: 2020-12-29 00:48:03 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 6f334a045bb093e7fd964a3205e903b5 (1 x StrongPity)
ssdeep: 49152:z7wxcNt/KX/jgSVIGzloZ/oQqSBnpyuFQvByitX:z3n0viGzlyqinUuyJp
TLSH: 53C52274B7C444F5F4AA8E35E762C2363F1A7DD1169044BBA3F9360E9E323428997907
Reporter: Arkbird_SOLG
Tags: APT-C-41

Intelligence


File Origin
# of uploads:
1
# of downloads:
159
Origin country:
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Creating a process from a recently created file
Creating a window
Reading critical registry keys
Enabling the 'hidden' option for files in the %temp% directory
Delayed writing of the file
DNS request
Sending a custom TCP request
Sending a UDP request
Deleting a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
suspicious
Classification:
evad
Score:
28 / 100
Signature
Changes security center settings (notifications, updates, antivirus, firewall)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph (ID 334609; sample zCxcoHu0U5.exe; start date 29/12/2020; architecture WINDOWS; score 28):
Signatures: Multi AV Scanner detection for submitted file; Machine Learning detection for sample; Changes security center settings (notifications, updates, antivirus, firewall), attributed to an svchost.exe instance that also started MpCmdRun.exe.
zCxcoHu0U5.exe dropped winmsism.exe, nvwmisrv.exe and fnmsetup.exe (all PE32) under C:\Users\user\AppData\Local\...\ and started fnmsetup.exe and nvwmisrv.exe.
fnmsetup.exe dropped and started fnmsetup.tmp, which dropped _shfoldr.dll (PE32), _setup64.tmp (PE32+), _RegDLL.tmp (PE32) and 112 other files (none is malicious) and started FindAndMount.exe.
nvwmisrv.exe contacted uppertrainingtool.com (185.242.180.213, port 443, ASSERVEREASYIT, Italy) and started winmsism.exe, which was followed by WerFault.exe.
A second svchost.exe instance contacted 127.0.0.1; conhost.exe instances were started by several of the processes, and 10 other processes were also started.
Threat name:
Win32.Trojan.Udochka
Status:
Malicious
First seen:
2020-12-24 17:39:00 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
5/5
Verdict:
malicious
Result
Malware family:
n/a
Score:
1/10
Tags:
n/a
Unpacked files
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments