MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d9f117fe6e61f896f07f9e03cb598ad4679ce891e764f0a1ee05307546bc7679. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d9f117fe6e61f896f07f9e03cb598ad4679ce891e764f0a1ee05307546bc7679
SHA3-384 hash: 6a09e1c4530efcbda19091f02d04b6c9911a03666957dbca33d10dc93b0d990b94cb81371c8b358a931881c28a051d53
SHA1 hash: e4e732e915d658008eed07909d2981acf8ce31b7
MD5 hash: 7e16ed7d161bbcc761410e9d9e5909cd
humanhash: nuts-thirteen-friend-hawaii
File name:d9f117fe6e61f896f07f9e03cb598ad4679ce891e764f0a1ee05307546bc7679
Download: download sample
File size:963'560 bytes
First seen:2020-11-04 08:34:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c769210c368165fcb9c03d3f832f55eb (8 x RemoteManipulator, 1 x QuasarRAT)
ssdeep 24576:ioGwQPvwq7YuypXCpuyDQzkk2/LT9mr+8RZC/04Ih2XI9q:R8vwqYDYubk19V8Xr4qq
Threatray 27 similar samples on MalwareBazaar
TLSH 122523167BE65A75F7E21B3249A29B6493F9F270073186CBF38C45059F207C69E3930A
Reporter JAMESWT_WT
Tags:signed Umbor LLC

Code Signing Certificate

Organisation:AAA Certificate Services
Issuer:AAA Certificate Services
Algorithm:sha1WithRSAEncryption
Valid from:Jan 1 00:00:00 2004 GMT
Valid to:Dec 31 23:59:59 2028 GMT
Serial number: 01
Intelligence: 369 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Central Blocklist:This certificate is on the Cert Central blocklist
Thumbprint Algorithm:SHA256
Thumbprint: D7A7A0FB5D7E2731D771E9484EBCDEF71D5F0C3E0A2948782BC83EE0EA699EF4
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
89
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/82488/
Detection(s):
PUA.Win.Trojan.Generic-6629274-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching a process
Using the Windows Management Instrumentation requests
DNS request
Delayed writing of the file
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Creating a file
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
54 / 100
Link:
https://www.joesandbox.com/analysis/519935
Signature
Drops PE files with a suspicious file extension
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Suspicious Certutil Command
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 309065 Sample: ZLX1RRRKWp Startdate: 04/11/2020 Architecture: WINDOWS Score: 54 63 Multi AV Scanner detection for submitted file 2->63 65 Sigma detected: Drops script at startup location 2->65 67 Uses ping.exe to sleep 2->67 69 2 other signatures 2->69 9 ZLX1RRRKWp.exe 8 2->9         started        12 wscript.exe 2->12         started        process3 file4 47 QNDlDVvYgfnGnZwSZJ...bikcLGmlTQMSJGkUUtR, COM 9->47 dropped 14 cmd.exe 1 9->14         started        16 cmd.exe 1 9->16         started        19 cmd.exe 1 9->19         started        process5 signatures6 21 cmd.exe 2 14->21         started        25 conhost.exe 14->25         started        61 Drops PE files with a suspicious file extension 16->61 27 conhost.exe 16->27         started        29 conhost.exe 19->29         started        process7 file8 45 C:\Users\user\AppData\Local\...\explorer.com, PE32 21->45 dropped 71 Uses ping.exe to sleep 21->71 31 explorer.com 21->31         started        34 PING.EXE 1 21->34         started        37 PING.EXE 1 21->37         started        39 3 other processes 21->39 signatures9 process10 dnsIp11 73 Drops PE files with a suspicious file extension 31->73 41 explorer.com 6 31->41         started        53 127.0.0.1 unknown unknown 34->53 55 192.168.2.1 unknown unknown 34->55 57 ktM.rHV 37->57 signatures12 process13 dnsIp14 59 EhdjOuFDIs.EhdjOuFDIs 41->59 49 C:\Users\user\AppData\...\tOrzyuUEky.com, PE32 41->49 dropped 51 C:\Users\user\AppData\...\tOrzyuUEky.url, MS 41->51 dropped file15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d9f117fe6e61f896f07f9e03cb598ad4679ce891e764f0a1ee05307546bc7679/
Threat name:
Win32.Trojan.Alien
Create hunting rule
Status:
Malicious
First seen:
2020-11-03 20:55:52 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
1b00cf03f26724d9e9cff35a8d3d2e42f2518827e9564513b348fc163de153b6
31e0d8d290cef40450e8afb88a58749155645f4f702bdec51a81290d0230de09
380a0d5b3d5ae9eb9a53cf5bb4fe1737de62020e4f0ec5f56ee601bf8a884d1b
841419d6c404a4baf5287348cbf0fce17fccbae5b64310fddbfc8bc356a1bae1
845f1bcb80321f9183258fdcd714a4ca61a26b02590dd02cf4bd4cb07c757cdd
9431f9d5bf8a3d2ee34dc7624d8996e87af05e91ecb27b50843d5ddcb2f8f6bd
9fc5081ba3c1a4473ac1ffa3d653096afa16684a3e819ce6745bc22d38bb97f9
d17d90fd24419ddb868f945754b80e7da8eb570179e2dc867beeb769b7136745
e33456c26d161b3464acdc104271289dced8f4e5f5b35786635ec111501c1405
fdec7bb225d252d1a257304a2e8dd58aa5ef1828f9ac653924c4e54bf71725a6
+ 17 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion trojan
Link:
https://tria.ge/reports/201104-qedylpved6/
Behaviour
Enumerates processes with tasklist
Runs ping.exe
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Deletes itself
Drops startup file
Loads dropped DLL
Checks BIOS information in registry
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Unpacked files
SH256 hash:
d9f117fe6e61f896f07f9e03cb598ad4679ce891e764f0a1ee05307546bc7679
MD5 hash:
7e16ed7d161bbcc761410e9d9e5909cd
SHA1 hash:
e4e732e915d658008eed07909d2981acf8ce31b7
Link:
https://www.unpac.me/results/9d64f9da-a3fe-4bcf-bd24-7c8636f84a12/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_stresspaint_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe d9f117fe6e61f896f07f9e03cb598ad4679ce891e764f0a1ee05307546bc7679

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/82488/
  
URLhaus
https://urlhaus.abuse.ch/url/785648/
  
Delivery method
Distributed via web download

Comments