MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 db18e23bebb8581ba5670201cea98ccf71ecea70d64856b96c56c63c61b91bbe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Kimsuky

Vendor detections: 7

SHA256 hash: db18e23bebb8581ba5670201cea98ccf71ecea70d64856b96c56c63c61b91bbe
SHA3-384 hash: 12f139e740ef4541550cf74c559ae863987262439350a5cddaad2962ec9145bed1e821caf3e9d38e54bb02f32aebd935
SHA1 hash: 39a61c4d9d25c8ed1b38b1a51a8ef0b5cf51ce10
MD5 hash: 12539ac37a81cc2e19338a67d237f833
humanhash: artist-uncle-lamp-rugby
File name: db18e23bebb8581ba5670201cea98ccf71ecea70d64856b96c56c63c61b91bbe
Signature: Kimsuky
File size: 6'254'878 bytes
First seen: 2023-02-01 06:39:29 UTC
Last seen: Never
File type: Visual Basic Script (vbs)
MIME type: text/plain
ssdeep: 24576:VFZTwQ66V/O3yDlkG/O3yDlka/O3yDlka/O3yDlka/O3yDlka/O3yDlka/O3yDl8:L5hlnltltltltltltltltlE
Threatray: 4'048 similar samples on MalwareBazaar
TLSH: T1E156E4F5133A3ACB4545B51AD7E2F6B374F8C276BA61EDAA3AE70A13CC7D4D12011206
Reporter: AzakaSekai
Tags: Kimsuky vbs

Intelligence


File Origin
# of uploads: 1
# of downloads: 203
Origin country: JP
Vendor Threat Intelligence

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: appleseed javascript kimsuky

Result
Verdict: MALICIOUS

Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 100 / 100
Signatures:
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates an autostart registry key pointing to binary in C:\Windows
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Powershell drops PE file
Suspicious command line found
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Wscript starts Powershell (via cmd or directly)
Behaviour
Behavior Graph (ID 795687; sample r4XjQ2O6Dz.vbs; start date 01/02/2023; architecture WINDOWS; score 100; contacted domain qwert.mine.bz; root-level signatures: Malicious sample detected (through community Yara rule), Antivirus detection for dropped file, Antivirus / Scanner detection for submitted sample, 4 other signatures)

Process tree recovered from the graph:
- wscript.exe (Wscript starts Powershell (via cmd or directly))
  dropped: C:\ProgramData\wg5Du.iWJ446.bat (ASCII); C:\ProgramData\wg5Du.iWJ446.b64 (ASCII); SW ( ..._v2.0_beta.xlsm.b64 (ASCII; file name partly missing from the graph export)
  - cmd.exe (Suspicious command line found)
    - cmd.exe (Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly))
      - powershell.exe: dropped C:\ProgramData\wg5Du.iWJ446 (PE32+)
    - regsvr32.exe: connects to qwert.mine.bz (System process connects to network (likely due to code injection or exploit); Creates an autostart registry key pointing to binary in C:\Windows)
    - conhost.exe
  - cmd.exe (Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly))
    - conhost.exe
  - powershell.exe (Powershell drops PE file)
    - conhost.exe
  - cmd.exe
    - conhost.exe
Threat name: Script-WScript.Trojan.Kimsuky
Status: Suspicious
First seen: 2022-08-24 07:53:42 UTC
File Type: Text (VBS)
AV detection: 12 of 39 (30.77%)
Threat level: 5/5

Result
Malware family: n/a
Score: 7/10
Tags: persistence
Behaviour:
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Checks computer location settings
Deletes itself
Loads dropped DLL
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments