MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dceef11f380d4082b9e67accef94ff1eaf6ba3eb6be59b861a11f084b29a1c7c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dceef11f380d4082b9e67accef94ff1eaf6ba3eb6be59b861a11f084b29a1c7c
SHA3-384 hash: e2fa32e78f5edb4b8848da9f49bfa8265a493d6a29e903e0f123fc7701a7383f9633f96b7bd518153a52cd7b4a8ce094
SHA1 hash: bd5e6868ca558a953edbc24c0392c595c7cc793b
MD5 hash: db32d4d3f109a9b1f4c6e3fe9d0fb55b
humanhash: comet-kitten-carbon-earth
File name:feinaio.exe
Download: download sample
File size:2'120'704 bytes
First seen:2022-01-17 17:42:49 UTC
Last seen:2022-01-17 19:56:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 820ab24e53af2dbafc74d24f87e40262
ssdeep 49152:xHaUTvLygANNrZV8MuLhnI8r7ZDJxsFPOR0c9cQBLci:x6CL3WNj8MuL1Ic9XsFPORpB
Threatray 18 similar samples on MalwareBazaar
TLSH T1D5A52324BEEAF601E0C86BBB5CD346F4C5AED647E33539242F95093A7C125DAFA0152C
File icon (PE):PE icon
dhash icon e2e6a6a28a96b2aa
Reporter r3dbU7z
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
178
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
feinaio.exe
Verdict:
No threats detected
Analysis date:
2022-01-17 17:47:36 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/76d81fe2-76c7-4e02-8506-cd17cf3d73b7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
PCRat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/219897/
Detection(s):
PUA.Win.Packer.Pespin-39
Create hunting rule

PUA.Win.Packer.Pespin-40
Create hunting rule

PUA.Win.Packer.PESpin-1
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a UDP request
Creating a file
Creating a process from a recently created file
Сreating synchronization primitives
Searching for analyzing tools
Creating a file in the Windows subdirectories
Creating a service
Launching a service
Searching for synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Enabling autorun for a service
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/61e5aaae0f8c757253c54663/reports/7bcd96c6-4cd4-4b0c-ac6c-8215aeeb6717/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/17ab592b-79ff-419b-8461-0e7271812ae4
Result
Threat name:
GhostRat Mimikatz
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/921950
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the user root directory
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
PE file has nameless sections
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade analysis by execution special instruction which cause usermode exception
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected GhostRat
Yara detected Mimikatz
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 554428 Sample: feinaio.exe Startdate: 17/01/2022 Architecture: WINDOWS Score: 100 49 Malicious sample detected (through community Yara rule) 2->49 51 Antivirus / Scanner detection for submitted sample 2->51 53 Multi AV Scanner detection for submitted file 2->53 55 4 other signatures 2->55 8 feinaio.exe 2 2->8         started        12 SkWcsk.exe 2->12         started        14 svchost.exe 1 2->14         started        16 3 other processes 2->16 process3 file4 41 C:\Users\user\Desktop#jwhukahjg.exe, PE32 8->41 dropped 67 Drops PE files to the user root directory 8->67 69 Tries to evade analysis by execution special instruction which cause usermode exception 8->69 18 Desktop#jwhukahjg.exe 1 1 8->18         started        22 cmd.exe 1 8->22         started        71 Antivirus detection for dropped file 12->71 73 Detected unpacking (changes PE section rights) 12->73 75 Tries to detect sandboxes and other dynamic analysis tools (window names) 12->75 77 3 other signatures 12->77 24 SkWcsk.exe 1 12->24         started        signatures5 process6 dnsIp7 39 C:\Windows\SysWOW64\SkWcsk.exe, PE32 18->39 dropped 57 Antivirus detection for dropped file 18->57 59 Detected unpacking (changes PE section rights) 18->59 61 Machine Learning detection for dropped file 18->61 63 Tries to evade analysis by execution special instruction which cause usermode exception 18->63 27 cmd.exe 1 18->27         started        30 conhost.exe 22->30         started        32 PING.EXE 1 22->32         started        45 206.119.81.145, 49775, 8086 COGENT-174US United States 24->45 47 192.168.2.1 unknown unknown 24->47 65 Hides threads from debuggers 24->65 file8 signatures9 process10 signatures11 79 Uses ping.exe to sleep 27->79 81 Uses ping.exe to check the status of other devices and networks 27->81 34 PING.EXE 1 27->34         started        37 conhost.exe 27->37         started        process12 dnsIp13 43 127.0.0.1 unknown unknown 34->43
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dceef11f380d4082b9e67accef94ff1eaf6ba3eb6be59b861a11f084b29a1c7c/
Threat name:
Win32.Trojan.Cyclun
Create hunting rule
Status:
Malicious
First seen:
2022-01-16 18:42:38 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
03cf1ab083083cb0b7bc90d18f9f8e3f78504f288daece26bfc0ec96aadd2947
1bd4eeb7f7ae8a4ca1fb2fcf673cbb810ca123d6672a1d6d10ed317688ffcfac
944163147cc3579183fd8e7aae63772e52952d6afb7ae8a9f1205876c6914559
c39ba723990f9e09ecd5f43562fe5626060450dd290b85670412f5be85c727a9
c6af3ecd4095b7625da3136f209818c4d96689289eddfc3dcff444db9d4ca9c1
cbc999b807e96106a2aa4d457dd51afac52cee174e5f7ed04a5f3a0b74150f5e
f769926334ff93842429c7eda5c7ba1dedf3fb39a4b7b47decd0cbe7b9454170
+ 8 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/220117-waklxabef3/
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates connected drives
Deletes itself
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
dceef11f380d4082b9e67accef94ff1eaf6ba3eb6be59b861a11f084b29a1c7c
MD5 hash:
db32d4d3f109a9b1f4c6e3fe9d0fb55b
SHA1 hash:
bd5e6868ca558a953edbc24c0392c595c7cc793b
Link:
https://www.unpac.me/results/a4e545df-3bec-4e18-a810-7051f30236f1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.13
Link:
https://yomi.yoroi.company/submissions/dceef11f380d4082b9e67accef94ff1eaf6ba3eb6be59b861a11f084b29a1c7c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe dceef11f380d4082b9e67accef94ff1eaf6ba3eb6be59b861a11f084b29a1c7c

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/219897/

Comments