MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e85230a1b9b9c364056b1a2674cb85304cceb0769c6897a45ee498984973da8c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e85230a1b9b9c364056b1a2674cb85304cceb0769c6897a45ee498984973da8c
SHA3-384 hash: 1b5d165799ee703d1787f1f1ed517613c1bb674c2e501c6bd194183edfd7aa48504d596cb34f80766d09a9d0b3b75318
SHA1 hash: a20b104a011d1faeb6c285356db44a6287b49487
MD5 hash: 584390dc2e152c9145d0af6f1be7729a
humanhash: mirror-hamper-march-summer
File name:e85230a1b9b9c364056b1a2674cb85304cceb0769c6897a45ee498984973da8c
Download: download sample
File size:11'123'104 bytes
First seen:2021-03-29 08:17:52 UTC
Last seen:2021-03-29 08:44:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash bdc5a9caae3c3cac8c0aed5418f3c304
ssdeep 196608:x9berPbnq5FqSG0A4qnyk7eHno7SC8XKVM4:snqXVAp+oYXwD
Threatray 598 similar samples on MalwareBazaar
TLSH 3AB6F101EE858473D4B3013452B79BBB597AA9202B25C5D3A7943C787A707C16A3B3EF
Reporter JAMESWT_WT
Tags:Bisoyetutu Ltd Ltd signed

Code Signing Certificate

Organisation:Bisoyetutu Ltd Ltd
Issuer:Sectigo RSA Code Signing CA
Algorithm:sha256WithRSAEncryption
Valid from:2021-03-18T00:00:00Z
Valid to:2022-03-18T23:59:59Z
Serial number: 262ca7ae19d688138e75932832b18f9d
Intelligence: 9 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 55dd0f160ab77ef1feff218774fe4760ed9f7b87ce650e95c76c04e15cd00b2a
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
102
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e85230a1b9b9c364056b1a2674cb85304cceb0769c6897a45ee498984973da8c
Verdict:
Malicious activity
Analysis date:
2021-03-29 08:25:22 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a3e79631-c542-4189-a0df-be2b91e77c6c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/127521/
Detection(s):
SecuriteInfo.com.Trojan.Siggen12.56824.20426.32067.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Forced shutdown of a system process
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Gathering data
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/656625
Signature
Allocates memory in foreign processes
Found potential dummy code loops (likely to delay analysis)
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file has nameless sections
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 377243 Sample: w20EN3nkAR Startdate: 29/03/2021 Architecture: WINDOWS Score: 80 15 Multi AV Scanner detection for submitted file 2->15 17 PE file has nameless sections 2->17 6 w20EN3nkAR.exe 2->6         started        process3 signatures4 19 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 6->19 21 Hijacks the control flow in another process 6->21 23 Writes to foreign memory regions 6->23 25 4 other signatures 6->25 9 calc.exe 6->9         started        11 calc.exe 6->11         started        13 calc.exe 6->13         started        process5
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e85230a1b9b9c364056b1a2674cb85304cceb0769c6897a45ee498984973da8c/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-03-27 02:07:05 UTC
File Type:
PE (Exe)
Extracted files:
58
AV detection:
7 of 29 (24.14%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
04c950e9fb1cf6ff2de10fd17f04191f8e938189766482ef856efa2581df8dbb
064cad19bee4580a82bc4ee3558e8510100ebba8da83720749f553cc411d5cb3
06fa1b160e322bd7710c9110b1e4e873795b5c2680b8bbe70bbaf23484533459
173240b443fdb5cc7ed97cf6eedeb0d823924df3dab6d468c9da2898443f3ac6
1bceb4e84115eabb8bf3df704b5cc014834ca08b126451ae95d60a968e66d666
3816722f95463c51bb6203427a2c1947332e231bea0cd1297abfb8b89d109326
3a64941353e52a3d8fb3bc898189a0d684b1a88a9c5fdbc496ef58738f42c444
67b662f28ef6c6a148443ebece272e63e7eeb9d366032b4366fe459b7c5c41f8
7e88f1c425154e6fff6d031aaaa4d8bb4c8ff131e429f44310fd936bfc08b357
b06ce74a41d1cfd7bc73dc8b67417f1c17c85d9570f88fb842e124c9eb0c29ea
+ 588 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence upx
Link:
https://tria.ge/reports/210329-kdepv8e5bx/
Behaviour
Checks processor information in registry
GoLang User-Agent
Modifies data under HKEY_USERS
Modifies system certificate store
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Executes dropped EXE
UPX packed file
Unpacked files
SH256 hash:
053d23cb2bc1580e445ad01557f737ca37341bbdf1aacdbd9b5659e800ff8259
MD5 hash:
c49e1fd7a604709aba73dea76479768d
SHA1 hash:
07f2e83b453e11b77410039621f8cc43687aadf5
Link:
https://www.unpac.me/results/045b3aaa-887f-4dc8-9862-731434f7ad35/
SH256 hash:
e85230a1b9b9c364056b1a2674cb85304cceb0769c6897a45ee498984973da8c
MD5 hash:
584390dc2e152c9145d0af6f1be7729a
SHA1 hash:
a20b104a011d1faeb6c285356db44a6287b49487
Link:
https://www.unpac.me/results/045b3aaa-887f-4dc8-9862-731434f7ad35/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e85230a1b9b9c364056b1a2674cb85304cceb0769c6897a45ee498984973da8c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/127521/

Comments