MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e87d665a4fbec30fcb5bd5d5203c4736810d638e9b82fb06257ae8a4087cbc17. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e87d665a4fbec30fcb5bd5d5203c4736810d638e9b82fb06257ae8a4087cbc17
SHA3-384 hash: b4a1c946fc920a6ba69d5d25ff7ec174de2aaa01243f6447d4c9488c1da3ad4978d9757e87cbdd8091f769e21385add8
SHA1 hash: 123a219c31bc9cbc518e214be29b9f59279984c3
MD5 hash: 0e7ee1cd8dd93cd7937b425d2af5d081
humanhash: mountain-yellow-maryland-social
File name:Far Cry 6.exe
Download: download sample
File size:6'203'507 bytes
First seen:2021-10-23 23:52:05 UTC
Last seen:2021-10-24 14:46:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4328f7206db519cd4e82283211d98e83 (533 x RedLineStealer, 18 x Arechclient2, 15 x DCRat)
ssdeep 98304:1aatmYdqiCDOgrCe/Y2h7gThEx0MlBtWLcW5XA38pYh:wQPGgThfcMc+w38ih
Threatray 109 similar samples on MalwareBazaar
TLSH T1765633BA507399AFEDD46B386287A704420C4019869E8F737E4A570FDE578DE87F021B
Reporter JaffaCakes118
Tags:exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
516
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Far Cry 6.exe
Verdict:
Malicious activity
Analysis date:
2021-10-23 23:51:51 UTC
Tags:
trojan rat redline
Link:
https://app.any.run/tasks/5aefa043-5380-4d1d-8cfa-34e70b49b446

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/199613/
Detection(s):
SecuriteInfo.com.Trojan.Siggen15.31391.1890.13986.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for analyzing tools
Searching for the window
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Launching a service
DNS request
Connection attempt
Sending a custom TCP request
Creating a file in the %temp% directory
Connection attempt to an infection source
Sending a TCP request to an infection source
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed warp
Link:
https://www.filescan.io/uploads/6174f362db358dd15ed90d36/reports/5d15d863-3eba-4077-be6e-e12f59d02205/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/da9e3fcf-fa46-4beb-ad10-11a660609b5f
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/875720
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Detected VMProtect packer
Drops PE files to the user root directory
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Defender Exclusion
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 508153 Sample: Far Cry 6.exe Startdate: 24/10/2021 Architecture: WINDOWS Score: 100 104 Antivirus / Scanner detection for submitted sample 2->104 106 Multi AV Scanner detection for submitted file 2->106 108 Detected unpacking (changes PE section rights) 2->108 110 7 other signatures 2->110 12 Far Cry 6.exe 15 7 2->12         started        17 services32.exe 2->17         started        process3 dnsIp4 100 185.215.113.83, 49748, 60722 WHOLESALECONNECTIONSNL Portugal 12->100 102 cdn.discordapp.com 162.159.129.233, 443, 49751 CLOUDFLARENETUS United States 12->102 90 C:\Users\user\AppData\Local\Temp\bild.exe, PE32+ 12->90 dropped 92 C:\Users\user\AppData\...\Far Cry 6.exe.log, ASCII 12->92 dropped 156 Query firmware table information (likely to detect VMs) 12->156 158 Tries to harvest and steal browser information (history, passwords, etc) 12->158 160 Hides threads from debuggers 12->160 162 Tries to detect sandboxes / dynamic malware analysis system (registry check) 12->162 19 bild.exe 12->19         started        164 Multi AV Scanner detection for dropped file 17->164 166 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 17->166 168 Writes to foreign memory regions 17->168 170 2 other signatures 17->170 22 conhost.exe 3 17->22         started        file5 signatures6 process7 signatures8 112 Multi AV Scanner detection for dropped file 19->112 114 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 19->114 116 Writes to foreign memory regions 19->116 120 2 other signatures 19->120 24 conhost.exe 4 19->24         started        118 Adds a directory exclusion to Windows Defender 22->118 28 sihost32.exe 22->28         started        30 cmd.exe 22->30         started        32 cmd.exe 22->32         started        process9 file10 88 C:\Users\user\services32.exe, PE32+ 24->88 dropped 136 Drops PE files to the user root directory 24->136 138 Adds a directory exclusion to Windows Defender 24->138 34 cmd.exe 1 24->34         started        36 cmd.exe 1 24->36         started        39 cmd.exe 1 24->39         started        140 Writes to foreign memory regions 28->140 142 Allocates memory in foreign processes 28->142 144 Creates a thread in another existing process (thread injection) 28->144 41 conhost.exe 28->41         started        43 conhost.exe 30->43         started        45 powershell.exe 30->45         started        47 powershell.exe 30->47         started        49 conhost.exe 32->49         started        51 taskkill.exe 32->51         started        signatures11 process12 signatures13 53 services32.exe 34->53         started        56 conhost.exe 34->56         started        122 Uses schtasks.exe or at.exe to add and modify task schedules 36->122 124 Adds a directory exclusion to Windows Defender 36->124 58 powershell.exe 23 36->58         started        60 conhost.exe 36->60         started        62 powershell.exe 36->62         started        64 conhost.exe 39->64         started        66 schtasks.exe 1 39->66         started        process14 signatures15 126 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 53->126 128 Writes to foreign memory regions 53->128 130 Allocates memory in foreign processes 53->130 132 Creates a thread in another existing process (thread injection) 53->132 68 conhost.exe 53->68         started        process16 dnsIp17 94 github.com 140.82.121.3, 443, 49800 GITHUBUS United States 68->94 96 raw.githubusercontent.com 185.199.108.133, 443, 49801 FASTLYUS Netherlands 68->96 98 2 other IPs or domains 68->98 86 C:\Users\user\AppData\...\sihost32.exe, PE32+ 68->86 dropped 134 Adds a directory exclusion to Windows Defender 68->134 73 sihost32.exe 68->73         started        76 cmd.exe 68->76         started        file18 signatures19 process20 signatures21 146 Multi AV Scanner detection for dropped file 73->146 148 Writes to foreign memory regions 73->148 150 Allocates memory in foreign processes 73->150 152 Creates a thread in another existing process (thread injection) 73->152 78 conhost.exe 73->78         started        154 Adds a directory exclusion to Windows Defender 76->154 80 conhost.exe 76->80         started        82 powershell.exe 76->82         started        84 powershell.exe 76->84         started        process22
Gathering data
Threat name:
Win32.Packed.Themida
Create hunting rule
Status:
Malicious
First seen:
2021-10-23 23:53:05 UTC
AV detection:
26 of 28 (92.86%)
Threat level:
  1/5
Verdict:
malicious
Similar samples:
010e5cf08f24b0b769747b20d38324e7ea5b3633cc72832a07cb8769b126dd0f
108cad79cd5bd2a947c5b877a55b7d3a6a4ce579aae3f298c0618154c27eb3d4
37882a4a0aaf84e2f3c063de493fedbf2233c31c7bd146c79059dd1ae914e2f4
6dbd32bc93ae550752cb2f00a9b7d9a2e0d7146dcaa0b5a9b93a1351f93cc419
89e3b00acfc8b0904398665280312cf9a2b426db3eb77b2e5303131de48a2dde
9708b8a58045c4dad1f6c86881bdb78825a80d7ee35310ab7642260e232a663b
e04732a7a7207be7219222c607009220d68c047fc3eeed1d5925f790b1c7cd63
f4f37faf7b52b7544ee58a029dcc54a71941aedcdd2b4eacda2f39c3217aad48
+ 99 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
discovery evasion spyware stealer themida trojan vmprotect
Link:
https://tria.ge/reports/211023-3xahsacee8/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Downloads MZ/PE file
Executes dropped EXE
VMProtect packed file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Unpacked files
SH256 hash:
dcb842f5e0da9d486cad34d4b809dcaadf9ec4d6991fdb22bdc9aea66489ad1a
MD5 hash:
c02a029c978f13b753c6b578b1588c75
SHA1 hash:
e125d59451e7f467bfd329a00a506decbcd91d83
Link:
https://www.unpac.me/results/a83023f4-6368-43f6-8b6a-ce75a297e9fb/
SH256 hash:
e87d665a4fbec30fcb5bd5d5203c4736810d638e9b82fb06257ae8a4087cbc17
MD5 hash:
0e7ee1cd8dd93cd7937b425d2af5d081
SHA1 hash:
123a219c31bc9cbc518e214be29b9f59279984c3
Link:
https://www.unpac.me/results/a83023f4-6368-43f6-8b6a-ce75a297e9fb/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/e87d665a4fbe/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.64
Link:
https://yomi.yoroi.company/submissions/e87d665a4fbec30fcb5bd5d5203c4736810d638e9b82fb06257ae8a4087cbc17

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe e87d665a4fbec30fcb5bd5d5203c4736810d638e9b82fb06257ae8a4087cbc17

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/199613/

Comments