MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eca5123a9c6fac8fa6d93a9f12ed7009ab816177eeb100e5ff27c3b4ff79d4a2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eca5123a9c6fac8fa6d93a9f12ed7009ab816177eeb100e5ff27c3b4ff79d4a2
SHA3-384 hash: 227fab77285451c5616f2f72806683b34c282bb0b2febf4283ca6a31e55a39fada7c0f8c5051e7d62d54e0fd4341790f
SHA1 hash: 6fc58661137c259ecbb94691b737d462bbfbde68
MD5 hash: 3ff9ea6914b5e01a471296402dca325c
humanhash: pluto-helium-massachusetts-hotel
File name:SecuriteInfo.com.Variant.Ulise.127420.2462.30160
Download: download sample
File size:1'027'722 bytes
First seen:2020-10-23 19:09:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6544a94130ba48ef4970b72bf8d39186 (1 x CryptBot)
ssdeep 24576:Wowv+W5l2sdaGVhpszmSb40JIj7mHXleMAxfpgfY:WXZUsdvpszmSMui7mHXxAbQY
Threatray 39 similar samples on MalwareBazaar
TLSH 0825232237C48DB5E9626B30BCF4A9251EB7F7326D21C593776E84089FB0642F51932B
Reporter SecuriteInfoCom

Intelligence

File Origin
# of uploads :
1
# of downloads :
127
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/75127/
Detection(s):
SecuriteInfo.com.Variant.Ulise.127420.2462.30160.UNOFFICIAL
Create hunting rule

PUA.Win.Trojan.Generic-6629274-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching a process
DNS request
Sending a UDP request
Delayed writing of the file
Creating a process from a recently created file
Deleting a recently created file
Creating a file
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a recently created process
Sending an HTTP GET request to an infection source
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/508422
Signature
.NET source code contains very large array initializations
Antivirus detection for URL or domain
Delayed program exit found
Drops PE files with a suspicious file extension
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Certutil Command
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses ipconfig to lookup or modify the Windows network settings
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 303327 Sample: SecuriteInfo.com.Variant.Ul... Startdate: 23/10/2020 Architecture: WINDOWS Score: 100 96 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->96 98 Antivirus detection for URL or domain 2->98 100 Multi AV Scanner detection for submitted file 2->100 102 7 other signatures 2->102 14 SecuriteInfo.com.Variant.Ulise.127420.2462.exe 7 2->14         started        17 SmartClock.exe 2->17         started        19 SmartClock.exe 2->19         started        process3 file4 86 LFdyFnIncUeQBeeoNb...sWkaTPFgPIqcXxNMnNM, PE32 14->86 dropped 21 cmd.exe 1 14->21         started        23 cmd.exe 1 14->23         started        process5 signatures6 26 cmd.exe 2 21->26         started        30 conhost.exe 21->30         started        104 Drops PE files with a suspicious file extension 23->104 32 conhost.exe 23->32         started        process7 file8 82 C:\Users\user\AppData\Local\...\explorer.com, PE32 26->82 dropped 112 Uses ping.exe to sleep 26->112 34 explorer.com 26->34         started        36 PING.EXE 1 26->36         started        39 PING.EXE 1 26->39         started        41 certutil.exe 2 26->41         started        signatures9 process10 dnsIp11 43 explorer.com 1 34->43         started        90 127.0.0.1 unknown unknown 36->90 92 Bdvq.WAxja 39->92 process12 dnsIp13 94 TuMZsrS.TuMZsrS 43->94 84 C:\Users\user\AppData\Local\...\ipconfig.exe, PE32 43->84 dropped 114 Writes to foreign memory regions 43->114 116 Maps a DLL or memory area into another process 43->116 48 ipconfig.exe 18 43->48         started        file14 signatures15 process16 dnsIp17 88 xerrrload03.top 8.211.23.107, 49738, 49739, 49740 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC Singapore 48->88 72 C:\Users\user\AppData\...\wwluubyxiwx.exe, PE32 48->72 dropped 74 C:\Users\user\AppData\...\piygqfvngvj.exe, PE32 48->74 dropped 76 C:\Users\user\AppData\Local\...\6[1].exe, PE32 48->76 dropped 78 C:\Users\user\AppData\Local\...\4[1].exe, PE32 48->78 dropped 52 cmd.exe 1 48->52         started        54 cmd.exe 1 48->54         started        file18 process19 process20 56 piygqfvngvj.exe 1 52->56         started        59 conhost.exe 52->59         started        61 wwluubyxiwx.exe 1 54->61         started        63 conhost.exe 54->63         started        signatures21 106 Injects a PE file into a foreign processes 56->106 108 Delayed program exit found 56->108 65 piygqfvngvj.exe 56->65         started        110 Machine Learning detection for dropped file 61->110 68 wwluubyxiwx.exe 3 61->68         started        process22 file23 80 C:\Users\user\AppData\...\SmartClock.exe, PE32 65->80 dropped 70 SmartClock.exe 65->70         started        process24
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/eca5123a9c6fac8fa6d93a9f12ed7009ab816177eeb100e5ff27c3b4ff79d4a2/
Threat name:
Win32.Trojan.Alien
Create hunting rule
Status:
Malicious
First seen:
2020-10-23 17:26:23 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
92ffcaa512f2f1fe06c8d381f9fdf80a8f9d28fce269544d6a66afc02601d1a0
9431f9d5bf8a3d2ee34dc7624d8996e87af05e91ecb27b50843d5ddcb2f8f6bd
94dc4632159764895ff15118dacc7c5b4c3f84722b4ae5c89b9b120adeec92bf
a06a77bd973a602f49aff3fa3a116c62d38f0e0c1842e9dca97531a68d1a3884
a356d92ade4d8d537ea6dfabe765d4cd2ff851faae1d4551b91e50b47aac216f
c84d98524bf72eac034a406063c9d25b3bceb254d3d03f1d68e018320c2fb506
e832fe2b9251b58442d1c9e380ae5f5d338af57a43329f79786e333c15507ec4
ec855bf0f35b2f38db047587591d3963f2836dfb73c4894590df75378ed7ebfa
f5acccf9cda0f0ff2063de3983bc8964b9020d30feff2e3a8b20800d3c4fe034
fdec7bb225d252d1a257304a2e8dd58aa5ef1828f9ac653924c4e54bf71725a6
+ 29 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware
Link:
https://tria.ge/reports/201023-71dpcw2ky2/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Gathers network information
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Unpacked files
SH256 hash:
eca5123a9c6fac8fa6d93a9f12ed7009ab816177eeb100e5ff27c3b4ff79d4a2
MD5 hash:
3ff9ea6914b5e01a471296402dca325c
SHA1 hash:
6fc58661137c259ecbb94691b737d462bbfbde68
Link:
https://www.unpac.me/results/e11b4ed3-25b2-4c67-9588-ce50613cc07b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/eca5123a9c6fac8fa6d93a9f12ed7009ab816177eeb100e5ff27c3b4ff79d4a2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe eca5123a9c6fac8fa6d93a9f12ed7009ab816177eeb100e5ff27c3b4ff79d4a2

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/75127/
  
URLhaus
https://urlhaus.abuse.ch/url/740717/
  
Delivery method
Distributed via web download

Comments