MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f12f4f8064e33f458acd1cb2c6c0aed335987385cf8541e71c096fe22a7b7e9c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f12f4f8064e33f458acd1cb2c6c0aed335987385cf8541e71c096fe22a7b7e9c
SHA3-384 hash: abdf7047a11f176dce72b0e132bfed13714302225bcea67e52e713de481a13435f5980f0ffbcc3b09bfcd6284845b5bd
SHA1 hash: 9b237f521b1cf648366486dab35493154b01f00f
MD5 hash: c0191f7905947b8ac0ab62ac70c2118d
humanhash: vermont-montana-quiet-comet
File name:c0191f7905947b8ac0ab62ac70c2118d
Download: download sample
File size:2'467'840 bytes
First seen:2021-10-13 05:36:57 UTC
Last seen:2021-10-13 06:54:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 08ce2bb5c289c22487015109b09aeba3 (8 x CoinMiner)
ssdeep 49152:BeVq3A99F62ZyjzWH9AasGFlnwMs5bGLLWRKXFKKc6HOP8qtP1MVh68UfGrMnAh0:YV79Ou2+nwMsgLLWYXgK4t2VI8U+rMnQ
Threatray 6'475 similar samples on MalwareBazaar
TLSH T13DB5336FEF00B836F6440A7278E8766552468D1BE68B397E32D117F01B492728D12E7B
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
161
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c0191f7905947b8ac0ab62ac70c2118d
Verdict:
No threats detected
Analysis date:
2021-10-13 05:40:39 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b70373d3-1e24-4469-9e1c-df5b7828238a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/197075/
Detection(s):
SecuriteInfo.com.Trojan.Heur.GM.0000426180.30287.19656.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for analyzing tools
Searching for the window
Running batch commands
Creating a window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
67%
Tags:
nitol packed virus
Link:
https://www.filescan.io/uploads/61667082fd35fe780c3c7505/reports/f3c0d1bd-9bb5-49b6-9182-c9a952ff129e/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c60b7dda-88f3-49ec-a1f2-76d46d510d76
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/869311
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Hides threads from debuggers
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Powershell download and execute file
Sigma detected: PowerShell DownloadFile
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f12f4f8064e33f458acd1cb2c6c0aed335987385cf8541e71c096fe22a7b7e9c/
Threat name:
Win32.Dropper.Dapato
Create hunting rule
Status:
Malicious
First seen:
2021-10-12 18:18:55 UTC
AV detection:
15 of 45 (33.33%)
Threat level:
  3/5
Verdict:
malicious
Similar samples:
0f5d2516bb90d08755178e51a894001e6a1c14912e0e990d7ac8e4f935df7a39
329903818d07ba0d9e6e77b1a334e7adc0be9ca594d122ee592257b34d4e8208
370623f3b732194c8497a12cfc2e906755f145c61ab8715c22d98f6fd7cf66d4
597e518506fbbb5477ee2982b80e6c451d23a2b88ab006de22eb869b6890ad5f
5e2466c2ee0d8606af62731cc0501e87a3be51f1eadbafb35c0818fc7e236e1b
73c1188d93bd4318a830cb6d891aae7580a61c396ce37ba3676a321bbd3a137e
7feb71e0bcd24d21e20f423434b4c9971c174c9e1aafedab36e2ecab1ff3a5bf
a0c86be7bbd36ce47ea9f012fe868411819bf695472cc2b3f860bd604e082445
bdbf24537950b4bb8ca32e92dc5934fd651792db3452c748d7893da61aca1710
e7b94b42550145f6653edad5a47879f3bad1abe865f065d7036ca942c572e842
+ 6'465 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion suricata themida trojan
Link:
https://tria.ge/reports/211013-ga6f2sdddj/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Checks BIOS information in registry
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Malware Config
Dropper Extraction:
https://cdn.discordapp.com/attachments/896029859665575966/896799743114633306/ali.exe
Unpacked files
SH256 hash:
463203193ea3378742cc0c96c2d19b4697eead509d3a88beb2d157fb864bcedc
MD5 hash:
27bdc9b59dbfcf998ac788ba4c869fc8
SHA1 hash:
9cad1477677d5fbb2e74477c61175c0ff0aa57e5
Link:
https://www.unpac.me/results/2b4067da-a378-4994-bc2a-495fcef6890d/
SH256 hash:
f12f4f8064e33f458acd1cb2c6c0aed335987385cf8541e71c096fe22a7b7e9c
MD5 hash:
c0191f7905947b8ac0ab62ac70c2118d
SHA1 hash:
9b237f521b1cf648366486dab35493154b01f00f
Link:
https://www.unpac.me/results/2b4067da-a378-4994-bc2a-495fcef6890d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f12f4f8064e33f458acd1cb2c6c0aed335987385cf8541e71c096fe22a7b7e9c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe f12f4f8064e33f458acd1cb2c6c0aed335987385cf8541e71c096fe22a7b7e9c

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/197075/

Comments


Avatar
zbet commented on 2021-10-13 05:36:58 UTC

url : hxxp://project113.icu/gimp-2.10.24-setup-3.exe