MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f3d5013578835436d8cc1f82b7dcfd44e18737535f54fadcb4ea5ad18d8aee0c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 7



SHA256 hash: f3d5013578835436d8cc1f82b7dcfd44e18737535f54fadcb4ea5ad18d8aee0c
SHA3-384 hash: 7b3a9b76cd9a4a145a2219a73725f72818d2c32fffd298962697acc7879218e094ad4f966225981e7cc7a875152598bb
SHA1 hash: a779843a8f713e34c5be29fe4246e56b1d6b40c3
MD5 hash: ed2cca37dd060c89cdcb9823e0b7be02
humanhash: minnesota-hawaii-dakota-december
File name: sms.exe
File size: 3'722'950 bytes
First seen: 2021-05-04 09:13:18 UTC
Last seen: 2021-05-04 10:02:27 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 4cfda23baf1e2e983ddfeca47a5c755a (33 x RedLineStealer, 6 x Dridex, 5 x NetSupport)
ssdeep: 98304:EF+WVtifrnekQTYTBT5t+md9cC1dbTT21TX0CYWwSdY:fKASUlT5t+md+i1TT6TkCYn
TLSH: 84063362B3F6D1B1D8171030ECB9D6319679FD310B915E8AFFE05A6E7EB4092832A705
Reporter: Anonymous
Tags: exe


Reporter comment (Anonymous): Retrieved from https://disk.yandex.ru/d/Vm2Q4omyiHm98

Intelligence


File Origin
# of uploads: 2
# of downloads: 107
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: sms.exe
Verdict: Malicious activity
Analysis date: 2021-05-04 09:08:21 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Verdict: Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Forced system process termination
Creating a window
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Sending a UDP request
Running batch commands
Launching a tool to kill processes
Forced shutdown of a system process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Blocking a possibility to launch for the Windows Task Manager (taskmgr)
Blocking a possibility to launch for the Windows registry editor (regedit.exe)
Enabling autorun
Result
Verdict: MALICIOUS
Details
Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 84 / 100
Signature
Antivirus detection for dropped file
Creates an undocumented autostart registry key
Disables the Windows registry editor (regedit)
Disables the Windows task manager (taskmgr)
Found PHP interpreter
Machine Learning detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: System File Execution Location Anomaly
Uses taskkill to terminate AV processes
Behaviour
Behavior Graph (image not reproduced; ID 403742, sample sms.exe, start date 04/05/2021, architecture WINDOWS, score 84). Recoverable nodes: sms.exe drops C:\Users\user\AppData\Local\Temp\...\sms.exe (PE32) and C:\Users\user\AppData\Local\...\php5ts.dll (PE32) and starts the dropped sms.exe; that child starts three cmd.exe instances and 9 other processes, each cmd.exe running taskkill.exe with a conhost.exe, with 14 further processes from the other branch. Signatures on the graph: Multi AV Scanner detection for submitted file, Found PHP interpreter, Sigma detected: System File Execution Location Anomaly, Antivirus detection for dropped file, Uses taskkill to terminate AV processes, Creates an undocumented autostart registry key, and 3 other signatures.
Threat name: Win32.Ransomware.FileCoder
Status: Malicious
First seen: 2021-05-04 09:14:10 UTC
AV detection: 15 of 47 (31.91%)
Threat level: 5/5
Verdict: suspicious
Result
Malware family: n/a
Score: 10/10
Tags: evasion persistence
Behaviour
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Modifies WinLogon
Loads dropped DLL
Disables RegEdit via registry modification
Disables Task Manager via registry modification
Executes dropped EXE
Modifies WinLogon for persistence
Unpacked files
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: AlternativesExample1
Rule name: Ping_Del_method_bin_mem
Author: James_inthe_box
Description: cmd ping IP nul del

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download: Executable exe f3d5013578835436d8cc1f82b7dcfd44e18737535f54fadcb4ea5ad18d8aee0c (this sample)
Delivery method: Distributed via web download

Comments



accidentalrebel commented on 2021-05-04 10:15:45 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0001.032] Anti-Behavioral Analysis::Timing/Delay Check GetTickCount
1) [B0009] Anti-Behavioral Analysis::Virtual Machine Detection
2) [C0029.002] Cryptography Micro-objective::SHA1::Cryptographic Hash
3) [C0029.003] Cryptography Micro-objective::SHA256::Cryptographic Hash
4) [C0031.001] Cryptography Micro-objective::AES::Decrypt Data
5) [C0027.009] Cryptography Micro-objective::RC4::Encrypt Data
6) [C0021.004] Cryptography Micro-objective::RC4 PRGA::Generate Pseudo-random Sequence
7) [C0032.001] Data Micro-objective::CRC32::Checksum
8) [C0026.002] Data Micro-objective::XOR::Encode Data
9) [C0030.001] Data Micro-objective::MurmurHash::Non-Cryptographic Hash
11) [C0046] File System Micro-objective::Create Directory
12) [C0048] File System Micro-objective::Delete Directory
13) [C0047] File System Micro-objective::Delete File
14) [C0049] File System Micro-objective::Get File Attributes
15) [C0051] File System Micro-objective::Read File
16) [C0050] File System Micro-objective::Set File Attributes
17) [C0052] File System Micro-objective::Writes File
18) [C0034.001] Operating System Micro-objective::Set Variable::Environment Variable
19) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
20) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
21) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
22) [C0036.001] Operating System Micro-objective::Set Registry Key::Registry
23) [C0040] Process Micro-objective::Allocate Thread Local Storage
24) [C0017] Process Micro-objective::Create Process
25) [C0038] Process Micro-objective::Create Thread
26) [C0041] Process Micro-objective::Set Thread Local Storage Value
27) [C0018] Process Micro-objective::Terminate Process