MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f442ad7ecf750caad3de8f8109768782532bfcb7a09221a72a7afc6519f79cfc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f442ad7ecf750caad3de8f8109768782532bfcb7a09221a72a7afc6519f79cfc
SHA3-384 hash: 18200ffc466c59feb2b54227c05988f5056e0eeec075d844f68d7cd3f9c5e278ecfca3bd983401548c92217922b4327a
SHA1 hash: 426cd5d1b966326ea1e894b3d935c74be13d822c
MD5 hash: 6904608bf1b22eb9aeca9d6bda4c99ad
humanhash: lima-lima-may-five
File name:mPw295QW0uX0MCBxL71452ie
Download: download sample
File size:6'247'424 bytes
First seen:2021-06-28 20:35:04 UTC
Last seen:2021-06-28 21:35:16 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash c0cc37fe3d7bd00205e28204da1ea30c
ssdeep 98304:ckkdyPhfS4IN9o108VyaYixBlGt5TkA+Y/EPRCfEJNTEZZGHec06usWLtX:ckpJa78u8VAirlircPRC8b6c0WEt
Threatray 48 similar samples on MalwareBazaar
TLSH 5856236362994109D0FDC93A8A337EE132F6072AC3836479BDED2AC630E59F4E513957
Reporter Anonymous
Tags:dll

Intelligence

File Origin
# of uploads :
3
# of downloads :
93
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/168625/
Detection(s):
SecuriteInfo.com.Heur.Kelios.1.28532.24814.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bc6faa84-77b2-48ba-bac6-5ced95a158f6
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/809018
Signature
Drops executables to the windows directory (C:\Windows) and starts them
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Obfuscated command line found
Overwrites code with function prologues
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction which cause usermode exception
Very long command line found
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 441429 Sample: mPw295QW0uX0MCBxL71452ie Startdate: 28/06/2021 Architecture: WINDOWS Score: 100 41 onedrive.live.com 2->41 43 nred0q.dm.files.1drv.com 2->43 45 dm-files.fe.1drv.com 2->45 55 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->55 57 Multi AV Scanner detection for submitted file 2->57 59 Machine Learning detection for sample 2->59 61 2 other signatures 2->61 9 loaddll32.exe 1 2->9         started        signatures3 process4 signatures5 69 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 9->69 71 Obfuscated command line found 9->71 73 Very long command line found 9->73 75 3 other signatures 9->75 12 rundll32.exe 9->12         started        15 rundll32.exe 3 4 9->15         started        19 rundll32.exe 9->19         started        21 5 other processes 9->21 process6 dnsIp7 77 System process connects to network (likely due to code injection or exploit) 12->77 79 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 12->79 81 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 12->81 89 2 other signatures 12->89 23 WerFault.exe 23 9 12->23         started        49 onedrive.live.com 15->49 51 nred0q.dm.files.1drv.com 15->51 53 dm-files.fe.1drv.com 15->53 37 C:\Windows\SysWOW64\outlook64.exe, PE32+ 15->37 dropped 39 C:\Windows\SysWOW64\outlook32.exe, PE32 15->39 dropped 83 Drops executables to the windows directory (C:\Windows) and starts them 15->83 85 Hides threads from debuggers 15->85 26 outlook64.exe 1 1 15->26         started        87 Overwrites code with function prologues 19->87 28 rundll32.exe 21->28         started        30 WerFault.exe 9 21->30         started        33 WerFault.exe 9 21->33         started        file8 signatures9 process10 dnsIp11 63 Tries to evade analysis by execution special instruction which cause usermode exception 23->63 65 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 28->65 67 Hides threads from debuggers 28->67 35 WerFault.exe 2 9 28->35         started        47 192.168.2.1 unknown unknown 30->47 signatures12 process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f442ad7ecf750caad3de8f8109768782532bfcb7a09221a72a7afc6519f79cfc/
Threat name:
Win32.Trojan.Kelios
Create hunting rule
Status:
Malicious
First seen:
2021-06-28 20:36:12 UTC
AV detection:
16 of 46 (34.78%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
22a49fd2468178e5b33cad08985adde50f0530a33260affc58bee6b2401005a9
2448bed4db497e26e9def8dc20369bfd843bcb0e73dab435fe61ead1cc2f869a
3e5bbf9fcae918011ec4eee75ac6402fddf20d09fef95b362d0e226d56b80f1d
477ea4ac94a63aa7e55baf53f5a0fba0e264f3c155f413edc03da1f5181d9999
790c213e1227adefd2d564217de86ac9fe660946e1240b5415c55770a951abfd
bfe5a7e03d6d57dae9d1eb74e5a1d837a04ac3c9c9822e1ee26c6a586c6a7342
eebd330208d3021ba7caf06e78588daaa3e9de826c373025aad1bea09a94865d
f822a951f06c56d5b907aa500c60a832faccbcb603a38a330cd53ad683a7adda
fb8a2b78f0d3139d8192dbeb925e8e8d13bf370540f2c7853107a8e4b3beac38
fc0eee220cef0c364edb4cb6ff45e12b2d3c035b2be1072c627e40c4a298ea72
+ 38 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/210628-xm293yrfne/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Unpacked files
SH256 hash:
2fbf78cd1972924c7516b0ddd04f8db23fe092ef583bb39df57d254ef1951702
MD5 hash:
5c08479d80d4424a0ac9c370acca49c4
SHA1 hash:
1401a5ad8059938afd977678db8489784dd98603
Link:
https://www.unpac.me/results/f60296a1-08fa-4cbb-8d54-043d90283951/
SH256 hash:
f442ad7ecf750caad3de8f8109768782532bfcb7a09221a72a7afc6519f79cfc
MD5 hash:
6904608bf1b22eb9aeca9d6bda4c99ad
SHA1 hash:
426cd5d1b966326ea1e894b3d935c74be13d822c
Link:
https://www.unpac.me/results/f60296a1-08fa-4cbb-8d54-043d90283951/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f442ad7ecf750caad3de8f8109768782532bfcb7a09221a72a7afc6519f79cfc

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Batch (bat) bat 07b823d46608cb550c01e93deef903cf3f311228a668bc93cfc69aec216d18a9

DLL dll f442ad7ecf750caad3de8f8109768782532bfcb7a09221a72a7afc6519f79cfc

(this sample)

  
Dropped by
SHA256 07b823d46608cb550c01e93deef903cf3f311228a668bc93cfc69aec216d18a9
  
Delivery method
Distributed via e-mail link
Cape
Cape
https://www.capesandbox.com/analysis/168625/

Comments