MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f6ef3e58813125018e32f84cc5d176716308c74e73472d0afef3e8d9ecd34060. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CMSBrute

Vendor detections: 10

Intelligence 10 IOCs YARA 3 File information Comments 1

SHA256 hash:	f6ef3e58813125018e32f84cc5d176716308c74e73472d0afef3e8d9ecd34060
SHA3-384 hash:	58702af6adedfeb823b0d5ca3f009073ecb7a7df4f6612c16b12897e74334f2e3d1d57d86afdd401c7fd54f886d14239
SHA1 hash:	ef6b103f38204f4e5b24c82d7febf2008901884b
MD5 hash:	1260a7727e55fc5852445e83cf622ed2
humanhash:	venus-bulldog-washington-cat
File name:	1260a7727e55fc5852445e83cf622ed2
Download:	download sample
Signature	CMSBrute Create hunting rule
File size:	1'716'224 bytes
First seen:	2021-11-19 21:32:53 UTC
Last seen:	2021-11-21 04:14:53 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	d8d57c6d7c1f3570e93e87f831cb3f7a (2 x RedLineStealer, 1 x Formbook, 1 x CMSBrute)
ssdeep	49152:uxBKV53CIAXUQu1DB4AngQmoNDZOYxnNesoRIG:kKV53JbQoDBVkoNDZFxnTm
TLSH	T13A85333472A1D8E1F4996A3494719FE825ECF5A12366508F1BFC238A2D71ED00F797B2
File icon (PE):
dhash icon	fcfcf4f4d4d4d8c0 (12 x RedLineStealer, 12 x RaccoonStealer, 3 x Smoke Loader)
Reporter	zbetcheckin
Tags:	32 CMSBrute exe

Intelligence

File Origin

# of uploads :

# of downloads :

144

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

1260a7727e55fc5852445e83cf622ed2

Verdict:

Malicious activity

Analysis date:

2021-11-19 21:34:16 UTC

Tags:

trojan opendir

Link:

https://app.any.run/tasks/ab14c1e2-6160-4b2b-829d-507fb2d664c6

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Gathering data

Detection(s):

SecuriteInfo.com.Trojan.Siggen15.46460.6660.13189.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Creating a file

Enabling the 'hidden' option for recently created files

Creating a file in the %temp% subdirectories

Moving a file to the %temp% subdirectory

DNS request

Sending a custom TCP request

Delayed writing of the file

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Sending a TCP request to an infection source

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/6198181243e8f62b669af84e/reports/5d227a9c-ff54-4632-a12a-22266484ba26/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/730d494f-c338-41cc-afbf-6c23ffbe0292

Result

Threat name:

Unknown

Detection:

malicious

Classification:

troj.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/892941

Signature

Connects to many different private IPs (likely to spread or exploit)

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to inject code into remote processes

Delayed program exit found

Drops PE files with benign system names

Found Tor onion address

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

May use the Tor software to hide its network traffic

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: System File Execution Location Anomaly

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to resolve many domain names, but no domain seems valid

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f6ef3e58813125018e32f84cc5d176716308c74e73472d0afef3e8d9ecd34060/

Threat name:

Win32.Ransomware.StopCrypt

Status:

Malicious

First seen:

2021-11-19 13:33:44 UTC

AV detection:

22 of 27 (81.48%)

Threat level:

5/5

Verdict:

malicious

Result

Malware family:

n/a

Score:

8/10

Tags:

persistence upx

Link:

https://tria.ge/reports/211119-1d6qrsefe4/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Adds Run key to start application

UPX packed file

Unpacked files

SH256 hash:

470fbd6b2f1d7bdc0d42693817e089dcad9040b9faec229bc64a1acd3e9a61dc

MD5 hash:

6aeccb3b2ace81ecca8b5214de9ca039

SHA1 hash:

dc94ca10e836a231dc6abad725b9c4f4a9e98ce7

Link:

https://www.unpac.me/results/044a0f37-08a8-4ef8-94bd-bc95a118b1b2/

SH256 hash:

f6ef3e58813125018e32f84cc5d176716308c74e73472d0afef3e8d9ecd34060

MD5 hash:

1260a7727e55fc5852445e83cf622ed2

SHA1 hash:

ef6b103f38204f4e5b24c82d7febf2008901884b

Link:

https://www.unpac.me/results/044a0f37-08a8-4ef8-94bd-bc95a118b1b2/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

CMSBrute

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f6ef3e58813125018e32f84cc5d176716308c74e73472d0afef3e8d9ecd34060

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Havex Create hunting rule

Rule name:	Netwalker Create hunting rule
Author:	Marius 'f0wL' Genheimer <hello@dissectingmalwa.re>
Description:	Detects Netwalker Ransomware
Reference:	https://github.com/f0wl/configwalker