MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f8ab78e1db3a3cc3793f7680a90dc1d8ce087226ef59950b7acd6bb1beffd6e3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Kimsuky


Vendor detections: 10



SHA256 hash: f8ab78e1db3a3cc3793f7680a90dc1d8ce087226ef59950b7acd6bb1beffd6e3
SHA3-384 hash: df7c7efa43cba328f81328459441b06e582475f7fc9c270ee8bfed5ade9eb5febb565869ec911ceabe1150210147a0cd
SHA1 hash: 4eea45c22881a092ac7a8b0a5379076d5803e83e
MD5 hash: 7b6d02a459fdaa4caa1a5bf741c4bd42
humanhash: steak-august-robert-bluebird
File name: 7b6d02a459fdaa4caa1a5bf741c4bd42.exe
Download: download sample
Signature: Kimsuky
File size: 24'609'176 bytes
First seen: 2024-01-09 09:29:57 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 6d1a6e157cb22b9fb75e1d61b4881eb5 (1 x Kimsuky)
ssdeep 393216:zCTLRrqyYTljCQppkgSGlNoggc7k18J1unrY+M4ZtquYfZZrjMaDF1i:zCTLI3TZCQKGlZgc7k181W7fFOjMQ1i
Threatray 1 similar samples on MalwareBazaar
TLSH T1324723F8BA5E6C62EE2F8878E45265411D14B934D7AC8DF3024AE1F066723E017375EB
TrID 63.5% (.EXE) Win64 Executable (generic) (10523/12/4)
12.2% (.EXE) OS/2 Executable (generic) (2029/13)
12.0% (.EXE) Generic Win/DOS Executable (2002/3)
12.0% (.EXE) DOS Executable Generic (2000/1)
dhash icon cc92a6b2b2b2aed4 (3 x Kimsuky)
Reporter smica83
Tags:apt exe Kimsuky signed

Code Signing Certificate

Organisation: D2innovation Co.,LTD
Issuer: Sectigo Public Code Signing CA R36
Algorithm: sha384WithRSAEncryption
Valid from: 2023-03-02T00:00:00Z
Valid to: 2025-04-03T23:59:59Z
Serial number: 8890cab1cd510cd20dab4ce5948cbc3a
Intelligence: 8 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm: SHA256
Thumbprint: 37320e24baa50e63b0a1dfe513922333d5a622254a4b2bcd116a24f43e52a101
Note: this thumbprint is the SHA-256 fingerprint of the signer certificate; the Windows certificate viewer and Get-AuthenticodeSignature show the SHA-1 fingerprint, so match on the serial number or recompute the SHA-256 fingerprint when hunting for other binaries signed with this certificate.
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 1
# of downloads: 424
Origin country: HU
Vendor Threat Intelligence
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a file in the %temp% directory
Creating a file in the %AppData% subdirectories
Creating a file
Running batch commands
Launching a process
Creating a process with a hidden window
Creating a process from a recently created file
Creating a window
Searching for the window
DNS request
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control lolbin obfuscated overlay packed redcap
Result
Threat name:
HackBrowserData Tool
Detection:
malicious
Classification:
troj.evad
Score:
58 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Detected VMProtect packer
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
Sigma detected: Execute DLL with spoofed extension
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected HackBrowserData Tool
Behaviour
Behavior Graph (ID 1371687, sample y7r6p7Z15U.exe, start date 09/01/2024, architecture WINDOWS, score 58), flattened from the rendered graph:

Network
  qi.limsjo.p-e.kr
  ai.limsjo.p-e.kr

Signatures on the submitted sample
  Malicious sample detected (through community Yara rule)
  Antivirus detection for URL or domain
  Antivirus / Scanner detection for submitted sample
  5 other signatures

Process tree (dropped files and signatures are listed under the process that produced them)
y7r6p7Z15U.exe
  dropped: C:\Users\user\Desktop\NXTPKIENTS.exe (PE32)
  dropped: C:\Users\user\AppData\...\hc-18c4c7a8.png (PE32+)
  rundll32.exe
    dropped: C:\Users\user\.tmp\863648820.ps1 (Unicode)
    Overwrites code with unconditional jumps - possibly setting hooks in foreign process
    Bypasses PowerShell execution policy
    Uses schtasks.exe or at.exe to add and modify task schedules
    Tries to detect virtualization through RDTSC time measurements
    powershell.exe
      conhost.exe
    schtasks.exe
      conhost.exe
    schtasks.exe
      conhost.exe
  NXTPKIENTS.exe
    dropped: C:\Users\user\AppData\...\NXTPKIENTS.tmp (PE32)
    NXTPKIENTS.tmp
      dropped: C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
      taskkill.exe
        conhost.exe
      taskkill.exe
        conhost.exe
      taskkill.exe
        conhost.exe
      5 other processes
        conhost.exe (3 instances), 2 other processes
  cmd.exe
    conhost.exe
Threat name:
Win64.Trojan.TrollAgent
Status:
Malicious
First seen:
2024-01-08 04:26:52 UTC
File Type:
PE+ (Exe)
Extracted files:
1796
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Behaviour
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Checks computer location settings
Deletes itself
Executes dropped EXE
Loads dropped DLL
Please note that we are no longer able to provide a coverage score for Virus Total.
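The sandbox chain above (rundll32.exe loading a PE32+ renamed to .png, a dropped .ps1 run with the execution policy bypassed, schtasks.exe persistence, taskkill.exe from the installer) is the kind of sequence a detection engineer would want to catch from process-creation telemetry rather than from the file hash alone. The following is an added example, not MalwareBazaar's or any vendor's code: it classifies Sysmon Event ID 1 style records (pid, ppid, image, command line), then correlates hits up to the root process so one dropper gets one verdict. The events are constructed; the full path of hc-18c4c7a8.png (the report shows only AppData\...), the rundll32 export name, the task name and schedule, and the taskkill target are assumptions.

```python
"""Process-chain detection for the behaviours in the sandbox report above.

Added example (not MalwareBazaar or sandbox-vendor code). EVENTS is a
constructed Sysmon Event ID 1 style log; elided paths, export names, task
names and taskkill targets are assumptions, not values from the sample.
"""
import ntpath
import re
from collections import defaultdict

# Extensions rundll32 is legitimately asked to load; anything else is a
# spoofed extension (the sample makes rundll32 load a PE32+ named *.png).
DLL_EXTENSIONS = {".dll", ".cpl", ".ocx", ".ax"}

EVENTS = [  # constructed, not captured from the sample
    {"pid": 10, "ppid": 2, "image": r"C:\Users\user\Desktop\y7r6p7Z15U.exe",
     "cmdline": r'"C:\Users\user\Desktop\y7r6p7Z15U.exe"'},
    # full path and export name assumed; report shows AppData\...\hc-18c4c7a8.png
    {"pid": 13, "ppid": 10, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\user\AppData\Local\Temp\hc-18c4c7a8.png,Run"},
    {"pid": 21, "ppid": 13,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\Users\user\.tmp\863648820.ps1"},
    # task name and schedule assumed
    {"pid": 23, "ppid": 13, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /f /tn Update /tr "rundll32 C:\Users\user\AppData\Local\Temp\hc-18c4c7a8.png,Run" /sc minute /mo 10'},
    {"pid": 17, "ppid": 10, "image": r"C:\Users\user\Desktop\NXTPKIENTS.exe",
     "cmdline": "NXTPKIENTS.exe"},
    {"pid": 27, "ppid": 17, "image": r"C:\Users\user\AppData\Local\Temp\NXTPKIENTS.tmp",
     "cmdline": "NXTPKIENTS.tmp"},
    # taskkill target assumed
    {"pid": 38, "ppid": 27, "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": "taskkill.exe /f /im chrome.exe"},
    # benign controls: an ordinary rundll32 use and an ordinary PowerShell run
    {"pid": 99, "ppid": 1, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"pid": 98, "ppid": 1,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Date"},
]

# image token (quoted or bare), then the first argument (quoted or bare)
_FIRST_ARG = re.compile(r'^(?:"[^"]*"|\S+)\s+(?:"([^"]*)"|(\S+))')


def rundll32_module(cmdline):
    """Return the module path rundll32 was asked to load, or None."""
    m = _FIRST_ARG.match(cmdline)
    if not m:
        return None
    arg = m.group(1) or m.group(2)
    return arg.rsplit(",", 1)[0]  # drop the ",EntryPoint" suffix


def classify(event):
    """Map one process-creation event to the report signatures it triggers."""
    exe = ntpath.basename(event["image"]).lower()
    cmd = event["cmdline"]
    hits = []
    if exe == "rundll32.exe":
        module = rundll32_module(cmd)
        if module and ntpath.splitext(module)[1].lower() not in DLL_EXTENSIONS:
            hits.append("dll_with_spoofed_extension")
    elif exe == "powershell.exe" and re.search(
            r"(?i)-(?:ep|ex\w*)\s+(?:bypass|unrestricted)", cmd):
        hits.append("powershell_execution_policy_bypass")
    elif exe == "schtasks.exe" and re.search(r"(?i)\s/(?:create|change)\b", cmd):
        hits.append("schtasks_persistence")
    elif exe == "taskkill.exe" and re.search(r"(?i)\s/(?:im|pid)\b", cmd):
        hits.append("taskkill")
    return hits


def root_of(pid, parents):
    """Follow ppid links up to the first process whose parent we never saw."""
    seen = set()
    while parents.get(pid) in parents and pid not in seen:
        seen.add(pid)
        pid = parents[pid]
    return pid


def correlate(events):
    """Group distinct hits by root process: {root_pid: sorted hit names}."""
    parents = {e["pid"]: e["ppid"] for e in events}
    by_root = defaultdict(set)
    for e in events:
        for hit in classify(e):
            by_root[root_of(e["pid"], parents)].add(hit)
    return {root: sorted(hits) for root, hits in by_root.items()}


def verdict(events, threshold=2):
    """Root processes whose tree shows at least `threshold` distinct signatures."""
    return {r: h for r, h in correlate(events).items() if len(h) >= threshold}


if __name__ == "__main__":
    for root, hits in verdict(EVENTS).items():
        print(f"pid {root}: {', '.join(hits)}")
```

Correlating to the root rather than alerting per process matters here: each individual technique (rundll32, an execution-policy bypass, a scheduled task, taskkill) has benign uses, but the dropper's tree accumulating all four is what distinguishes this chain from an installer. The constructed control events (a normal shell32.dll Control Panel launch and a plain PowerShell command) produce no hits.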

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:PE_Digital_Certificate
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Author:albertzsigovits
Rule name:SUSP_XORed_MSDOS_Stub_Message
Author:Florian Roth
Description:Detects suspicious XORed MSDOS stub message
Reference:https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments