MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 fa1462d4e6fce1dbb5c4813cd596555e3a583face9932e173af9913a421fb428. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
QQPass
Vendor detections: 8
| SHA256 hash: | fa1462d4e6fce1dbb5c4813cd596555e3a583face9932e173af9913a421fb428 |
|---|---|
| SHA3-384 hash: | d1f9080c52ab1ff0aa937e28cd4713f269cd4431533d2e50ab8541c49a589369454f967c2a94a5f6994ffad7bd36ddea |
| SHA1 hash: | cb4525243f5489c17bd010445efc80a1e38afc76 |
| MD5 hash: | b5e5b774f5228a39349ce7562d885f5f |
| humanhash: | leopard-mars-potato-oven |
| File name: | XMToolBox.exe |
| Download: | download sample |
| Signature | QQPass |
| File size: | 5'725'232 bytes |
| First seen: | 2021-05-04 14:47:24 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | 9306ecff6336b7eb91842185ceec62b2 (1 x QQPass) |
| ssdeep | 98304:SilGHlG4hCogJBAUZLGa6gayGklp45Qktpfu0eT+cXJwF5FLILc3zugm:ClDgJVR9lRUVy9JmdbjuT |
| Threatray | 19 similar samples on MalwareBazaar |
| TLSH | A7460202F782C4B2E11705704976573EEA31DE765B218E83B7A4FE696D333E1522B21E |
| Reporter |  vm001cn |
| Tags: | exe QQPass |
Intelligence
File Origin
# of uploads :
1
# of downloads :
123
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
fa1462d4e6fce1dbb5c4813cd596555e3a583face9932e173af9913a421fb428
Verdict:
Malicious activity
Analysis date:
2021-05-04 14:38:20 UTC
Tags:
n/a
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a window
Creating a file
Searching for the window
DNS request
Sending an HTTP POST request
Sending a UDP request
Searching for many windows
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
72 / 100
Signature
Antivirus / Scanner detection for submitted sample
Contains functionality to detect virtual machines (IN, VMware)
Contains functionality to infect the boot sector
Drops PE files to the document folder of the user
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Threat name:
Win32.Trojan.Wacatac
Status:
Malicious
First seen:
2021-05-04 14:48:12 UTC
AV detection:
27 of 47 (57.45%)
Threat level:
5/5
Verdict:
malicious
Similar samples:
+ 9 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
9/10
Tags:
upx
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Loads dropped DLL
UPX packed file
ACProtect 1.3x - 1.4x DLL software
Unpacked files
SH256 hash:
10ff1f898a987d5b44e8c4b44e14e721f889602bad3072ee3dd53acae6ec3306
MD5 hash:
e8aa6b307362e4a32ccf8bff71061896
SHA1 hash:
d6899a07976cb96eac3a4e4bf57dc263f064217e
SH256 hash:
cd8cf18dd06090db34393a7809675120dd4a7f1c44162fd3e018fe2f936925b8
MD5 hash:
c267f929da4d43a0e241449fd88ca891
SHA1 hash:
b2c0abef3c34eba7fa3c970e835c41fd8aa69a04
SH256 hash:
b581fcc82c0462d60286a80912ab2ce5aca7d7b11c5cff0b5f74716dbb7dc453
MD5 hash:
b60da4e2e5aceba3ce3d87ee2cd872ee
SHA1 hash:
9bbdbf1f3ce2c000a86e0473da756a4b1031db41
SH256 hash:
fa1462d4e6fce1dbb5c4813cd596555e3a583face9932e173af9913a421fb428
MD5 hash:
b5e5b774f5228a39349ce7562d885f5f
SHA1 hash:
cb4525243f5489c17bd010445efc80a1e38afc76
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | suspicious_packer_section |
|---|---|
| Author: | @j0sm1 |
| Description: | The packer/protector section names/keywords |
| Reference: | http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/ |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
No further information available
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0001.034] Anti-Behavioral Analysis::Anti-debugging Instructions
1) [B0001.025] Anti-Behavioral Analysis::Software Breakpoints
2) [B0001.032] Anti-Behavioral Analysis::Timing/Delay Check GetTickCount
3) [B0001.033] Anti-Behavioral Analysis::Timing/Delay Check QueryPerformanceCounter
4) [B0009.029] Anti-Behavioral Analysis::Instruction Testing
5) [B0009.025] Anti-Behavioral Analysis::Unique Hardware/Firmware Check - I/O Communication Port
6) [B0009] Anti-Behavioral Analysis::Virtual Machine Detection
7) [B0012.001] Anti-Static Analysis::Argument Obfuscation
8) [F0001.002] Anti-Behavioral Analysis::Standard Compression
9) [F0002.002] Collection::Polling
11) [B0030.002] Command and Control::Receive Data
12) [B0030.001] Command and Control::Send Data
13) [C0011.001] Communication Micro-objective::Resolve::DNS Communication
14) [C0002.009] Communication Micro-objective::Connect to Server::HTTP Communication
15) [C0002.012] Communication Micro-objective::Create Request::HTTP Communication
16) [C0002.017] Communication Micro-objective::Get Response::HTTP Communication
17) [C0002.003] Communication Micro-objective::Send Request::HTTP Communication
18) [C0001.011] Communication Micro-objective::Create TCP Socket::Socket Communication
19) [C0001.012] Communication Micro-objective::Get Socket Status::Socket Communication
20) [C0001.009] Communication Micro-objective::Initialize Winsock Library::Socket Communication
21) [C0001.006] Communication Micro-objective::Receive Data::Socket Communication
22) [C0001.007] Communication Micro-objective::Send Data::Socket Communication
23) [C0001.001] Communication Micro-objective::Set Socket Config::Socket Communication
24) [C0027.009] Cryptography Micro-objective::RC4::Encrypt Data
25) [C0028.002] Cryptography Micro-objective::RC4 KSA::Encryption Key
26) [C0021.004] Cryptography Micro-objective::RC4 PRGA::Generate Pseudo-random Sequence
27) [C0019] Data Micro-objective::Check String
28) [C0060] Data Micro-objective::Compression Library
29) [C0026.001] Data Micro-objective::Base64::Encode Data
30) [C0026.002] Data Micro-objective::XOR::Encode Data
32) [B0023] Execution::Install Additional Program
33) [C0046] File System Micro-objective::Create Directory
34) [C0049] File System Micro-objective::Get File Attributes
35) [C0051] File System Micro-objective::Read File
36) [C0050] File System Micro-objective::Set File Attributes
37) [C0052] File System Micro-objective::Writes File
38) [E1510] Impact::Clipboard Modification
39) [C0034.001] Operating System Micro-objective::Set Variable::Environment Variable
40) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
41) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
42) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
43) [C0036.001] Operating System Micro-objective::Set Registry Key::Registry
44) [C0040] Process Micro-objective::Allocate Thread Local Storage
45) [C0042] Process Micro-objective::Create Mutex
46) [C0017] Process Micro-objective::Create Process
47) [C0038] Process Micro-objective::Create Thread
48) [C0054] Process Micro-objective::Resume Thread
49) [C0041] Process Micro-objective::Set Thread Local Storage Value
50) [C0018] Process Micro-objective::Terminate Process
51) [C0039] Process Micro-objective::Terminate Thread