MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fd8d0936c29133e62a9bbfdbe89ebffa45f2601a62ff5bb931e6a172f40108d8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 7



SHA256 hash: fd8d0936c29133e62a9bbfdbe89ebffa45f2601a62ff5bb931e6a172f40108d8
SHA3-384 hash: 54b8f440004d4a3d453d3e220f8d565bf2125aca55854ee61ad957731aac8f7b2539fcfed2df53a3130d0ab7f69a3764
SHA1 hash: 14698cb142c5665ea10b9b4817f3705f67f9baee
MD5 hash: 26d3d8794ffbd75579a8a5d8d079fa84
humanhash: sixteen-undress-potato-carolina
File name: 26d3d8794ffbd75579a8a5d8d079fa84.exe
File size: 1'014'006 bytes
First seen: 2021-01-15 15:42:10 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep: 24576:Y2G/nvxW3WsTIWzqlqaHbpbkF6nXyho5L4qEfCW4KF6PXyGo5pq1f03w:YbA3DzzI/JkwGULhE7w1UE183w
Threatray: 366 similar samples on MalwareBazaar
TLSH: 9E251242BDC199B3D2710C31555DAB2161BDBC211F14AFEBA3D06E9DE6302C0AB35BA7
Reporter: abuse_ch
Tags: exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 138
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
DNS request
Sending a custom TCP request
Creating a process with a hidden window
Launching a process
Using the Windows Management Instrumentation requests
Sending a UDP request
Running batch commands
Sending an HTTP GET request
Reading critical registry keys
Changing a file
Replacing files
Creating a file
Deleting a recently created file
Unauthorized injection to a recently created process
Delayed reading of the file
Moving a recently created file
Launching a tool to kill processes
Stealing user critical data
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: phis.troj.evad
Score: 80 / 100
Signature
Antivirus detection for URL or domain
Modifies Chrome's extension installation force list
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: MSHTA Spawning Windows Shell
Uses known network protocols on non-standard ports
Uses regedit.exe to modify the Windows registry
Behaviour
Behavior Graph (ID 340332; sample kkToaAZ6Mm.exe; start date 15/01/2021; architecture WINDOWS; score 80), rendered here as a process tree:

Signatures on the start node: Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; Uses known network protocols on non-standard ports; 2 other signatures

kkToaAZ6Mm.exe (started)
  dropped: C:\Users\user\AppData\Local\Temp\...\main.exe (PE32+)
  dropped: C:\Users\user\AppData\Local\...\chrome64.bat (DOS)
  dropped: C:\Users\user\AppData\...\vcruntime140_1.dll (PE32+)
  main.exe (started)
    signature: Multi AV Scanner detection for dropped file
    network: 35.220.162.170 (ports 49713, 49731, 8070) GOOGLEUS, United States
    network: www.deekqon35bs0.com / 172.67.193.215 (ports 49714, 49722, 80) CLOUDFLARENETUS, United States
    network: 2 other IPs or domains
    regedit.exe (started)
      signature: Modifies Chrome's extension installation force list
    cmd.exe (started)
      mshta.exe (started)
        cmd.exe (started)
          chrome.exe (started)
            network: 239.255.255.250 unknown, Reserved
            chrome.exe (started)
              network: googlehosted.l.googleusercontent.com / 216.58.215.225 (ports 443, 49733) GOOGLEUS, United States
              network: 192.168.2.6 (ports 443, 49448, 49678) unknown
              network: clients2.googleusercontent.com
          conhost.exe (started)
      conhost.exe (started)
    taskkill.exe (started)
      conhost.exe (started)
    regedit.exe (started)
Threat name: Win32.Trojan.Rasftuby
Status: Malicious
First seen: 2021-01-08 08:28:17 UTC
AV detection: 21 of 28 (75.00%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: spyware
Behaviour
Kills process with taskkill
Modifies Internet Explorer settings
Runs .reg file with regedit
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Unpacked files
SHA256 hash: fd8d0936c29133e62a9bbfdbe89ebffa45f2601a62ff5bb931e6a172f40108d8
MD5 hash: 26d3d8794ffbd75579a8a5d8d079fa84
SHA1 hash: 14698cb142c5665ea10b9b4817f3705f67f9baee
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe fd8d0936c29133e62a9bbfdbe89ebffa45f2601a62ff5bb931e6a172f40108d8 (this sample)

Delivery method: Distributed via web download

Comments