MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ff550d834cbad023b595e724c47cb9fe47ba66af9a22992a9ea89a686fcbb66a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ff550d834cbad023b595e724c47cb9fe47ba66af9a22992a9ea89a686fcbb66a
SHA3-384 hash: 84d40db810ce8b1ab07b0b649a96f7d324eb2bb864a8df050845adb58f8f09ff0234f1106b4909d291905075f2934a2c
SHA1 hash: 5632bf4a127c114b51de7805b80eed89b4b96a15
MD5 hash: c6b9737dd5705a2ac1920c5cbac89abf
humanhash: carolina-burger-enemy-romeo
File name:c6b9737dd5705a2ac1920c5cbac89abf.exe
Download: download sample
File size:1'322'682 bytes
First seen:2021-05-11 07:12:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a1a66d588dcf1394354ebf6ec400c223 (49 x RedLineStealer, 7 x CryptBot, 4 x AZORult)
ssdeep 24576:v1qUuXZrleK2Jsz7vYTF6TdpnF1eVJix3wq8OZ9+aLTeX0OWBF:v1qUuXeTc7gTsT/ugww99Pey
Threatray 133 similar samples on MalwareBazaar
TLSH 065523B177C740BAC9A63A74089DB7A90779EB500F249BC7D3A40802BD71BD14BBD2D6
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
96
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/154893/
Detection(s):
PUA.Win.Downloader.Driverpack-6998194-0
Create hunting rule

PUA.Win.Adware.Generic-7505646-0
Create hunting rule

PUA.Win.File.Generic-7557964-0
Create hunting rule

SecuriteInfo.com.Gen.Variant.Jacard.184087.14432.10100.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% subdirectories
Launching a process
Creating a process with a hidden window
Running batch commands
Launching cmd.exe command interpreter
Creating a process from a recently created file
DNS request
Deleting a recently created file
Sending a UDP request
Adding an access-denied ACE
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
Sending an HTTP GET request
Sending a custom TCP request
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/778466
Signature
Connects to many ports of the same IP (likely port scanning)
Contains functionality to register a low level keyboard hook
Drops PE files with a suspicious file extension
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Obfuscated command line found
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Submitted sample is a known malware sample
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 410862 Sample: ez1GrEltKk.exe Startdate: 11/05/2021 Architecture: WINDOWS Score: 100 83 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->83 85 Multi AV Scanner detection for submitted file 2->85 87 Connects to many ports of the same IP (likely port scanning) 2->87 10 ez1GrEltKk.exe 7 2->10         started        13 xNBSMJllYe.exe.com 2->13         started        process3 signatures4 101 Contains functionality to register a low level keyboard hook 10->101 15 cmd.exe 1 10->15         started        18 makecab.exe 1 10->18         started        103 Drops PE files with a suspicious file extension 13->103 20 xNBSMJllYe.exe.com 6 13->20         started        process5 dnsIp6 109 Submitted sample is a known malware sample 15->109 111 Obfuscated command line found 15->111 113 Uses ping.exe to sleep 15->113 115 Uses ping.exe to check the status of other devices and networks 15->115 24 cmd.exe 3 15->24         started        27 conhost.exe 15->27         started        29 conhost.exe 18->29         started        73 KxYGnlNPQkvockntKh.KxYGnlNPQkvockntKh 20->73 59 C:\Windows\SysWOW64\...\xNBSMJllYe.exe.com, PE32 20->59 dropped 61 C:\Windows\SysWOW64\RegAsm.exe, PE32 20->61 dropped 31 schtasks.exe 1 20->31         started        file7 signatures8 process9 signatures10 97 Obfuscated command line found 24->97 99 Uses ping.exe to sleep 24->99 33 Diritto.exe.com 24->33         started        36 findstr.exe 1 24->36         started        39 PING.EXE 1 24->39         started        42 conhost.exe 31->42         started        process11 dnsIp12 79 Drops PE files with a suspicious file extension 33->79 81 Uses schtasks.exe or at.exe to add and modify task schedules 33->81 44 Diritto.exe.com 6 33->44         started        57 C:\Users\user\AppData\...\Diritto.exe.com, Targa 36->57 dropped 49 conhost.exe 36->49         started        75 127.0.0.1 unknown unknown 39->75 file13 signatures14 process15 dnsIp16 77 KxYGnlNPQkvockntKh.KxYGnlNPQkvockntKh 44->77 63 C:\Users\user\AppData\...\xNBSMJllYe.exe.com, PE32 44->63 dropped 65 C:\Users\user\AppData\Roaming\...\RegAsm.exe, PE32 44->65 dropped 105 Writes to foreign memory regions 44->105 107 Injects a PE file into a foreign processes 44->107 51 RegAsm.exe 15 4 44->51         started        55 schtasks.exe 1 44->55         started        file17 signatures18 process19 dnsIp20 67 116.203.253.214, 15647, 49720 HETZNER-ASDE Germany 51->67 69 eth0.me 5.132.162.27, 49721, 80 INTERNEX-ASAT Austria 51->69 71 192.168.2.1 unknown unknown 51->71 89 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 51->89 91 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 51->91 93 Tries to harvest and steal browser information (history, passwords, etc) 51->93 95 Queries memory information (via WMI often done to detect virtual machines) 51->95 signatures21
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ff550d834cbad023b595e724c47cb9fe47ba66af9a22992a9ea89a686fcbb66a/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-04-23 20:17:52 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
0868a2a7b5e276d3a4a40cdef994de934d33d62a689d7207a31fd57d012ef948
207be23ccd62d0e3d9aefe12f5c2ab142a42a25b1e246e27e0ae9087c2fe96d3
2cad1d5cd3e145f720e3da8825183d78545b834fe146a8d1ec26c0e876980a66
364bcd3b0a74ff15848f1e2c286922fb84ac88a85785e7821544b0539f4e1ff9
3f3ce1f91c8f439a2c903fa08544b08e21704a53c3ab260d3a0b8d3dea425020
830c5c98b459bc47ddb319f2262cb248fb9999a6115182b199bb4421f0897051
83c713b4f6938fb03c8ddbbfd0830b90aa9dc33cc8309f8866396860e4b59243
90a286ac5b49100aeb8038af277dbabc3853e6fe5557c19d5a64885f015596b1
ecee44992b84f86f98c14b5af66451c9e6306e7db33d038cef6d7292988da559
ff1441aa587cc6b6591a65bf0cc3bfee0902dc68816e861eaf4d6223e994b790
+ 123 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/210511-x7lge47932/
Behaviour
Creates scheduled task(s)
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Looks up external IP address via web service
Loads dropped DLL
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ff550d834cbad023b595e724c47cb9fe47ba66af9a22992a9ea89a686fcbb66a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe ff550d834cbad023b595e724c47cb9fe47ba66af9a22992a9ea89a686fcbb66a

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1219501/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/154893/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-11 08:10:05 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0009] Anti-Behavioral Analysis::Virtual Machine Detection
1) [F0002.001] Collection::Application Hook
2) [F0002.002] Collection::Polling
3) [C0029.003] Cryptography Micro-objective::SHA256::Cryptographic Hash
4) [C0032.001] Data Micro-objective::CRC32::Checksum
5) [C0026.002] Data Micro-objective::XOR::Encode Data
7) [C0046] File System Micro-objective::Create Directory
8) [C0048] File System Micro-objective::Delete Directory
9) [C0047] File System Micro-objective::Delete File
10) [C0049] File System Micro-objective::Get File Attributes
11) [C0051] File System Micro-objective::Read File
12) [C0050] File System Micro-objective::Set File Attributes
13) [C0052] File System Micro-objective::Writes File
14) [C0034.001] Operating System Micro-objective::Set Variable::Environment Variable
15) [C0017] Process Micro-objective::Create Process
16) [C0038] Process Micro-objective::Create Thread
17) [C0054] Process Micro-objective::Resume Thread
18) [C0018] Process Micro-objective::Terminate Process