MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3b6888d30e34ab5f977345c962d76f352483f6138a89079061839af1f553ca18. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Adware.Generic
Vendor detections: 3

SHA256 hash: 3b6888d30e34ab5f977345c962d76f352483f6138a89079061839af1f553ca18
SHA3-384 hash: 4392a991c3a23d80f5a413f369d27aba183dd9be30a39610c32f3121f32ab907ef03ca043a403b15d6149cdb7cf56812
SHA1 hash: 7a2901ebc4eb5fdf7ea6ad87b269fb5f8f14c7d0
MD5 hash: 4218c067f33afee9b1b50b2e9b077b45
humanhash: single-may-summer-yellow
File name: 3b6888d30e34ab5f977345c962d76f352483f6138a89079061839af1f553ca18
Signature: Adware.Generic
File size: 16'795'835 bytes
First seen: 2020-06-03 09:30:11 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 41d4c56009e4f7c74b5cb4a5919d9f05 (7 x CoinMiner, 1 x Adware.Generic)
ssdeep: 196608:ylTPemknGzwHdOgEPHd9BYX/nivPlTXTYP:a3jz0E52/iv1
Threatray: 63 similar samples on MalwareBazaar
TLSH: 32070222B65084B1D1CA017055FB5B37AAB976190B24F5CFB79CCD6A2F32390EE36319
Reporter: raashidbhatt
Tags: Adware.Generic exe
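Before doing anything with a downloaded sample, check that the file that arrived is the one this entry describes. The script below is an added example, not MalwareBazaar's own code: it recomputes the four digests listed above (SHA256, SHA3-384, SHA1, MD5) in a single pass over the file and compares them, together with the file size, to the values copied from the entry. The only assumption is that the sample path is passed as the first command-line argument. imphash, ssdeep and TLSH are left out because they need third-party libraries (pefile, ssdeep, tlsh).

```python
"""Verify a downloaded sample against the digests listed in the entry.

Added example (not MalwareBazaar code). All four digests are fed from one
read of the file, so a 16 MB sample is read once.
"""
import hashlib
import sys
from pathlib import Path

# Values copied from the database entry above.
ENTRY_EXPECTED = {
    "sha256": "3b6888d30e34ab5f977345c962d76f352483f6138a89079061839af1f553ca18",
    "sha3_384": "4392a991c3a23d80f5a413f369d27aba183dd9be30a39610c32f3121f32ab907"
                "ef03ca043a403b15d6149cdb7cf56812",
    "sha1": "7a2901ebc4eb5fdf7ea6ad87b269fb5f8f14c7d0",
    "md5": "4218c067f33afee9b1b50b2e9b077b45",
    "size": 16795835,
}

ALGORITHMS = ("sha256", "sha3_384", "sha1", "md5")


def compute_hashes(chunks):
    """Feed an iterable of byte chunks to every digest at once.

    Returns {algorithm: hexdigest, ..., "size": total_bytes}.
    """
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    total = 0
    for chunk in chunks:
        total += len(chunk)
        for h in hashers.values():
            h.update(chunk)
    result = {name: h.hexdigest() for name, h in hashers.items()}
    result["size"] = total
    return result


def hashes_of_bytes(data):
    return compute_hashes([data])


def hashes_of_file(path, chunk_size=1 << 20):
    def chunks():
        with open(path, "rb") as f:
            while True:
                block = f.read(chunk_size)
                if not block:
                    return
                yield block
    return compute_hashes(chunks())


def verify(actual, expected):
    """Compare computed values with expected ones (hex compared case-insensitively).

    Returns {name: bool for each expected key, "all_match": bool}. Any mismatch
    means the file is not the sample the entry describes; do not treat the
    entry's vendor verdicts or behaviour list as applying to it.
    """
    report = {}
    for name, want in expected.items():
        got = actual.get(name)
        report[name] = got is not None and str(got).lower() == str(want).lower()
    report["all_match"] = all(report.values())
    return report


if __name__ == "__main__":
    sample = Path(sys.argv[1])          # assumption: path given on the command line
    actual = hashes_of_file(sample)
    report = verify(actual, ENTRY_EXPECTED)
    for name in ALGORITHMS:
        print(f"{name:9s} {'OK ' if report[name] else 'BAD'} {actual[name]}")
    print(f"size      {'OK ' if report['size'] else 'BAD'} {actual['size']} bytes")
    sys.exit(0 if report["all_match"] else 1)
```

Run it as `python verify_sample.py <downloaded file>`; a non-zero exit means at least one digest or the size differs from the entry.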

Intelligence


File Origin
# of uploads: 1
# of downloads: 81
Origin country: n/a
Vendor Threat Intelligence
Threat name: Win32.Trojan.Equationdrug
Status: Malicious
First seen: 2020-06-04 04:29:39 UTC
AV detection: 40 of 48 (83.33%)
Threat level: 2/5
Result
Malware family: n/a
Score: 10/10
Tags: discovery evasion persistence upx
Behaviour
Creates scheduled task(s)
Modifies data under HKEY_USERS
Runs net.exe
Runs ping.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies registry class
NSIS installer
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Modifies service
Checks installed software on the system
JavaScript code in executable
Looks up external IP address via web service
Loads dropped DLL
Drops file in Drivers directory
Executes dropped EXE
Modifies Windows Firewall
UPX packed file
Sets file execution options in registry
ServiceHost packer
Suspicious use of NtCreateUserProcessOtherParentProcess
Please note that MalwareBazaar is no longer able to provide a coverage score for VirusTotal.
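The behaviour list above is what the sandbox observed; to hunt for the same behaviours in your own process-creation telemetry you need command-line heuristics. The block below is an added example, not MalwareBazaar or sandbox code. It scans constructed Sysmon-style records (image, command line, parent) for the patterns behind several of the listed behaviours: cmd.exe running ping and then del (the ping-as-sleep self-deletion idiom the YARA description "cmd ping IP nul del" refers to), sc.exe service creation, schtasks creation, netsh firewall rule changes, net.exe commands, and writes to Image File Execution Options. The regexes and the sample records are assumptions about how these behaviours typically look on the command line; none of them is taken from this sample.

```python
"""Command-line heuristics for the sandbox behaviours listed above.

Added example, not MalwareBazaar or sandbox code. Records mimic Sysmon
Event ID 1 / Windows 4688 process-creation events. The sample records are
constructed and the patterns are assumptions about how these behaviours
typically surface, not data from this sample.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    image: str          # full path of the created process
    command_line: str
    parent_image: str   # full path of the creating process


# (rule name, regex on the image basename, regex on the command line)
RULES = [
    # "Runs ping.exe" from cmd.exe followed by del: ping used as a sleep so the
    # dropper can delete itself after it has exited.
    ("self_delete_via_ping", r"^cmd\.exe$", r"\bping\b.*>\s*nul\b.*\bdel\b"),
    # "Launches sc.exe" / "Modifies service"
    ("service_create_or_config", r"^sc\.exe$", r"\b(create|config|failure)\b"),
    # "Creates scheduled task(s)"
    ("scheduled_task_create", r"^schtasks\.exe$", r"/create\b"),
    # "Modifies Windows Firewall"
    ("firewall_rule_change", r"^netsh\.exe$",
     r"\b(advfirewall\s+firewall|firewall)\b.*\b(add|set)\b"),
    # "Runs net.exe" (service or account manipulation)
    ("net_command", r"^net1?\.exe$", r"\b(start|stop|user|localgroup)\b"),
    # "Sets file execution options in registry" (IFEO debugger hijack)
    ("ifeo_debugger_set", r"^reg\.exe$", r"image file execution options"),
]
COMPILED = [(n, re.compile(i, re.I), re.compile(c, re.I | re.S)) for n, i, c in RULES]


def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def match_event(ev):
    """Return the names of all rules a single event satisfies."""
    name = basename(ev.image)
    return [rule for rule, img_re, cmd_re in COMPILED
            if img_re.search(name) and cmd_re.search(ev.command_line)]


def scan(events):
    """Flat list of findings over a sequence of ProcEvent records."""
    return [{"rule": rule, "image": ev.image, "parent": ev.parent_image,
             "command_line": ev.command_line}
            for ev in events for rule in match_event(ev)]


def by_parent(findings):
    """Group distinct rule hits by the parent that spawned them. Several
    distinct behaviours under one parent is the signal; a lone hit is noise."""
    groups = defaultdict(set)
    for f in findings:
        groups[f["parent"]].add(f["rule"])
    return {parent: sorted(rules) for parent, rules in groups.items()}


# Constructed records (not real telemetry) resembling the listed behaviours.
DROPPER = r"C:\Users\u\AppData\Local\Temp\setup.exe"
SVC = r"C:\Program Files\Updater\svc.exe"
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              'cmd.exe /c ping 127.0.0.1 -n 3 > nul & del "%s"' % DROPPER, DROPPER),
    ProcEvent(r"C:\Windows\System32\sc.exe",
              'sc.exe create UpdaterSvc binPath= "%s" start= auto' % SVC, DROPPER),
    ProcEvent(r"C:\Windows\System32\schtasks.exe",
              'schtasks.exe /create /sc onlogon /tn Updater /tr "%s"' % SVC, DROPPER),
    ProcEvent(r"C:\Windows\System32\netsh.exe",
              'netsh.exe advfirewall firewall add rule name=Updater dir=in '
              'action=allow program="%s"' % SVC, DROPPER),
    ProcEvent(r"C:\Windows\System32\net.exe", "net.exe start UpdaterSvc", DROPPER),
    ProcEvent(r"C:\Windows\System32\reg.exe",
              r'reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
              r'\Image File Execution Options\taskmgr.exe" /v Debugger /t REG_SZ /d "%s"' % SVC,
              DROPPER),
    # ping.exe itself, spawned by cmd.exe: not suspicious in isolation.
    ProcEvent(r"C:\Windows\System32\ping.exe", "ping 127.0.0.1 -n 3",
              r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for parent, rules in by_parent(scan(SAMPLE_EVENTS)).items():
        print(f"{parent}: {len(rules)} behaviours -> {', '.join(rules)}")
```

Each rule on its own fires on plenty of legitimate administration; the grouping by parent is what turns six separate hits into one dropper that deletes itself, installs a service, opens the firewall and sets an IFEO debugger.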

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they create during analysis. Only results from TLP:CLEAR rules are displayed. A listed match means the rule's strings or conditions were found in the sample or in a dump; on its own it is not a family attribution, which is worth keeping in mind when an adware-labelled NSIS installer matches Mimikatz, IcedID and Datper rules.

Rule name: APT32_KerrDown

Rule name: ccrewQAZ
Author: AlienVault Labs

Rule name: Choice_Del_method_bin_mem
Author: James_inthe_box
Description: cmd ping IP nul del

Rule name: Datper
Author: JPCERT/CC Incident Response Group
Description: detect Datper in memory
Reference: https://blogs.jpcert.or.jp/en/2017/08/detecting-datper-malware-from-proxy-logs.html

Rule name: Embedded_PE

Rule name: IceID_Bank_trojan
Author: unixfreaxjp
Description: Detects IcedID, adjusted several times

Rule name: mimikatz
Author: Benjamin DELPY (gentilkiwi)
Description: mimikatz

Rule name: Mimikatz_Strings
Author: Florian Roth
Description: Detects Mimikatz strings
Reference: not set

Rule name: Ping_Command_in_EXE
Author: Florian Roth
Description: Detects a suspicious ping command execution in an executable
Reference: Internal Research

Rule name: win_mimikatz_w0
Author: Benjamin DELPY (gentilkiwi)
Description: mimikatz

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments