MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5fb20cca77d85fedf3653f24c8109d985c946955ad50ffd18bff9e33d64bc5ef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 5

SHA256 hash: 5fb20cca77d85fedf3653f24c8109d985c946955ad50ffd18bff9e33d64bc5ef
SHA3-384 hash: a0557ee4f1a85315d4c1e5ba421086e051256584f332b23a25bd7cd1d69e8f94eb510b56b4c64d76bc14e12ceb8708b7
SHA1 hash: a716ed5e7506e0c5f166c2635de55cc4a700c4c9
MD5 hash: 9450249ae964853a51d6b55cd55c373e
humanhash: early-friend-coffee-jupiter
File name: tq.exe
File size: 701'440 bytes
First seen: 2020-07-20 10:23:18 UTC
Last seen: 2020-07-21 09:56:19 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: fc4211025d2823f78625f41e8016b470 (1 x CoinMiner)
ssdeep: 12288:/mA7JUqGkJOUJdWwJwnTT9/QyzfJtws4YSrraj1gXna6aCPcLojbcf8FZ:FvJZr6B/lgYbdCPcIy
Threatray: 711 similar samples on MalwareBazaar
TLSH: 07E423C5D9144017E01E4378BDD3B6D1341A3E360E69054E2AE4FAFE79B93DB60607AD
Reporter: JAMESWT_WT

Intelligence


File Origin
# of uploads: 2
# of downloads: 78
Origin country: n/a

Vendor Threat Intelligence

Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 100 / 100
Behaviour
Behavior Graph ID: 248050
Sample: tq.exe
Startdate: 20/07/2020
Architecture: WINDOWS
Score: 100

Sample (root node):
  DNS/IP: pool.usa-138.com; www.362com.com
  Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 8 other signatures
  Started: tq.exe; RunDllExe.exe; RunDllExe.exe; 2 other processes

tq.exe:
  Dropped: C:\Users\user\Desktop\SQLA.exe (PE32); C:\Users\user\Desktop\MS20.exe (PE32+); C:\Users\user\Desktop\MS19.exe (PE32+); C:\Users\user\Desktop\MS17.exe (PE32)
  Started: SQLA.exe; MS19.exe; MS20.exe; MS17.exe

RunDllExe.exe (first instance):
  Signatures: Antivirus detection for dropped file; Contains functionality to inject code into remote processes; Writes to foreign memory regions
  Started: svchost.exe

RunDllExe.exe (second instance):
  Dropped: C:\Windows\Logs\RunDllExe_New.dll (PE32+); C:\Windows\Logs\RunDllExe_New (PE32); C:\Windows\Logs\RunDllExe.dll (PE32+); C:\Windows\Logs\RunDllExe (PE32)
  Signatures: Allocates memory in foreign processes; Injects a PE file into a foreign processes
  Started: svchost.exe

SQLA.exe:
  DNS/IP: 124.160.126.238 (ports 49722, 80; CHINA169-BACKBONECHINAUNICOMChina169BackboneCN, China); down.362com.com
  Dropped: C:\Windows\Logs\RunDllExe.exe (PE32); C:\Users\user\Desktop\x64.exe (PE32); C:\Users\user\AppData\Local\...\11[1].exe (PE32)
  Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
  Started: x64.exe; cacls.exe

MS19.exe:
  DNS/IP: 127.0.0.1
  Signatures: Antivirus detection for dropped file
  Started: conhost.exe

MS20.exe:
  Started: conhost.exe (which in turn started another conhost.exe)

MS17.exe:
  Started: conhost.exe

svchost.exe (started by the first RunDllExe.exe):
  DNS/IP: ssh.362com.com, 59.46.53.214 (port 22; CHINANET-BACKBONENo31Jin-rongStreetCN, China)
  Signatures: System process connects to network (likely due to code injection or exploit); Contains functionality to detect sleep reduction / modifications

x64.exe:
  Dropped: C:\Windows\Help\active_desktop_render.dll (PE32); C:\Windows\Cursors\WUDFhosts.exe (PE32+)
  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Creates a Windows Service pointing to an executable in C:\Windows
  Started: netsh.exe (three instances, each starting a conhost.exe); 7 other processes (starting three conhost.exe and 3 other processes)

cacls.exe:
  Started: conhost.exe
Threat name: Win32.PUA.FlyStudio
Status: Malicious
First seen: 2020-05-29 11:33:56 UTC
File Type: PE (Exe)
Extracted files: 53
AV detection: 27 of 29 (93.10%)
Threat level: 1/5

Result
Malware family: n/a
Score: 8/10
Tags: upx
Behaviour: UPX packed file
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: suspicious_packer_section
Author: @j0sm1
Description: The packer/protector section names/keywords
Reference: http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
  Executable exe 5fb20cca77d85fedf3653f24c8109d985c946955ad50ffd18bff9e33d64bc5ef (this sample)

Delivery method: Distributed via web download

Comments