MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 001b1e6a60f512808cbaea7d6be9d2303ede9e1effc6451724f5d69d68ceaa14. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



CoinMiner


Vendor detections: 13



SHA256 hash: 001b1e6a60f512808cbaea7d6be9d2303ede9e1effc6451724f5d69d68ceaa14
SHA3-384 hash: a97d65546c6a34b754e94c2c6a30ae0f65d26b7bcdee2b1348a42cc5e84fe2d2dc2fc7b35eef01bc7a87127b8a7c1df1
SHA1 hash: ab1112be6099078c62bca22f44aa91d727084a04
MD5 hash: d2c8ae12e59a4a4ea508db4c6fa036b8
humanhash: item-september-asparagus-mango
File name: 001b1e6a60f512808cbaea7d6be9d2303ede9e1effc6451724f5d69d68ceaa14
Signature: CoinMiner
File size: 41'236'031 bytes
First seen: 2025-02-21 13:04:49 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 72c4e339b7af8ab1ed2eb3821c98713a (50 x BlankGrabber, 26 x PythonStealer, 7 x LunaStealer)
ssdeep 786432:0DIjXH0oq+wzHhIm9/P3J7qoQYFjfrsZ7Iz8+lBOde6fBBrZ:0DAX0lzB/9/vJ7XJTsNIJB8BBrZ
Threatray 40 similar samples on MalwareBazaar
TLSH T1EA973358A3847E94F1F956B9A46745A6F3F3761043E0D3B31F8987800EAF658182BF1B
TrID 70.8% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
12.9% (.EXE) Win64 Executable (generic) (10522/11/4)
6.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
2.5% (.ICL) Windows Icons Library (generic) (2059/9)
2.4% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
dhash icon 92e0b496a6cada72 (12 x RedLineStealer, 7 x RaccoonStealer, 5 x BlankGrabber)
Reporter JAMESWT_WT
Tags: CoinMiner exe Lorem ipsum

Intelligence


File Origin
# of uploads: 1
# of downloads: 298
Origin country: IT
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 001b1e6a60f512808cbaea7d6be9d2303ede9e1effc6451724f5d69d68ceaa14.exe
Verdict: No threats detected
Analysis date: 2025-02-21 13:11:55 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.9%
Tags: autorun cobalt
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Restart of the analyzed sample
Creating a window
Running batch commands
Creating a process from a recently created file
Searching for the window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file
Creating a process with a hidden window
DNS request
Connection attempt
Sending a custom TCP request
Enabling the 'hidden' option for recently created files
Sending an HTTP GET request
Unauthorized injection to a recently created process
Adding an exclusion to Microsoft Defender
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: expand lolbin microsoft_visual_cc obfuscated overlay packed packer_detected
Result
Verdict: UNKNOWN
Result
Threat name: HackBrowser, DCRat, Discord Token Steale
Detection: malicious
Classification: spre.troj.spyw.expl.evad.mine
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to capture screen (.Net source)
Contains functionality to log keystrokes (.Net Source)
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Creates processes via WMI
Detected unpacking (creates a PE file in dynamic memory)
Drops PE files with benign system names
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found pyInstaller with non standard icon
Hides threads from debuggers
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Infects executable files (exe, dll, sys, html)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Modifies Windows Defender protection settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries Google from non browser process on port 80
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Removes signatures from Windows Defender
Sample uses string decryption to hide its real strings
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Stop multiple services
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: System File Execution Location Anomaly
Sigma detected: Windows Binaries Write Suspicious Extensions
Sigma detected: WScript or CScript Dropper
Stops critical windows services
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses the Telegram API (likely for C&C communication)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Amnesia Stealer
Yara detected Costura Assembly Loader
Yara detected DCRat
Yara detected Discord Token Stealer
Yara detected Millenuim RAT
Yara detected PureLog Stealer
Yara detected Telegram RAT
Yara detected Telegram Recon
Yara detected Xmrig cryptocurrency miner
Yara detected zgRAT
Behaviour
Behavior Graph: ID 1620959, Sample: 3Lw8TDhz3z.exe, Startdate: 21/02/2025, Architecture: WINDOWS, Score: 100 (interactive graph rendering not reproduced here)
Threat name: Win32.Exploit.TelegramRAT
Status: Malicious
First seen: 2024-09-28 15:37:29 UTC
File Type: PE+ (Exe)
Extracted files: 1467
AV detection: 14 of 24 (58.33%)
Threat level: 5/5
Result
Malware family: milleniumrat
Score: 10/10
Tags: family:gurcu family:milleniumrat defense_evasion discovery execution persistence pyinstaller rat spyware stealer upx
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Delays execution with timeout.exe
Detects videocard installed
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Modifies registry key
Runs ping.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Browser Information Discovery
Detects Pyinstaller
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Enumerates processes with tasklist
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
UPX packed file
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Stops running service(s)
Contacts a large (2330) amount of remote hosts
Gurcu family
Gurcu, WhiteSnake
MilleniumRat
Milleniumrat family
Modifies WinLogon for persistence
Process spawned unexpected child process
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/sendDocument?chat_id=-1002245526003&caption=%F0%9F%93%82%20-%20Browser%20data%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%82%20-%20cookies(0.26%20kb
https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/sendMessage?chat_id=-1002245526003
https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-
https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/sendDocument?chat_id=-1002245526003&caption=%F0%9F%93%B8Screenshot%20take
Verdict: Suspicious
Tags: n/a
YARA: n/a
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: AutoIT_Compiled
Author: @bartblaze
Description: Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.

Rule name: BLOWFISH_Constants
Author: phoul (@phoul)
Description: Look for Blowfish constants

Rule name: CAS_Malware_Hunting
Author: Michael Reinprecht
Description: DEMO CAS YARA Rules for sample2.exe

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerCheck__MemoryWorkingSet
Author: Fernando Mercês
Description: Anti-debug process memory working set size check
Reference: http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/

Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerException__ConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerHiding__Thread
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DotNet_Reactor
Author: @bartblaze
Description: Identifies .NET Reactor, which offers .NET code protection such as obfuscation, encryption and so on.

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: INDICATOR_EXE_Packed_DotNetReactor
Author: ditekSHen
Description: Detects executables packed with unregistered version of .NET Reactor

Rule name: ldpreload
Author: xorseed
Reference: https://stuff.rop.io/

Rule name: Lumma_Stealer_Detection
Author: ashizZz
Description: Detects a specific Lumma Stealer malware sample using unique strings and behaviors
Reference: https://seanthegeek.net/posts/compromized-store-spread-lumma-stealer-using-fake-captcha/

Rule name: MALWARE_Win_R77
Author: ditekSHen
Description: Detects r77 rootkit

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: NET
Author: malware-lu

Rule name: pe_detect_tls_callbacks

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: pe_imphash

Rule name: PureCrypter
Author: @bartblaze
Description: Identifies PureCrypter, .NET loader and obfuscator.
Reference: https://malpedia.caad.fkie.fraunhofer.de/details/win.purecrypter

Rule name: PyInstaller
Author: @bartblaze
Description: Identifies executable converted using PyInstaller. This rule by itself does NOT necessarily mean the detected file is malicious.

Rule name: RANSOMWARE
Author: ToroGuitar

Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants

Rule name: SEH__vectored
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants

Rule name: SHA512_Constants
Author: phoul (@phoul)
Description: Look for SHA384/SHA512 constants

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: upxHook
Author: @r3dbU7z
Description: Detect artifacts from 'upxHook' - modification of UPX packer
Reference: https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

Rule name: upx_largefile
Author: k3nr9

Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques

Rule name: WHIRLPOOL_Constants
Author: phoul (@phoul)
Description: Look for WhirlPool constants

Rule name: Windows_Rootkit_R77_d0367e28
Author: Elastic Security
Reference: https://www.elastic.co/security-labs/elastic-security-labs-steps-through-the-r77-rootkit

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (FORCE_INTEGRITY) | high

Reviews

ID | Capabilities | Evidence
AUTH_API | Manipulates User Authorization | ADVAPI32.dll::ConvertSidToStringSidW, ADVAPI32.dll::ConvertStringSecurityDescriptorToSecurityDescriptorW
SECURITY_BASE_API | Uses Security Base API | ADVAPI32.dll::GetTokenInformation
WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CreateProcessW, ADVAPI32.dll::OpenProcessToken, KERNEL32.dll::CloseHandle
WIN_BASE_API | Uses Win Base API | KERNEL32.dll::TerminateProcess, KERNEL32.dll::LoadLibraryExW, KERNEL32.dll::GetDriveTypeW, KERNEL32.dll::GetStartupInfoW, KERNEL32.dll::GetCommandLineW, KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_API | Can Execute other programs | KERNEL32.dll::WriteConsoleW, KERNEL32.dll::ReadConsoleW, KERNEL32.dll::SetConsoleCtrlHandler, KERNEL32.dll::SetStdHandle, KERNEL32.dll::GetConsoleMode, KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CreateDirectoryW, KERNEL32.dll::CreateFileW, KERNEL32.dll::DeleteFileW, KERNEL32.dll::FindFirstFileW, KERNEL32.dll::RemoveDirectoryW, KERNEL32.dll::SetDllDirectoryW
WIN_USER_API | Performs GUI Actions | USER32.dll::PeekMessageW, USER32.dll::CreateWindowExW
