MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 04d6b79b4981e2bfa3f3d778ed61aaf12efaa6a55870df62dc4013cb99d98a30. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 04d6b79b4981e2bfa3f3d778ed61aaf12efaa6a55870df62dc4013cb99d98a30
SHA3-384 hash: f0b02d652df706bcdbdb177c2a12b4428354e106e2c99463fc024786feaa6464b3093aca2ade5b83f3c8670305c7facd
SHA1 hash: 6052ee04638e30af80a897bf3407562b6e804fc2
MD5 hash: 0a22bbcf3c149176032a88da9591c6c1
humanhash: johnny-cola-fanta-sad
File name:0a22bbcf3c149176032a88da9591c6c1
Download: download sample
File size:104'960 bytes
First seen:2021-07-09 05:23:50 UTC
Last seen:2021-07-09 05:50:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 3072:9ETpPTQHkdy9a4YwQUHcscidT7V2uYz/:sPTQHkw94p2cwdT7V2uYz
Threatray 5 similar samples on MalwareBazaar
TLSH T1D6A35B8C766075DFC86BC976DAA82CA4E760347B470BC253945316EDAA0CA9BCF150F3
Reporter zbetcheckin
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
110
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0a22bbcf3c149176032a88da9591c6c1
Verdict:
No threats detected
Analysis date:
2021-07-09 05:24:37 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7a5522da-ccce-49de-8230-4eed4e41a0e7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/170605/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.ABVL.461.31416.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/dbfcf30f-d2c4-4b33-b77a-537932d61464
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/813860
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Creates files in the system32 config directory
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the user root directory
Found strings related to Crypto-Mining
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Execution from Suspicious Folder
Sigma detected: Xmrig
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 446271 Sample: XgD8cl9Jli Startdate: 09/07/2021 Architecture: WINDOWS Score: 100 93 clientconfig.passport.net 2->93 121 Sigma detected: Xmrig 2->121 123 Multi AV Scanner detection for submitted file 2->123 125 Yara detected Xmrig cryptocurrency miner 2->125 127 3 other signatures 2->127 10 Services32.exe 9 2->10         started        14 XgD8cl9Jli.exe 8 2->14         started        signatures3 process4 file5 79 C:\Windows\System32\config\...\Services32.exe, PE32+ 10->79 dropped 81 C:\Windows\System32\config\...\sihost32.exe, PE32+ 10->81 dropped 83 C:\Windows\...\Services32.exe:Zone.Identifier, ASCII 10->83 dropped 129 Multi AV Scanner detection for dropped file 10->129 131 Creates files in the system32 config directory 10->131 133 Drops executables to the windows directory (C:\Windows) and starts them 10->133 16 sihost32.exe 2 10->16         started        19 Services32.exe 10->19         started        22 cmd.exe 1 10->22         started        85 C:\Users\user\Services32.exe, PE32+ 14->85 dropped 87 C:\Users\...\Services32.exe:Zone.Identifier, ASCII 14->87 dropped 89 C:\Users\user\AppData\...\XgD8cl9Jli.exe.log, ASCII 14->89 dropped 91 C:\Users\user\AppData\...\sihost32.exe, PE32+ 14->91 dropped 135 Drops PE files to the user root directory 14->135 24 Services32.exe 14 5 14->24         started        26 cmd.exe 1 14->26         started        28 sihost32.exe 14->28         started        signatures6 process7 dnsIp8 103 Drops executables to the windows directory (C:\Windows) and starts them 16->103 30 Services32.exe 16->30         started        33 Services32.exe 16->33         started        35 Services32.exe 16->35         started        37 Services32.exe 16->37         started        95 185.199.111.133, 443, 49733 FASTLYUS Netherlands 19->95 105 Multi AV Scanner detection for dropped file 19->105 107 Hijacks the control flow in another process 19->107 109 Creates files in the system32 config directory 19->109 119 2 other signatures 19->119 43 2 other processes 19->43 45 2 other processes 22->45 97 github.com 140.82.121.3, 443, 49725, 49732 GITHUBUS United States 24->97 99 raw.githubusercontent.com 185.199.108.133, 443, 49726 FASTLYUS Netherlands 24->99 101 192.168.2.1 unknown unknown 24->101 111 Injects code into the Windows Explorer (explorer.exe) 24->111 113 Writes to foreign memory regions 24->113 115 Allocates memory in foreign processes 24->115 39 cmd.exe 1 24->39         started        41 explorer.exe 24->41         started        117 Uses schtasks.exe or at.exe to add and modify task schedules 26->117 47 2 other processes 26->47 signatures9 process10 signatures11 137 Hijacks the control flow in another process 30->137 139 Injects code into the Windows Explorer (explorer.exe) 30->139 141 Writes to foreign memory regions 30->141 49 cmd.exe 30->49         started        51 explorer.exe 30->51         started        143 Allocates memory in foreign processes 33->143 145 Modifies the context of a thread in another process (thread injection) 33->145 147 Injects a PE file into a foreign processes 33->147 53 cmd.exe 33->53         started        55 explorer.exe 33->55         started        57 cmd.exe 35->57         started        59 conhost.exe 39->59         started        61 schtasks.exe 1 39->61         started        63 conhost.exe 43->63         started        65 schtasks.exe 43->65         started        process12 process13 67 conhost.exe 49->67         started        69 schtasks.exe 49->69         started        71 conhost.exe 53->71         started        73 schtasks.exe 53->73         started        75 conhost.exe 57->75         started        77 schtasks.exe 57->77         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/04d6b79b4981e2bfa3f3d778ed61aaf12efaa6a55870df62dc4013cb99d98a30/
Threat name:
ByteCode-MSIL.Trojan.Miner
Create hunting rule
Status:
Malicious
First seen:
2021-07-09 03:44:49 UTC
AV detection:
11 of 46 (23.91%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
8f1ed07ca8c41df4a0c109f87d46e67365cd111de9ef1f17687be43c18f51e49
995ab2c020f8d8ac61c6c5e2bfdd383f2134a6463ea2ba218337b80b639e13cd
fb49ad3836c334d8d06a36a45994eaa52d7629ecbf765fe46aa53825aef56e56
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/210709-qgts4rz8dj/
Behaviour
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
04d6b79b4981e2bfa3f3d778ed61aaf12efaa6a55870df62dc4013cb99d98a30
MD5 hash:
0a22bbcf3c149176032a88da9591c6c1
SHA1 hash:
6052ee04638e30af80a897bf3407562b6e804fc2
Link:
https://www.unpac.me/results/f227304a-7060-4500-9241-a07e8038e868/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/04d6b79b4981e2bfa3f3d778ed61aaf12efaa6a55870df62dc4013cb99d98a30

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Glasses
Create hunting rule
Author:Seth Hardy
Description:Glasses family
Rule name:GlassesCode
Create hunting rule
Author:Seth Hardy
Description:Glasses code features
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 04d6b79b4981e2bfa3f3d778ed61aaf12efaa6a55870df62dc4013cb99d98a30

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1438014/
Cape
Cape
https://www.capesandbox.com/analysis/170605/

Comments


Avatar
zbet commented on 2021-07-09 05:23:51 UTC

url : hxxp://141.95.28.201/start.exe