MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 06ae265d022abb3efb56a9aaf1b4cbee322817434b6dbebd93afa4e2869a2236. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 7

SHA256 hash: 06ae265d022abb3efb56a9aaf1b4cbee322817434b6dbebd93afa4e2869a2236
SHA3-384 hash: 2bfba4bdb90c142130192da60ce618d5c489ed453cde3fccfc9d1cb664ae6a4e9d5e8d0fb1e720b6cd3f2be813601bf2
SHA1 hash: 8a376464b78a3347b5252d01a60b9452e36bb37b
MD5 hash: 88d0108f230277eedb029bb7996aacf5
humanhash: low-solar-johnny-king
File name: HWID Spoofer.exe
File size: 2'201'600 bytes
First seen: 2021-06-24 21:59:30 UTC
Last seen: 2021-06-24 22:46:42 UTC
File type: Executable exe
MIME type: application/x-dosexec
ssdeep: 49152:VHh9t+k9ygodrENjEJ3prMpjqc6G2qIv7KDdncc:hnt+PENQJZApp+8dnh
Threatray: 56 similar samples on MalwareBazaar
TLSH: 64A53358FBC042A5F45DEABF30AB2E3E54BD318B52D50B10B4607424A70BBD85B77DA8
Reporter: Anonymous
Tags: exe gaming


Anonymous
We run a multi-gaming organisation/multi-game guild with a large number of members, and receive targeted spearphishing and non-targeted malware, typically RATs or keyloggers, attempting to compromise accounts and steal items.

On our forums, we also automatically quarantine new accounts that DM users links. These uploads are typically the outputs of online uploads, spambots, or users trying to steal kids' game accounts.

Intelligence


File Origin
# of uploads: 2
# of downloads: 112
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: HWID Spoofer.exe
Verdict: No threats detected
Analysis date: 2021-06-24 22:03:25 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: UNKNOWN
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family: Generic Malware
Verdict: Malicious
Result
Threat name:
Detection: malicious
Classification: troj.evad.mine
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Changes security center settings (notifications, updates, antivirus, firewall)
Connects to a pastebin service (likely for C&C)
Detected Stratum mining protocol
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Xmrig
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph ID: 440215
Sample: HWID Spoofer.exe
Start date: 25/06/2021
Architecture: WINDOWS
Score: 100
Top-level signatures: Sigma detected: Xmrig; Malicious sample detected (through community Yara rule); Yara detected Xmrig cryptocurrency miner; 5 other signatures

Process tree (dropped files, network contacts and per-process signatures as shown in the graph):

HWID Spoofer.exe
    dropped: C:\Users\user\AppData\Local\Temp\Cheats.exe (PE32+); C:\Users\user\...\Cheats.exe:Zone.Identifier (ASCII); C:\Users\user\...\HWID Spoofer.exe.log (ASCII)
    signature: Sample is not signed and drops a device driver
    Cheats.exe
        dropped: C:\Users\user\AppData\Roaming\...\WR64.sys (PE32+)
        signatures: Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Allocates memory in foreign processes; 2 other signatures
        explorer.exe
            network: mine.bmpool.org; pastebin.com
            signatures: System process connects to network (likely due to code injection or exploit); Query firmware table information (likely to detect VMs)
        cmd.exe
            conhost.exe
            schtasks.exe
    cmd.exe
        signature: Uses schtasks.exe or at.exe to add and modify task schedules
        conhost.exe
        schtasks.exe
Cheats.exe
    signatures: Machine Learning detection for dropped file; Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; 3 other signatures
    explorer.exe
        network: mine.bmpool.org 157.90.156.89 (ports 49716, 49717, 6004; REDIRISRedIRISAutonomousSystemES United States), signature: Detected Stratum mining protocol; pastebin.com 104.23.99.190 (ports 443, 49713, 49714; CLOUDFLARENETUS United States)
        signatures: System process connects to network (likely due to code injection or exploit); Query firmware table information (likely to detect VMs); Tries to detect sandboxes and other dynamic analysis tools (window names)
    cmd.exe
        conhost.exe
        schtasks.exe
svchost.exe
    signature: Changes security center settings (notifications, updates, antivirus, firewall)
    MpCmdRun.exe
        conhost.exe
10 other processes
    network: 127.0.0.1 (unknown)
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2021-06-24 22:00:27 UTC
AV detection: 15 of 46 (32.61%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:xmrig miner
Behaviour
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Executes dropped EXE
XMRig Miner Payload
xmrig
Unpacked files
SHA256 hash: 06ae265d022abb3efb56a9aaf1b4cbee322817434b6dbebd93afa4e2869a2236
MD5 hash: 88d0108f230277eedb029bb7996aacf5
SHA1 hash: 8a376464b78a3347b5252d01a60b9452e36bb37b
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments