MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 20fdea0c17ffb565895491b930cc6ad3df6ca3cc85780ddda1dad5a0ecd1983b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Expiro


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 20fdea0c17ffb565895491b930cc6ad3df6ca3cc85780ddda1dad5a0ecd1983b
SHA3-384 hash: 1265bfae37855c5b16e7c43e9123c04012debe698ef43604f473ce1d8b9bff5ecc495d706e5bca9ccca47501aac368a5
SHA1 hash: 236db4d97d8a2e26217f4475b2949fb0bac261bf
MD5 hash: accdd3c18e0a1ecaaf42b3f0a88533df
humanhash: alaska-pizza-washington-mockingbird
File name:expiro2.bin
Download: download sample
Signature Expiro
Create hunting rule
File size:1'362'944 bytes
First seen:2022-01-11 18:10:36 UTC
Last seen:2022-01-11 19:45:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 72567d001c30c3c46b19a98842491779 (16 x Azov, 1 x Expiro)
ssdeep 12288:McCvO70oQcXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kw:BLQcsqjnhMgeiCl7G0nehbGZpbD
TLSH T12E55025BB3E80099D176D1B6C6E1C30AD7727D524B3043CF25A65AAAAF33AD48D39313
File icon (PE):PE icon
dhash icon b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter johannes
Tags:dll exe Expiro

Intelligence

File Origin
# of uploads :
2
# of downloads :
257
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
expiro2.bin
Verdict:
No threats detected
Analysis date:
2022-01-11 18:13:38 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/bd76ffc7-364e-4b0b-9047-9170d7144528

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/218293/
Detection(s):
SecuriteInfo.com.Win32.Expiro.153.15018.8871.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file in the %AppData% directory
Creating a window
Modifying an executable file
Launching a service
Searching for synchronization primitives
Modifying a system executable file
Creating a file in the Windows subdirectories
Launching a process
Loading a system driver
Modifying a system file
Using the Windows Management Instrumentation requests
Changing a file
Creating a file
Enabling autorun for a service
Query of malicious DNS domain
Enabling autorun with the shell\open\command registry branches
Creating a file in the mass storage device
Infecting executable files
Sending an HTTP POST request to an infection source
Sending an HTTP GET request to an infection source
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
80%
Tags:
greyware msiexec.exe update.exe virus
Link:
https://www.filescan.io/uploads/61ddc838e997359713dd80cf/reports/3a1bab17-e98e-46c0-aa77-8d9c45a3438d/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e41270ad-2e54-4f20-a668-45fa1aeb49a8
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.spre.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/918567
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates files inside the volume driver (system volume information)
Deletes shadow drive data (may be related to ransomware)
Drops executable to a common third party application directory
Found evasive API chain (may stop execution after checking computer name)
Found evasive API chain (may stop execution after checking volume information)
Infects executable files (exe, dll, sys, html)
Multi AV Scanner detection for submitted file
Queries random domain names (often used to prevent blacklisting and sinkholes)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to resolve many domain names, but no domain seems valid
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 551044 Sample: expiro2.bin Startdate: 11/01/2022 Architecture: WINDOWS Score: 100 31 qpnczch.biz 2->31 33 brsua.biz 2->33 35 gvijgjwkh.biz 2->35 49 Antivirus detection for URL or domain 2->49 51 Antivirus detection for dropped file 2->51 53 Multi AV Scanner detection for submitted file 2->53 57 3 other signatures 2->57 6 armsvc.exe 1 2->6         started        11 expiro2.exe 1 2->11         started        13 perfhost.exe 2->13         started        15 13 other processes 2->15 signatures3 55 Tries to resolve many domain names, but no domain seems valid 33->55 process4 dnsIp5 37 zyiexezl.biz 6->37 39 zrlssa.biz 6->39 45 128 other IPs or domains 6->45 17 C:\Windows\System32\xbgmsvc.exe, PE32+ 6->17 dropped 19 C:\Windows\System32\wbengine.exe, PE32+ 6->19 dropped 21 C:\Windows\System32\wbem\WmiApSrv.exe, PE32+ 6->21 dropped 29 30 other files (21 malicious) 6->29 dropped 59 Infects executable files (exe, dll, sys, html) 6->59 41 xlfhhhm.biz 11->41 43 vjaxhpbji.biz 11->43 47 17 other IPs or domains 11->47 23 C:\Windows\System32\alg.exe, PE32+ 11->23 dropped 25 C:\Windows\System32\AppVClient.exe, PE32+ 11->25 dropped 27 C:\Program Files (x86)\...\armsvc.exe, PE32 11->27 dropped 61 Drops executable to a common third party application directory 11->61 63 Antivirus detection for dropped file 13->63 65 Found evasive API chain (may stop execution after checking volume information) 13->65 67 Found evasive API chain (may stop execution after checking computer name) 13->67 69 Creates files inside the volume driver (system volume information) 15->69 file6 71 Tries to resolve many domain names, but no domain seems valid 39->71 signatures7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/20fdea0c17ffb565895491b930cc6ad3df6ca3cc85780ddda1dad5a0ecd1983b/
Threat name:
Win64.Trojan.Kryplod
Create hunting rule
Status:
Malicious
First seen:
2021-12-28 16:23:22 UTC
File Type:
PE+ (Exe)
Extracted files:
9
AV detection:
15 of 43 (34.88%)
Threat level:
  5/5
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner spyware stealer
Link:
https://tria.ge/reports/220111-wsk1dsghej/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
xmrig
Unpacked files
SH256 hash:
20fdea0c17ffb565895491b930cc6ad3df6ca3cc85780ddda1dad5a0ecd1983b
MD5 hash:
accdd3c18e0a1ecaaf42b3f0a88533df
SHA1 hash:
236db4d97d8a2e26217f4475b2949fb0bac261bf
Link:
https://www.unpac.me/results/247284a2-c5f3-451b-b58b-5b4d49caff71/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/20fdea0c17ffb565895491b930cc6ad3df6ca3cc85780ddda1dad5a0ecd1983b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/218293/

Comments