MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 26a02495b38b2a19ae23687148232563ed9dceaf5c0a6eed4b55a19d8f8b4818. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Adware.Techsnab


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 26a02495b38b2a19ae23687148232563ed9dceaf5c0a6eed4b55a19d8f8b4818
SHA3-384 hash: 6abfb669ad78e1c4b8da28f296b2826fbd1a7032578aeb9206d80cdfc955a597df9e3bb27cd789b06c576d72070932f0
SHA1 hash: 80c71eea8a34f0cc06f648551b9ed4ac63302107
MD5 hash: f4c64387af7b3c31cf1447c4f4ae003b
humanhash: eighteen-river-shade-lamp
File name:f4c64387af7b3c31cf1447c4f4ae003b
Download: download sample
Signature Adware.Techsnab
Create hunting rule
File size:7'365'120 bytes
First seen:2021-08-23 22:26:41 UTC
Last seen:2021-08-23 23:16:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 196608:lFQAbyY5dux+RIMIeACZdjZ+hQqLgFppJDw7808n:lFQAbHox+RDjZcgbpJDw780
Threatray 100 similar samples on MalwareBazaar
TLSH T147762259E3B27670D4B70A7380A2211C0EB2AD5617E6BE552EBCF64F18322814C77B77
dhash icon 70e886ccf0f0f871 (1 x Adware.Techsnab)
Reporter zbetcheckin
Tags:Adware.Techsnab exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
182
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f4c64387af7b3c31cf1447c4f4ae003b
Verdict:
No threats detected
Analysis date:
2021-08-23 22:29:46 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a99f5f00-d80e-4182-9d53-c42857dd359c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/181649/
Detection(s):
SecuriteInfo.com.ArtemisF4C64387AF7B.10105.790.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Sending a UDP request
Creating a window
Launching a service
Connection attempt
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Creating a service
Loading a system driver
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun for a service
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c4832479-f4ee-47f0-85f8-0c3a89e89666
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/837855
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Changes security center settings (notifications, updates, antivirus, firewall)
Detected Stratum mining protocol
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Xmrig
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 470286 Sample: OZixe06aPK Startdate: 24/08/2021 Architecture: WINDOWS Score: 100 35 xmr.2miners.com 2->35 45 Sigma detected: Xmrig 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 Yara detected Xmrig cryptocurrency miner 2->49 51 6 other signatures 2->51 8 OZixe06aPK.exe 25 8 2->8         started        13 DriversService.exe 1 2->13         started        15 svchost.exe 2->15         started        17 12 other processes 2->17 signatures3 process4 dnsIp5 39 discord.com 162.159.137.232, 443, 49703 CLOUDFLARENETUS United States 8->39 41 httpbin.org 54.156.165.4, 443, 49702 AMAZON-AESUS United States 8->41 33 C:\Users\user\AppData\...\DriversService.exe, PE32+ 8->33 dropped 57 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->57 59 Writes to foreign memory regions 8->59 61 Modifies the context of a thread in another process (thread injection) 8->61 63 Injects a PE file into a foreign processes 8->63 19 InstallUtil.exe 1 8->19         started        23 powershell.exe 1 19 8->23         started        65 Multi AV Scanner detection for dropped file 13->65 67 Machine Learning detection for dropped file 13->67 69 Changes security center settings (notifications, updates, antivirus, firewall) 15->69 25 MpCmdRun.exe 15->25         started        43 127.0.0.1 unknown unknown 17->43 file6 signatures7 process8 dnsIp9 37 xmr.2miners.com 51.89.96.41, 2222, 49706, 49716 OVHFR France 19->37 53 Query firmware table information (likely to detect VMs) 19->53 27 conhost.exe 19->27         started        29 conhost.exe 23->29         started        31 conhost.exe 25->31         started        signatures10 55 Detected Stratum mining protocol 37->55 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/26a02495b38b2a19ae23687148232563ed9dceaf5c0a6eed4b55a19d8f8b4818/
Threat name:
Win64.PUA.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-08-23 21:32:07 UTC
AV detection:
12 of 46 (26.09%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=e2qcjfntrmvbtlrdnbyuqizfmpwz3tvplqfg53klkwqz3d4ljama._file
Verdict:
unknown
Similar samples:
70c61a7220e7df5841fded5bafa8340c388440911f8c894b35872188f300f29d
Adware.Techsnab
766d8e9d2d0de0a0ba2440a847e7eb7da3e69d51331e15a61ec1d25d3d92fc3e
Adware.Techsnab
7e4bc5c98691dd99d7c856dc26110113c15d72fb5b8a73db75a9c9b2bee021e2
Adware.Techsnab
831d7b676bb75c44df50f40798fe739cb07d4c0b1ee217a7e8fea443f7b00346
Adware.Techsnab
87f4a4c323f26710b7acdc123173fa63f4ccb4f3c8239dfaa489ee69ab89f7cc
Adware.Techsnab
88614f9e923a5d979c64bee190f05f0932bc01f351ded417c59e1b2a92be560b
Adware.Techsnab
89aea7429e8634bbba4d97c8576adb9568cdf91830d15ecd2c34c5a290f7b83f
Adware.Techsnab
ffec1862f56857ad722abbcb98be7af86f2cf0763371bcb40273f0d884157c32
Adware.Techsnab
+ 90 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence upx
Link:
https://tria.ge/reports/210823-4lq2q9qpb2/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
UPX packed file
Unpacked files
SH256 hash:
26a02495b38b2a19ae23687148232563ed9dceaf5c0a6eed4b55a19d8f8b4818
MD5 hash:
f4c64387af7b3c31cf1447c4f4ae003b
SHA1 hash:
80c71eea8a34f0cc06f648551b9ed4ac63302107
Link:
https://www.unpac.me/results/b51acb62-7eaf-4659-891a-eb490dec3b0f/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/26a02495b38b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/26a02495b38b2a19ae23687148232563ed9dceaf5c0a6eed4b55a19d8f8b4818

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Adware.Techsnab

Executable exe 26a02495b38b2a19ae23687148232563ed9dceaf5c0a6eed4b55a19d8f8b4818

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1558442/
Cape
Cape
https://www.capesandbox.com/analysis/181649/

Comments


Avatar
zbet commented on 2021-08-23 22:26:43 UTC

url : hxxp://45.90.46.71/Venera.exe