MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2b0a76c45a3dd1e9bd3b867465a7095762272a9bbe59c1672da1226f59d3d641. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Adware.Techsnab


Vendor detections: 6


Intelligence 6 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2b0a76c45a3dd1e9bd3b867465a7095762272a9bbe59c1672da1226f59d3d641
SHA3-384 hash: 1fdc859c2b32ee7cff26913fdd06784de53e03a3115e32bb999370f6e2f4438aed0ef6bc8db02a3c69c103e84059b290
SHA1 hash: 2586a89a32da02e923633c1dd4f313ff6a9d8609
MD5 hash: d3b4ddb1726a71c80f63c62744b630db
humanhash: social-uranus-quebec-tennis
File name:d3b4ddb1726a71c80f63c62744b630db
Download: download sample
Signature Adware.Techsnab
Create hunting rule
File size:7'385'600 bytes
First seen:2021-08-29 02:22:40 UTC
Last seen:2021-08-29 03:26:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 98304:dKAhxgyedx7ViIapxK8vmrInTlUIt5LjevuJ36CtgwArPXb7oMtoxMdZJfLmK3d:1hayeDRi3pxK8vuFUjQzT1PvtDBLP3d
Threatray 103 similar samples on MalwareBazaar
TLSH T11D76330973E3563AD2FF16B140FB85208FAABDE621F2A2063F35E90D55740414EB57AB
dhash icon ececc888ecc8c8c8 (1 x RedLineStealer, 1 x Adware.Techsnab)
Reporter zbetcheckin
Tags:Adware.Techsnab CoinMiner exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
256
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d3b4ddb1726a71c80f63c62744b630db
Verdict:
No threats detected
Analysis date:
2021-08-29 02:24:13 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/48976567-302f-44d4-a1aa-bb7671ae1eff

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/183183/
Detection(s):
SecuriteInfo.com.Trojan.Siggen15.690.8627.31900.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Creating a window
Launching a service
DNS request
Connection attempt
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Sending a UDP request
Creating a service
Loading a system driver
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun for a service
Unauthorized injection to a system process
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7749aadf-4e67-4c51-8d11-541d638c1cfa
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/840932
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Changes security center settings (notifications, updates, antivirus, firewall)
Detected Stratum mining protocol
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Xmrig
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 473363 Sample: Y54o1vpvV6 Startdate: 29/08/2021 Architecture: WINDOWS Score: 100 35 xmr.2miners.com 2->35 45 Sigma detected: Xmrig 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 Multi AV Scanner detection for submitted file 2->49 51 9 other signatures 2->51 8 Y54o1vpvV6.exe 25 8 2->8         started        13 DriversService.exe 1 2->13         started        15 svchost.exe 2->15         started        17 12 other processes 2->17 signatures3 process4 dnsIp5 39 discord.com 162.159.135.232, 443, 49708 CLOUDFLARENETUS United States 8->39 41 httpbin.org 3.209.207.48, 443, 49707 AMAZON-AESUS United States 8->41 33 C:\Users\user\AppData\...\DriversService.exe, PE32+ 8->33 dropped 57 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->57 59 Writes to foreign memory regions 8->59 61 Modifies the context of a thread in another process (thread injection) 8->61 63 Injects a PE file into a foreign processes 8->63 19 InstallUtil.exe 1 8->19         started        23 powershell.exe 1 16 8->23         started        65 Multi AV Scanner detection for dropped file 13->65 67 Machine Learning detection for dropped file 13->67 69 Changes security center settings (notifications, updates, antivirus, firewall) 15->69 25 MpCmdRun.exe 15->25         started        43 127.0.0.1 unknown unknown 17->43 file6 signatures7 process8 dnsIp9 37 xmr.2miners.com 51.89.96.41, 2222, 49709, 49719 OVHFR France 19->37 53 Query firmware table information (likely to detect VMs) 19->53 27 conhost.exe 19->27         started        29 conhost.exe 23->29         started        31 conhost.exe 25->31         started        signatures10 55 Detected Stratum mining protocol 37->55 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2b0a76c45a3dd1e9bd3b867465a7095762272a9bbe59c1672da1226f59d3d641/
Threat name:
Win64.Trojan.Bulz
Create hunting rule
Status:
Malicious
First seen:
2021-08-27 19:42:19 UTC
AV detection:
20 of 45 (44.44%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fmfhnrc2hxi6tpj3qz2gljyjk5rcoku3xzm4czznuerg6wot2zaq._file
Verdict:
unknown
Similar samples:
51e6527daa5a10028c434c7ceaed1570ddd95e1de0eafa702f77860cec3d0b7c
Adware.Techsnab
766d8e9d2d0de0a0ba2440a847e7eb7da3e69d51331e15a61ec1d25d3d92fc3e
Adware.Techsnab
831d7b676bb75c44df50f40798fe739cb07d4c0b1ee217a7e8fea443f7b00346
Adware.Techsnab
87f4a4c323f26710b7acdc123173fa63f4ccb4f3c8239dfaa489ee69ab89f7cc
Adware.Techsnab
89aea7429e8634bbba4d97c8576adb9568cdf91830d15ecd2c34c5a290f7b83f
Adware.Techsnab
f60f32ec899bcb92fd50491a8c32f0548afbd4dc02462dfa373d484b4b161a86
Adware.Techsnab
ffec1862f56857ad722abbcb98be7af86f2cf0763371bcb40273f0d884157c32
Adware.Techsnab
+ 93 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence upx
Link:
https://tria.ge/reports/210829-mada2k9hya/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
UPX packed file
Unpacked files
SH256 hash:
2b0a76c45a3dd1e9bd3b867465a7095762272a9bbe59c1672da1226f59d3d641
MD5 hash:
d3b4ddb1726a71c80f63c62744b630db
SHA1 hash:
2586a89a32da02e923633c1dd4f313ff6a9d8609
Link:
https://www.unpac.me/results/51c697a9-e1c4-49a3-be47-c85191376a8b/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/2b0a76c45a3d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2b0a76c45a3dd1e9bd3b867465a7095762272a9bbe59c1672da1226f59d3d641

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_DiscordURL
Create hunting rule
Author:ditekSHen
Description:Detects executables Discord URL observed in first stage droppers
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Adware.Techsnab

Executable exe 2b0a76c45a3dd1e9bd3b867465a7095762272a9bbe59c1672da1226f59d3d641

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1573789/
Cape
Cape
https://www.capesandbox.com/analysis/183183/

Comments


Avatar
zbet commented on 2021-08-29 02:22:41 UTC

url : hxxp://65.21.223.132/Ahiles.exe