MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 362911dc126bfc3bf0edde07ab4dcf66e79830f1da312942b1731b6f45ac9da5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 362911dc126bfc3bf0edde07ab4dcf66e79830f1da312942b1731b6f45ac9da5
SHA3-384 hash: 93410e79600ca80eae50a1a0b3195d948d9469402dc0f816b259f902e36054b741a9c534b3e6b2a2ab57356cccb4a93c
SHA1 hash: c20b9e3b0e3bd8ecc09d3d2fb18639103e95bfba
MD5 hash: 12c46e15136f351bdb64f4d62a57f90d
humanhash: juliet-minnesota-emma-island
File name:12c46e15136f351bdb64f4d62a57f90d.exe
Download: download sample
File size:94'462 bytes
First seen:2021-03-25 09:47:45 UTC
Last seen:2021-03-25 12:09:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 1536:kXLGo3wcQR0maZwzNLiVXwfF/Fl9XaBrdV2iPNLxX:kJ3fI0mam0Xwl9Khd7F
Threatray 16 similar samples on MalwareBazaar
TLSH F793171A7B548F00E55C247B81EF152843F5DAC36AF3F397AEA432DD18032A26C95ED9
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
104
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
12c46e15136f351bdb64f4d62a57f90d.exe
Verdict:
Malicious activity
Analysis date:
2021-03-25 12:20:59 UTC
Tags:
evasion
Link:
https://app.any.run/tasks/b535ddc3-2b9a-4e1b-8fc0-a08e973478cb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.36510340.19898.8901.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
DNS request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Creating a file
Launching a process
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Sending a custom TCP request
Creating a service
Launching a service
Loading a system driver
Enabling the 'hidden' option for recently created files
Creating a window
Moving of the original file
Unauthorized injection to a recently created process
Enabling autorun for a service
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/653623
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found strings related to Crypto-Mining
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 375752 Sample: b471elVvJc.exe Startdate: 25/03/2021 Architecture: WINDOWS Score: 100 43 icanhazip.com 2->43 59 Malicious sample detected (through community Yara rule) 2->59 61 Antivirus / Scanner detection for submitted sample 2->61 63 Multi AV Scanner detection for submitted file 2->63 65 5 other signatures 2->65 9 b471elVvJc.exe 14 5 2->9         started        14 b471elVvJc.exe 3 2->14         started        signatures3 process4 dnsIp5 45 194.32.79.231, 49708, 49715, 49725 MVPShttpswwwmvpsnetEU Germany 9->45 47 icanhazip.com 172.67.9.138, 49707, 49723, 49726 CLOUDFLARENETUS United States 9->47 37 C:\Users\user\AppData\...\b471elVvJc.exe.log, ASCII 9->37 dropped 71 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 9->71 73 May check the online IP address of the machine 9->73 75 Uses schtasks.exe or at.exe to add and modify task schedules 9->75 16 b471elVvJc.exe 5 9->16         started        21 schtasks.exe 1 9->21         started        49 icanhazip.com 14->49 51 192.168.2.1 unknown unknown 14->51 23 kernel.exe 14->23         started        file6 signatures7 process8 dnsIp9 39 104.22.19.188, 49713, 49721, 49724 CLOUDFLARENETUS United States 16->39 41 icanhazip.com 16->41 35 C:\Users\user\AppData\Roaming\...\kernel.exe, PE32+ 16->35 dropped 55 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 16->55 57 May check the online IP address of the machine 16->57 25 kernel.exe 1 16->25         started        29 conhost.exe 21->29         started        31 conhost.exe 23->31         started        file10 signatures11 process12 dnsIp13 53 185.117.155.20 IHOR-ASRU Russian Federation 25->53 67 Antivirus detection for dropped file 25->67 69 Multi AV Scanner detection for dropped file 25->69 33 conhost.exe 25->33         started        signatures14 process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/362911dc126bfc3bf0edde07ab4dcf66e79830f1da312942b1731b6f45ac9da5/
Threat name:
ByteCode-MSIL.Trojan.Phonzy
Create hunting rule
Status:
Malicious
First seen:
2021-03-25 06:41:00 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
35b236fbe87c82a8481485fcf00f3a08749e7a7b49bb2adbd6729c72906a1a60
5f3507cbeaeda2b6fa6b1144782f45f17c274d30fba40fa1ee9b302496242265
773a42f5dd2dbe163dbc36037d53a25675c29fd0dba24d19ccb249a6f590ef12
86f57444e6f4a40378fd0959a54794c7384d04678f8c66dfb7801f3d0cfc0152
ae9f21e994994c7d538df1032eb81cba7c3cbff6a76e8c15d91c8fe6f78dfa28
af56963172182772cfb8ece6dee221898b281e8f93a62dc82a08cc188131849f
c6b664ffd10c03d085b36bd57b72467b6508ba736e9c8d77182e0d1518b91295
c7f6ad7d3e040d26e8103885756e2f720a97a16f12ef44bf6707676d26680586
cc53accc69b32c2507210ea70d1d56aa84dbe354a7f79577df180179ea797427
f213aa18c565dfcb1b7637901b57b6baa6f0d3515b3c601797b418d3d8ff5e2e
+ 6 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner
Link:
https://tria.ge/reports/210325-wwtpkbd2c6/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Looks up external IP address via web service
Executes dropped EXE
XMRig Miner Payload
xmrig
Unpacked files
SH256 hash:
362911dc126bfc3bf0edde07ab4dcf66e79830f1da312942b1731b6f45ac9da5
MD5 hash:
12c46e15136f351bdb64f4d62a57f90d
SHA1 hash:
c20b9e3b0e3bd8ecc09d3d2fb18639103e95bfba
Link:
https://www.unpac.me/results/836044d9-d8b1-48b1-9b02-f05d6dc79189/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Eldorado
Score:
0.72
Link:
https://yomi.yoroi.company/submissions/362911dc126bfc3bf0edde07ab4dcf66e79830f1da312942b1731b6f45ac9da5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 362911dc126bfc3bf0edde07ab4dcf66e79830f1da312942b1731b6f45ac9da5

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1089540/
  
Delivery method
Distributed via web download

Comments