MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 36f384938e022f6448676ad2f479b47efde5b02a09834b245f22aee9a15fd371. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Hive

Vendor detections: 8

SHA256 hash: 36f384938e022f6448676ad2f479b47efde5b02a09834b245f22aee9a15fd371
SHA3-384 hash: 14af7f81d2224b98dd9514f990762249ee471f43ae1f79c2c4e8c5a42ed768575a91a2ef176258ce16d994ed915183e5
SHA1 hash: d86e750d78e4f2008ed21c8c3502c253cd9fb9f2
MD5 hash: 2b897d710b4c56419679d2ee7bf1f152
humanhash: beryllium-spaghetti-island-iowa
File name: 2b897d710b4c56419679d2ee7bf1f152
Signature: Hive
File size: 2'693'120 bytes
First seen: 2022-04-11 07:41:35 UTC
Last seen: 2022-04-11 09:04:02 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 9aebf3da4677af9275c461261e5abde3 (25 x YTStealer, 12 x CobaltStrike, 11 x Hive)
ssdeep: 49152:btmqIuzXkIH4oUmf8Y6KsmOACAsQgMWvAzR9Hgq0oON3dglc/EJWcBVZ6zc:btmqQmf96zUCAu3AzzgloOxanH
Threatray: 75 similar samples on MalwareBazaar
TLSH: T147C53377E0635431EAA6163740A816C7E34928F6262F0A551015D2623CCEFEEFDE9E37
Reporter: zbetcheckin
Tags: exe Hive

Intelligence


File Origin
# of uploads: 2
# of downloads: 269
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour:
Searching for the window
DNS request
Sending a custom TCP request
Creating a file in the %temp% directory
Sending a UDP request
Running batch commands
Creating a process with a hidden window
Launching a process
Enabling the 'hidden' option for analyzed file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Moving of the original file
Sending an HTTP POST request to an infection source
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: anti-debug packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: troj.spyw.evad
Score: 84 / 100
Signature
Antivirus detection for URL or domain
Creates an autostart registry key pointing to binary in C:\Windows
Creates multiple autostart registry keys
Drops executables to the windows directory (C:\Windows) and starts them
Found many strings related to Crypto-Wallets (likely being stolen)
Multi AV Scanner detection for submitted file
Sigma detected: Copying Sensitive Files with Credential Data
Uses cmd line tools excessively to alter registry or file data
Uses known network protocols on non-standard ports
Behaviour
Behavior Graph: (Behavior Graph ID 606904, sample p1WhU1kc7z, start date 11/04/2022, architecture WINDOWS, score 84; interactive graph not reproduced in text)
Threat name: Win64.Trojan.Generic
Status: Suspicious
First seen: 2022-04-11 07:42:19 UTC
File Type: PE+ (Exe)
Extracted files: 1
AV detection: 15 of 26 (57.69%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: evasion persistence upx
Behaviour
GoLang User-Agent
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Drops file in Windows directory
Adds Run key to start application
Sets file to hidden
Unpacked files
SHA256 hash: 36f384938e022f6448676ad2f479b47efde5b02a09834b245f22aee9a15fd371
MD5 hash: 2b897d710b4c56419679d2ee7bf1f152
SHA1 hash: d86e750d78e4f2008ed21c8c3502c253cd9fb9f2
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: GoBinTest

Rule name: golang

Rule name: Golangmalware
Author: Dhanunjaya
Description: Malware in Golang

Rule name: HiveRansomware
Author: Dhanunjaya
Description: Yara Rule To Detect Hive V4 Ransomware

Rule name: identity_golang
Author: Eric Yocam
Description: find Golang malware

Rule name: INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Author: ditekSHen
Description: Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers

Rule name: INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author: ditekSHen
Description: Detects executables containing SQL queries to confidential data stores. Observed in infostealers

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Hive
File type: Executable exe
SHA256 hash: 36f384938e022f6448676ad2f479b47efde5b02a09834b245f22aee9a15fd371 (this sample)

Delivery method: Distributed via web download

Comments

zbet commented on 2022-04-11 07:41:37 UTC

url: hxxp://193.233.48.64/build_o.exe