MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 392d92c5987f4aeea5e9988e126bd19798c3a63e60917445f67df835c15d598b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 392d92c5987f4aeea5e9988e126bd19798c3a63e60917445f67df835c15d598b
SHA3-384 hash: ef8ceb7386723cb360ba8a952d8b1f1ab5847aec3fbf0d9d53812630470d8c2adf437952daac33be5f10a1f9685cca8b
SHA1 hash: c0b95c1f6de9bbf2a52fcd8c9863a671ac46fb5c
MD5 hash: 6109d3eb95379d204c6e43d9c5603da4
humanhash: ack-ink-alaska-arizona
File name:SecuriteInfo.com.Trojan.GenericKD.39253528.22153.22248
Download: download sample
File size:233'472 bytes
First seen:2022-03-21 18:14:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:mchW+kj10s/e4AcbDpWGdOgaqB0mDk8eff1+i05hI7yZB14mM0+9lHPDv:m+6TbDpzOgaqB0mDkzff1+i05hI7yZBw
Threatray 1'436 similar samples on MalwareBazaar
TLSH T11234469D726072EFC867D472DEA82DA8EA5074BB931F4203902715ADEE4D897DF140F2
Reporter SecuriteInfoCom
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
168
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/253749/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.39253528.22153.22248.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Searching for the Windows task manager window
Creating a file in the %temp% directory
Launching a process
Sending a custom TCP request
Creating a file
DNS request
Unauthorized injection to a recently created process
Launching a tool to kill processes
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/6238c0c9dfdfa8501cc827e6/reports/0a9cf4e6-34fd-436f-8737-aa723d27cf2a/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1056c660-02bf-4de0-adc4-83a2491fda04
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/961151
Signature
Antivirus detection for URL or domain
Command shell drops VBS files
Connects to many ports of the same IP (likely port scanning)
Detected unpacking (changes PE section rights)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has nameless sections
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Self deletion via cmd delete
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Sigma detected: Xmrig
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 593630 Sample: SecuriteInfo.com.Trojan.Gen... Startdate: 21/03/2022 Architecture: WINDOWS Score: 100 83 Sigma detected: Xmrig 2->83 85 Antivirus detection for URL or domain 2->85 87 Multi AV Scanner detection for dropped file 2->87 89 11 other signatures 2->89 9 SecuriteInfo.com.Trojan.GenericKD.39253528.22153.exe 5 4 2->9         started        13 Windows Security.exe 27 4 2->13         started        process3 file4 77 C:\Users\user\...\Windows Security.exe, PE32 9->77 dropped 79 C:\...\Windows Security.exe:Zone.Identifier, ASCII 9->79 dropped 95 Detected unpacking (changes PE section rights) 9->95 97 Obfuscated command line found 9->97 99 Self deletion via cmd delete 9->99 101 Hides that the sample has been downloaded from the Internet (zone.identifier) 9->101 15 cmd.exe 1 9->15         started        18 cmd.exe 1 9->18         started        20 cmd.exe 13->20         started        23 cmd.exe 13->23         started        25 cmd.exe 13->25         started        27 21 other processes 13->27 signatures5 process6 file7 105 Obfuscated command line found 15->105 29 Windows Security.exe 14 5 15->29         started        33 conhost.exe 15->33         started        41 4 other processes 18->41 75 C:\Users\user\AppData\Local\...\tmp7D9C.vbs, ASCII 20->75 dropped 107 Command shell drops VBS files 20->107 43 2 other processes 20->43 35 conhost.exe 23->35         started        37 powershell.exe 23->37         started        45 2 other processes 25->45 39 taskkill.exe 27->39         started        47 29 other processes 27->47 signatures8 process9 dnsIp10 81 111.90.143.200, 27941 SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY Malaysia 29->81 103 Obfuscated command line found 29->103 49 cmd.exe 2 29->49         started        53 cmd.exe 29->53         started        55 cmd.exe 29->55         started        57 conhost.exe 35->57         started        59 conhost.exe 39->59         started        signatures11 process12 file13 73 C:\Users\user\AppData\Local\...\tmpE823.vbs, ASCII 49->73 dropped 91 Command shell drops VBS files 49->91 61 cscript.exe 1 49->61         started        63 conhost.exe 49->63         started        93 Obfuscated command line found 53->93 65 conhost.exe 53->65         started        67 powershell.exe 53->67         started        69 conhost.exe 55->69         started        71 powershell.exe 55->71         started        signatures14 process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/392d92c5987f4aeea5e9988e126bd19798c3a63e60917445f67df835c15d598b/
Threat name:
ByteCode-MSIL.Trojan.CoinminerX
Create hunting rule
Status:
Malicious
First seen:
2022-03-16 16:52:00 UTC
File Type:
PE (.Net Exe)
AV detection:
31 of 42 (73.81%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
04ff00131dc81c785b075d33b1ab543f68e3aafa4ed1d52f8a19d16cbf66f3f2
0f0807cdcb400a718656d3ec845ad57ffef9e25232d50044bb8d7a5d9d2a0a98
162d0b27db414f15b5ae0870b2a4132b7fad64f8471441541ff153c2aded121a
47ee7c873ff6ad620d68f6bd92cbd41ae0194c446720228f805f3487192dd909
6046aace6f59b5eba51322cb82de3b9b6be567f958b65d6586e6924a2366a32c
73872c3c2ba2f4e09a18b0e0b3e00419b302781a83206512da39c28ae2e35fcc
bd250e1cb4f8d322a5464549dc067ac7bcbecfc2d4fca46c40af8d23173011d3
d42ae9509a110e4c8316bb71949c14a908f38277cbf6b4d2a216ba173aa24e55
fc7c0979e0a7b2f95d8e50177b844166ced49a0c78de4adcedef75090dee4dd9
+ 1'426 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/220321-wvydhahgcr/
Behaviour
Delays execution with timeout.exe
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Deletes itself
Executes dropped EXE
Unpacked files
SH256 hash:
e6419e384cd61ab2149bbb50b38b6bcb9a1076c10e6f1137517cd2837ccb6107
MD5 hash:
c775510fda11e12c3518aa4228a52168
SHA1 hash:
5594ac8624e9b3701e81f83ce66d28e7e7fe40d0
Link:
https://www.unpac.me/results/96f45869-8426-46e4-a058-b904b0af5274/
SH256 hash:
392d92c5987f4aeea5e9988e126bd19798c3a63e60917445f67df835c15d598b
MD5 hash:
6109d3eb95379d204c6e43d9c5603da4
SHA1 hash:
c0b95c1f6de9bbf2a52fcd8c9863a671ac46fb5c
Link:
https://www.unpac.me/results/96f45869-8426-46e4-a058-b904b0af5274/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/392d92c5987f4aeea5e9988e126bd19798c3a63e60917445f67df835c15d598b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 392d92c5987f4aeea5e9988e126bd19798c3a63e60917445f67df835c15d598b

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/253749/
  
URLhaus
https://urlhaus.abuse.ch/url/2109331/
  
Delivery method
Distributed via web download

Comments