MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3cef6251ea6a26aaf56f933a3ef27b6b1b20d591a3cac9816ac5d850cd3a51c9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3cef6251ea6a26aaf56f933a3ef27b6b1b20d591a3cac9816ac5d850cd3a51c9
SHA3-384 hash: 477e890bf03ba656e30fdf8dcb621737ef3f60235c79bdc5f224e96a9a5e5a21a025b1decfccf9c80700e87693884782
SHA1 hash: 3114d530f716e3dc9e07d78703e0ad34256b8e1c
MD5 hash: 64d97ceac5d0fbb39f316eb8707c5af4
humanhash: vermont-violet-hot-fix
File name:64d97ceac5d0fbb39f316eb8707c5af4.exe
Download: download sample
File size:51'712 bytes
First seen:2025-02-22 07:46:23 UTC
Last seen:2025-02-22 13:14:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 02549ff92b49cce693542fc9afb10102 (84 x CoinMiner, 2 x CoinMiner.XMRig, 1 x AgentTesla)
ssdeep 768:517muhL+HZOtOKK7q5xEHXXIYRIeAsFKYuG:L7xLg0OKmq5KnfRo
TLSH T1B8338C3BDE6E007CE33F10BB1692196A8972B09A4665719386FF1F781B25C7723187C9
TrID 55.6% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
16.9% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.9% (.ICL) Windows Icons Library (generic) (2059/9)
6.8% (.EXE) OS/2 Executable (generic) (2029/13)
6.7% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
11
Origin country :
US US
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.DownLoader6.32179.28375.19817.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67b98107a0fd713c335c5066
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Using the Windows Management Instrumentation requests
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
crypt donut obfuscated overlay packed packed packer_detected
Link:
https://www.filescan.io/uploads/67b981023afc3763bec11507/reports/2e4bcbc6-31dd-4029-b0b7-6d3f8cc0beea/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/3cef6251ea6a26aaf56f933a3ef27b6b1b20d591a3cac9816ac5d850cd3a51c9
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/c31ab173-09ac-4b92-9a80-b1658c2d4a71
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1621699
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Creates a thread in another existing process (thread injection)
Found direct / indirect Syscall (likely to bypass EDR)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/3cef6251ea6a26aaf56f933a3ef27b6b1b20d591a3cac9816ac5d850cd3a51c9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3cef6251ea6a26aaf56f933a3ef27b6b1b20d591a3cac9816ac5d850cd3a51c9/
Threat name:
Win64.Trojan.Donut
Create hunting rule
Status:
Malicious
First seen:
2025-02-20 07:22:18 UTC
File Type:
PE+ (Exe)
AV detection:
23 of 24 (95.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=htxweupknitkv5lpsm5d54t3nmnsbvmrupfmtalkyxmfbtj2kheq._file
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/250222-jmk2zssjaq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/6cfa134a-32eb-45d1-aca0-9262689c1243
Unpacked files
SH256 hash:
3cef6251ea6a26aaf56f933a3ef27b6b1b20d591a3cac9816ac5d850cd3a51c9
MD5 hash:
64d97ceac5d0fbb39f316eb8707c5af4
SHA1 hash:
3114d530f716e3dc9e07d78703e0ad34256b8e1c
Link:
https://www.unpac.me/results/a806e31d-5a6f-441d-a603-7f7bd57ee9ca/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3cef6251ea6a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3cef6251ea6a26aaf56f933a3ef27b6b1b20d591a3cac9816ac5d850cd3a51c9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 3cef6251ea6a26aaf56f933a3ef27b6b1b20d591a3cac9816ac5d850cd3a51c9

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3448640/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CreateProcessA

Comments