MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 41a0c85fe2ebc2e7849b3acfa57b834c9c953ab515512cf254bbab2a28bdcec9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 41a0c85fe2ebc2e7849b3acfa57b834c9c953ab515512cf254bbab2a28bdcec9
SHA3-384 hash: 91d20cdbc53d07049669a39b1e25faa7f76c5dfa4d2506acc2398946ac07395093ca3b7facebdd0ab7dc56d5fe8bfa45
SHA1 hash: 84e0064d148b2107332c04e0f5261c187f96a4b9
MD5 hash: e67b1abf49c1d759f8bb70643a40191d
humanhash: harry-xray-burger-yankee
File name:e67b1abf49c1d759f8bb70643a40191d.exe
Download: download sample
File size:3'606'036 bytes
First seen:2022-04-14 19:59:05 UTC
Last seen:2022-04-20 10:24:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 66902b8e3e575e82beedd85e2fa55016
ssdeep 98304:HgpPv4VWmGEn5dxzI5TDZwftraHuqa0J9rqzx9MnE:Hg9WHGQmJsqae9WzN
Threatray 3'612 similar samples on MalwareBazaar
TLSH T1B2F52369639505E8D4B7D1788A870646E772B8560368D7EF039CD63B1F236E08F7EB20
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
348
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e67b1abf49c1d759f8bb70643a40191d.exe
Verdict:
No threats detected
Analysis date:
2022-04-14 20:04:42 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/fb3e1bb9-fc6c-407c-b5fe-d122c4d690a1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/263859/
Detection(s):
Win.Trojan.Downloader-9942257-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Searching for analyzing tools
Creating a window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Delayed reading of the file
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
Launching the process to change network settings
Launching a service
Creating a file in the Windows subdirectories
Launching a process
Blocking Windows Firewall launch
Firewall traversal
Enabling autorun for a service
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
cmd.exe control.exe expand.exe greyware hacktool keylogger packed
Link:
https://www.filescan.io/uploads/62587d22eab80a7a6c15b175/reports/81c9b2b9-2224-42d9-99b9-4a47c91f1265/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f4b30578-95da-4ca8-bd00-2d14d9ad0c04
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/977152
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates files in the system32 config directory
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sigma detected: Accessing WinAPI in PowerShell. Code Injection
Sigma detected: Suspicious Remote Thread Created
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses netsh to modify the Windows network and firewall settings
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 609641 Sample: Fza7TPh6Z7.exe Startdate: 14/04/2022 Architecture: WINDOWS Score: 100 96 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->96 98 Antivirus / Scanner detection for submitted sample 2->98 100 Multi AV Scanner detection for submitted file 2->100 102 4 other signatures 2->102 11 Fza7TPh6Z7.exe 37 2->11         started        16 System.exe 2->16         started        process3 dnsIp4 84 iplogger.org 148.251.234.83, 443, 49715, 49716 HETZNER-ASDE Germany 11->84 86 bitbucket.org 104.192.141.1, 443, 49713, 49717 AMAZON-02US United States 11->86 92 3 other IPs or domains 11->92 76 C:\ProgramData\UpSys.exe, PE32+ 11->76 dropped 78 C:\ProgramData\MicrosoftNetwork\System.exe, PE32+ 11->78 dropped 80 C:\ProgramData\...\System.exe:Zone.Identifier, ASCII 11->80 dropped 82 C:\Users\user\AppData\Local\...\UpSys[1].exe, PE32+ 11->82 dropped 108 Query firmware table information (likely to detect VMs) 11->108 110 May check the online IP address of the machine 11->110 112 Modifies the windows firewall 11->112 122 3 other signatures 11->122 18 powershell.exe 1 28 11->18         started        21 cmd.exe 11->21         started        23 cmd.exe 11->23         started        31 37 other processes 11->31 88 52.216.112.243, 443, 49730 AMAZON-02US United States 16->88 90 192.168.2.1 unknown unknown 16->90 94 2 other IPs or domains 16->94 114 Antivirus detection for dropped file 16->114 116 Multi AV Scanner detection for dropped file 16->116 118 Tries to detect sandboxes and other dynamic analysis tools (window names) 16->118 120 Machine Learning detection for dropped file 16->120 25 powershell.exe 16->25         started        27 conhost.exe 16->27         started        29 WerFault.exe 16->29         started        file5 signatures6 process7 signatures8 104 Uses netsh to modify the Windows network and firewall settings 18->104 33 UpSys.exe 18->33         started        45 2 other processes 18->45 35 taskkill.exe 21->35         started        37 conhost.exe 21->37         started        39 taskkill.exe 23->39         started        41 conhost.exe 23->41         started        43 UpSys.exe 25->43         started        47 2 other processes 25->47 49 49 other processes 31->49 process9 process10 51 UpSys.exe 33->51         started        53 conhost.exe 35->53         started        55 taskkill.exe 35->55         started        57 conhost.exe 39->57         started        59 UpSys.exe 43->59         started        61 conhost.exe 49->61         started        process11 63 UpSys.exe 51->63         started        65 UpSys.exe 59->65         started        process12 67 powershell.exe 63->67         started        70 powershell.exe 65->70         started        signatures13 106 Creates files in the system32 config directory 67->106 72 conhost.exe 67->72         started        74 conhost.exe 70->74         started        process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/41a0c85fe2ebc2e7849b3acfa57b834c9c953ab515512cf254bbab2a28bdcec9/
Threat name:
Win64.Trojan.Miner
Create hunting rule
Status:
Malicious
First seen:
2022-04-13 06:49:57 UTC
File Type:
PE+ (Exe)
Extracted files:
2
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
15d06d1741cc8b5495da9c79c6f630e33060e80c73da9666500f6f0bdf5ff259
26a4c5b36d9fde80ea47137eb53b40dacf240432a5895f98417eae51b6b681da
2c7e8a9b546f7c133469fabcfc200e5ab79da84ffa180fda9e088bc5476af860
437f639d05da27e1909877e3f8c39f70ee5d525a8be7c631e69f4141db287ab6
4e7105da7face5917f66842ba73810d29826cb971140f9da2b0efb7a37de3c0e
5879d39a0bab80032ebc751728e034cf7ec7fb30749090b5df8c37100034ef95
babf526ebe596643961a64b67dea3846f45355f4852f560046f06b633141b2a3
cd405e770529383fa2faaa18d006bd308d72a18995f808229677a2f803d2de96
edb86e9c3d29b3d13c82562dc1aeb1cd7e2c33e2bfcbae30791bf1d1aaf4345f
+ 3'602 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence themida trojan
Link:
https://tria.ge/reports/220414-yqzf4sghb6/
Behaviour
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Loads dropped DLL
Themida packer
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Modifies security service
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SH256 hash:
41a0c85fe2ebc2e7849b3acfa57b834c9c953ab515512cf254bbab2a28bdcec9
MD5 hash:
e67b1abf49c1d759f8bb70643a40191d
SHA1 hash:
84e0064d148b2107332c04e0f5261c187f96a4b9
Link:
https://www.unpac.me/results/916d0989-c317-4635-b463-59f299988043/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.46
Link:
https://yomi.yoroi.company/submissions/41a0c85fe2ebc2e7849b3acfa57b834c9c953ab515512cf254bbab2a28bdcec9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 41a0c85fe2ebc2e7849b3acfa57b834c9c953ab515512cf254bbab2a28bdcec9

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2148218/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/263859/

Comments