MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4501d85e86cf567897f6c4ed7b1f7877cee415f92760566404b1f1daf8f4d6e5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Zyklon


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4501d85e86cf567897f6c4ed7b1f7877cee415f92760566404b1f1daf8f4d6e5
SHA3-384 hash: ef3813b43b839cf1440419ab150a37908a6fb9b0da36e0195eefac727e6cc59e586441a0d8739b7ff9c47bc4f8c4a820
SHA1 hash: 4787230a896e666d85e77c6e71e8a347433b5098
MD5 hash: 99dd44876baa90714269ed17e412ea7a
humanhash: orange-cat-princess-october
File name:99dd44876baa90714269ed17e412ea7a
Download: download sample
Signature Zyklon
Create hunting rule
File size:849'920 bytes
First seen:2022-07-26 16:31:26 UTC
Last seen:2022-07-26 18:59:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 12288:2cRbFueFELgMDuWzvrRUxI5aknPnFaGqXfu7YQLpI55hd8olHVK5Yp181rKxy6PX:JbFaLUSrRsIkkIwJp4c
Threatray 346 similar samples on MalwareBazaar
TLSH T1E2054F597A0B4FB6DE4E05F0C392B9499F20DC66BBC0D4E629B15CC9A60D9C2EC4D48F
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter zbetcheckin
Tags:exe Zyklon

Intelligence

File Origin
# of uploads :
2
# of downloads :
439
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/294421/
Detection(s):
SecuriteInfo.com.Trojan.InjectNET.14.31075.28142.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Сreating synchronization primitives
Creating a file
Creating a file in the %temp% directory
Enabling the 'hidden' option for recently created files
Running batch commands
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Using the Windows Management Instrumentation requests
DNS request
Sending an HTTP POST request
Blocking the Windows Defender launch
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/62e0170d7dd0cb902f016bc6/reports/e1c689ac-e074-46fd-9af8-711a908d92f8/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7b0c1d48-7bac-4d6c-8eb7-0835c375e3b4
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1041252
Signature
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found strings related to Crypto-Mining
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 673747 Sample: TujyOM6vZc Startdate: 26/07/2022 Architecture: WINDOWS Score: 100 29 microsoftvisualstudio.wtf 2->29 39 Multi AV Scanner detection for domain / URL 2->39 41 Antivirus detection for URL or domain 2->41 43 Antivirus / Scanner detection for submitted sample 2->43 45 6 other signatures 2->45 8 TujyOM6vZc.exe 5 2->8         started        signatures3 process4 file5 25 C:\ProgramData\epicgames\RLNEY.exe, PE32+ 8->25 dropped 27 C:\Users\user\AppData\...\TujyOM6vZc.exe.log, ASCII 8->27 dropped 47 Detected unpacking (changes PE section rights) 8->47 49 Adds a directory exclusion to Windows Defender 8->49 12 cmd.exe 1 8->12         started        14 powershell.exe 21 8->14         started        signatures6 process7 process8 16 RLNEY.exe 12->16         started        19 conhost.exe 12->19         started        21 timeout.exe 1 12->21         started        23 conhost.exe 14->23         started        signatures9 31 Antivirus detection for dropped file 16->31 33 Multi AV Scanner detection for dropped file 16->33 35 Detected unpacking (changes PE section rights) 16->35 37 Machine Learning detection for dropped file 16->37
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4501d85e86cf567897f6c4ed7b1f7877cee415f92760566404b1f1daf8f4d6e5/
Threat name:
ByteCode-MSIL.Trojan.Cerbu
Create hunting rule
Status:
Malicious
First seen:
2022-07-25 20:43:00 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
3
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=iua5qxugz5lhrf7wytwxwh3yo7hoifpze5qfmzaewhy5v6hu23sq._file
Verdict:
malicious
Similar samples:
0077e7d6e90ad972b64e90c343c617482f39505deff44ebff99ff49041252dcb
Zyklon
38ce628c98b083b2de29baa5f294dd16e90468926f0101d68f2a1f20c79dea25
Zyklon
5b3273f09ad5782f7a310f93799361caa312624ab75e7a09c445af4422ce467a
Zyklon
73b569701300146f7c31f8017d86e64811f0984acc27afd8831414f21d42cf12
Zyklon
b924bd60cc419ee92e7c55cb20eb5fe43e2a9c440b5d6ed8b78446bbd180795c
Zyklon
b929d80990e7bb23fa5b8d8ab2f54d687f73b5e1c3c30d2f1e1271bae0fd7a99
Zyklon
c5f1fea2d9ffc0a1be85ed94f6ab57e14affca55f0cd44207a1b85e99b26a8fc
Zyklon
f1156e18afdec093a4f8da69a5d11910a119cb9d6d8a7448e8a3655b4023975d
Zyklon
+ 336 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion trojan
Link:
https://tria.ge/reports/220726-t1yv4sege2/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Uses the VBS compiler for execution
Windows security modification
Executes dropped EXE
Modifies Windows Defender Real-time Protection settings
Unpacked files
SH256 hash:
4501d85e86cf567897f6c4ed7b1f7877cee415f92760566404b1f1daf8f4d6e5
MD5 hash:
99dd44876baa90714269ed17e412ea7a
SHA1 hash:
4787230a896e666d85e77c6e71e8a347433b5098
Link:
https://www.unpac.me/results/d10f9f2b-2861-4f05-9a42-ccfe324db039/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4501d85e86cf/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Zyklon

Executable exe 4501d85e86cf567897f6c4ed7b1f7877cee415f92760566404b1f1daf8f4d6e5

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2261618/
Cape
Cape
https://www.capesandbox.com/analysis/294421/

Comments


Avatar
zbet commented on 2022-07-26 16:31:30 UTC

url : hxxp://a0669976.xsph.ru/sgot.exe