MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 477006ea2705b58613ca7d69c6b0870b1a004f9ba76b54bea7d19453e06abd41. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Zyklon

Vendor detections: 10

Intelligence 10 IOCs YARA 1 File information Comments

SHA256 hash:	477006ea2705b58613ca7d69c6b0870b1a004f9ba76b54bea7d19453e06abd41
SHA3-384 hash:	5948f7127b5663d923f73cb33ff34241754b80dc3711cac877eed25244f076dbe2707850c2f804bc1c608617a659343b
SHA1 hash:	ecfd00a88908148063be4a560832eaec60f778f9
MD5 hash:	24edccf341c5a06a1d6c8ff386003b4f
humanhash:	skylark-earth-uranus-sink
File name:	file
Download:	download sample
Signature	Zyklon Create hunting rule
File size:	2'670'080 bytes
First seen:	2023-07-08 05:26:43 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
ssdeep	24576:tv+b+TWHh6VZVuAY7gLszIiAGYJRxdHdq/U2uWsrpem9UMRZ7T:tWqTPuM/JRxdHd5Frpem9UMRZ
Threatray	692 similar samples on MalwareBazaar
TLSH	T14AC55C71B4C18CA2CD8A03F1A6AF54050E528E521B68A58D36DBB7DFE7BE3C3748D146
TrID	40.9% (.EXE) Win64 Executable (generic) (10523/12/4) 19.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.0% (.EXE) Win16/32 Executable Delphi generic (2072/23) 8.0% (.ICL) Windows Icons Library (generic) (2059/9) 7.8% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	f4f4f6cefb23e361 (1 x Zyklon, 1 x Arechclient2)
Reporter	andretavare5
Tags:	exe Zyklon

andretavare5

Sample downloaded from http://red.mk/netTime.exe

Intelligence

File Origin

# of uploads :

# of downloads :

297

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/411413/

Detection(s):

SecuriteInfo.com.Variant.MSILHeracles.93536.3055.31286.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a file

Using the Windows Management Instrumentation requests

Adding an exclusion to Microsoft Defender

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

explorer lolbin overlay packed

Link:

https://www.filescan.io/uploads/64a8f3a60e49d672f31ea9ba/reports/2f4751d1-8e91-48f1-800e-fae931599fff/overview

Verdict:

Malicious

Labled as:

MSILHeracles.Generic

Link:

https://www.hybrid-analysis.com/sample/477006ea2705b58613ca7d69c6b0870b1a004f9ba76b54bea7d19453e06abd41

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/9d469e83-24f8-46ac-a927-32ea8b856f14

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/477006ea2705b58613ca7d69c6b0870b1a004f9ba76b54bea7d19453e06abd41/

Threat name:

ByteCode-MSIL.Trojan.Privateloader

Status:

Malicious

First seen:

2023-07-07 23:49:13 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

301

AV detection:

17 of 38 (44.74%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=i5yan2rhaw2yme6kpvu4nmehbmnaat43u5vvjpvh2gkfhydkxvaq._file

Verdict:

malicious

Zyklon

106dbb50c553bbf2fc3e5e31443cb8d78b97f1e1a7ba07dc1e0bc1b29beb7f46

Zyklon

16bd19342581c44c063d66f6fcd8ca6fcacfdd9a47f3adbfe3ad3d2a877ced56

Zyklon

31d46975095ad3f3510b9d6fee3228de3c9a536abf64898c9857c31e43cdc93a

Zyklon

7c4d7e3e118dec78c66dd7a90eb7209c790837cc7e41f44e49b9542ca2466ff8

Zyklon

92af4af2f69e4483dfc37894d1f5cf1f2fc3cfa343af82a54eb1b3307c09e91b

Zyklon

9dca904c03551d33f96618bae69cb43811bd5072826ead4e1b7072229451a376

Zyklon

cfa0e89054a2c3e47b0f0f036f26639897bfd79977ffce5697910a13136a462d

Zyklon

+ 682 additional samples on MalwareBazaar

Result

Malware family:

xmrig

Score:

10/10

Tags:

family:xmrig miner

Link:

https://tria.ge/reports/230708-f5efdach63/

Behaviour

Creates scheduled task(s)

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Enumerates physical storage devices

Program crash

Suspicious use of SetThreadContext

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

XMRig Miner payload

xmrig

Unpacked files

SH256 hash:

477006ea2705b58613ca7d69c6b0870b1a004f9ba76b54bea7d19453e06abd41

MD5 hash:

24edccf341c5a06a1d6c8ff386003b4f

SHA1 hash:

ecfd00a88908148063be4a560832eaec60f778f9

Link:

https://www.unpac.me/results/ac4fba8c-849c-439f-8462-26c5f19fae48/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/477006ea2705/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/477006ea2705b58613ca7d69c6b0870b1a004f9ba76b54bea7d19453e06abd41

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

URLhaus

https://urlhaus.abuse.ch/url/2662087/

Cape

https://www.capesandbox.com/analysis/411413/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample