MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4c4db9faeb1bd7b7171e47bd886cf835c77f198a23c7618e80f356c5babaf295. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 7



SHA256 hash: 4c4db9faeb1bd7b7171e47bd886cf835c77f198a23c7618e80f356c5babaf295
SHA3-384 hash: 9788ff0e97ed1b51ecb1f71cec627b050a11e4e291b2d9d4832be354da55da3c94020703526fa5e9ba58e974ce3e170e
SHA1 hash: 329b638cf4a995959f5c92df66284f00531e1d55
MD5 hash: 934f1d68402b6a18f2fb34e824a7f455
humanhash: spring-ten-cardinal-may
File name: 934f1d68402b6a18f2fb34e824a7f455
File size: 4'665'592 bytes
First seen: 2022-01-12 08:41:41 UTC
Last seen: 2022-01-12 13:08:19 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash baa93d47220682c04d92f7797d9224ce (139 x RiseProStealer, 26 x Xtrat, 18 x CoinMiner)
ssdeep 98304:z/mr4jFr5PaPYl26+OdIx5pFuMmeSQnCDwjRApC7/I/:zerY5C/OdIx5pMSz9ja8rK
TLSH T1DF26AEA27A0AD3BFC7834474A4139907CD7603D2D750AAC7ED1878789963ACD32FAB54
Reporter zbetcheckin
Tags: 32 exe

Intelligence


File Origin
# of uploads: 3
# of downloads: 175
Origin country: n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
934f1d68402b6a18f2fb34e824a7f455
Verdict:
Suspicious activity
Analysis date:
2022-01-12 12:54:56 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Searching for analyzing tools
Searching for the window
Running batch commands
DNS request
Sending an HTTP GET request
Launching a process
Downloading the file
Gathering data
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Signature
Detected unpacking (changes PE section rights)
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Sigma detected: Powershell download and execute file
Sigma detected: PowerShell DownloadFile
Suspicious powershell command line found
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to download and execute files (via powershell)
Tries to evade analysis by execution special instruction which cause usermode exception
Behaviour
Threat name:
Win32.Trojan.Phpw
Status:
Malicious
First seen:
2022-01-11 22:17:09 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
19 of 43 (44.19%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks BIOS information in registry
Identifies Wine through registry keys
Blocklisted process makes network request
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Malware Config
Dropper Extraction:
http://62.109.4.68/UpdateWindows.exe
Unpacked files
SHA256 hash:
fe6a493a94371e1db0734fd7ab0e933f655af13591e039499c5b9dd4a3053472
MD5 hash:
6b38c00890064698083a8f1c0dee06f3
SHA1 hash:
d7ee69a8a09e39ab3857e7570c2bafb59e920cce
SHA256 hash:
4c4db9faeb1bd7b7171e47bd886cf835c77f198a23c7618e80f356c5babaf295
MD5 hash:
934f1d68402b6a18f2fb34e824a7f455
SHA1 hash:
329b638cf4a995959f5c92df66284f00531e1d55
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sectigo_Code_Signed
Description:Detects code signed by the Sectigo RSA Code Signing CA
Reference:https://bazaar.abuse.ch/export/csv/cscb/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Executable exe 4c4db9faeb1bd7b7171e47bd886cf835c77f198a23c7618e80f356c5babaf295 (this sample)

Delivery method: Distributed via web download

Comments



zbet commented on 2022-01-12 08:41:43 UTC

url: hxxp://data-host-coin-8.com/files/1787_1641897555_6214.exe