MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 57e8fc9e724f9a78b7d6d7c2f640ea8842bdbd7dcd1480b9463237bd70de2725. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 57e8fc9e724f9a78b7d6d7c2f640ea8842bdbd7dcd1480b9463237bd70de2725
SHA3-384 hash: a21c40a988c683c718f7f4d3eeee694b4d4ba8fa08a815e45c5016328f078e396a74eb30e80eef244457fbcee78fd7d5
SHA1 hash: 05430322d0e0f3b9d14ee71f17ab11d15040ec45
MD5 hash: 695b5ba144d09b972e940abfad58ff09
humanhash: alanine-nuts-three-gee
File name:695b5ba144d09b972e940abfad58ff09.exe
Download: download sample
File size:3'268'608 bytes
First seen:2022-03-03 09:39:47 UTC
Last seen:2022-03-23 04:44:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 629d572bad2dcff0fc429ecaf29f92a3 (2 x CoinMiner)
ssdeep 49152:EYNmK8vSVzaNh1+iYv5ek4Uy70wmDJO67zRebQf/vydQkOlvi1wtBUYjW9236kx1:E+mAQ1+352Uy3967zRebYXyw/og
Threatray 147 similar samples on MalwareBazaar
TLSH T126E501FD6140339CC41E8C345523FD05E2B5952E0AE9D9EA7ADB7BC03FAE501EA06B46
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
209
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/246899/
Detection(s):
SecuriteInfo.com.Win32.Packed.VMProtect.ACR.32193.14992.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %AppData% subdirectories
Launching a process
Creating a process with a hidden window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Сreating synchronization primitives
Searching for synchronization primitives
Creating a process from a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending an HTTP GET request to an infection source
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  0/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/8045/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f675ab35-f23e-4659-9e9c-814fc622f7f3
Result
Threat name:
lolMiner Downloader
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/950179
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Found stalling execution ending in API Sleep call
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected lolMiner Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 582667 Sample: Ld9lAht2ws.exe Startdate: 03/03/2022 Architecture: WINDOWS Score: 100 106 Antivirus detection for URL or domain 2->106 108 Antivirus detection for dropped file 2->108 110 Multi AV Scanner detection for dropped file 2->110 112 5 other signatures 2->112 10 Ld9lAht2ws.exe 1 4 2->10         started        15 RegHost.exe 1 2->15         started        process3 dnsIp4 92 185.137.234.33, 49740, 8080 SELECTELRU Russian Federation 10->92 84 C:\Users\user\AppData\...\RegModule.exe, PE32+ 10->84 dropped 86 C:\Users\user\AppData\Roaming\...\RegHost.exe, PE32+ 10->86 dropped 88 C:\Users\user\AppData\Roaming\...\RegData.exe, PE32+ 10->88 dropped 114 Injects code into the Windows Explorer (explorer.exe) 10->114 116 Writes to foreign memory regions 10->116 118 Allocates memory in foreign processes 10->118 120 Injects a PE file into a foreign processes 10->120 17 explorer.exe 2 10->17         started        20 curl.exe 1 10->20         started        23 bfsvc.exe 1 10->23         started        25 conhost.exe 10->25         started        122 Multi AV Scanner detection for dropped file 15->122 124 Machine Learning detection for dropped file 15->124 126 Modifies the context of a thread in another process (thread injection) 15->126 27 explorer.exe 2 15->27         started        29 bfsvc.exe 1 15->29         started        31 conhost.exe 15->31         started        file5 signatures6 process7 dnsIp8 94 Found stalling execution ending in API Sleep call 17->94 33 RegHost.exe 17->33         started        36 curl.exe 1 17->36         started        38 curl.exe 1 17->38         started        48 12 other processes 17->48 90 api.telegram.org 149.154.167.220, 443, 49741 TELEGRAMRU United Kingdom 20->90 40 conhost.exe 20->40         started        42 conhost.exe 23->42         started        44 RegHost.exe 27->44         started        50 10 other processes 27->50 46 conhost.exe 29->46         started        signatures9 process10 signatures11 96 Injects code into the Windows Explorer (explorer.exe) 33->96 98 Writes to foreign memory regions 33->98 100 Allocates memory in foreign processes 33->100 52 explorer.exe 33->52         started        60 2 other processes 33->60 62 2 other processes 36->62 54 conhost.exe 38->54         started        56 conhost.exe 40->56         started        102 Modifies the context of a thread in another process (thread injection) 44->102 104 Injects a PE file into a foreign processes 44->104 58 explorer.exe 44->58         started        64 2 other processes 44->64 66 11 other processes 48->66 68 8 other processes 50->68 process12 process13 70 curl.exe 52->70         started        72 conhost.exe 52->72         started        74 conhost.exe 54->74         started        76 conhost.exe 58->76         started        78 curl.exe 58->78         started        80 conhost.exe 60->80         started        process14 82 conhost.exe 70->82         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/57e8fc9e724f9a78b7d6d7c2f640ea8842bdbd7dcd1480b9463237bd70de2725/
Threat name:
Win64.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2022-03-03 09:40:17 UTC
File Type:
PE+ (Exe)
AV detection:
18 of 27 (66.67%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
1635567f96d69d53a64c49fb4a8cb5d65663d545f4ae4ea7c6465b49e4c297f4
3a06f4cc6efdaf99f8ddeb7303f2a0b18db737261e29b95dc8571420af6fb0f7
527b3ec7f548207e3ef8509973591509e5d61c91d613c232329204dfa35535be
5aaecc91eecab8970deeef790df826ad10dd5fb4a40695b1143b9a84773c3223
99c01d1fd62da5b29fb9b5335319ae532d30679f39096284ee2da359a411b529
d057f4f00abe0297d81c25d6a1475c495b5784930ce77ca0b63bf2bad720b5e1
+ 137 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence upx
Link:
https://tria.ge/reports/220303-lm8jdsach8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
Unpacked files
SH256 hash:
57e8fc9e724f9a78b7d6d7c2f640ea8842bdbd7dcd1480b9463237bd70de2725
MD5 hash:
695b5ba144d09b972e940abfad58ff09
SHA1 hash:
05430322d0e0f3b9d14ee71f17ab11d15040ec45
Link:
https://www.unpac.me/results/c044f7af-152e-4c05-a5a6-f5d33eaee708/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.79
Link:
https://yomi.yoroi.company/submissions/57e8fc9e724f9a78b7d6d7c2f640ea8842bdbd7dcd1480b9463237bd70de2725

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 57e8fc9e724f9a78b7d6d7c2f640ea8842bdbd7dcd1480b9463237bd70de2725

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2073065/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/246899/

Comments