MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5bf224d571ac2670c97a3af9a87400805575b728e8c0a32e4f12f2f88d0ff2a6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5bf224d571ac2670c97a3af9a87400805575b728e8c0a32e4f12f2f88d0ff2a6
SHA3-384 hash: 446e93d753d3b3464d626f841b561b110fe0cf411f005cfc8887b59765c20a0a42618d86e8935fc32917e73077056249
SHA1 hash: 221a714c7ea143399c9dad504b12b29be2f62bc9
MD5 hash: d21a17b082c180ab291d60acd6472c08
humanhash: stairway-connecticut-bravo-maine
File name:setup.exe
Download: download sample
File size:10'745'360 bytes
First seen:2024-04-03 17:53:14 UTC
Last seen:2024-04-03 18:29:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 35a81d16af9f2ba6d515f11152d0364b (58 x CoinMiner, 2 x CobaltStrike)
ssdeep 196608:/H4wkCR3Peo3+hwP4Ff8Qg+rho+hs8sZbLV2dfN+zvidCGVgaYXMB0lvbWDjpqHi:/4wkCd3+hDEQLbs8ybLu4Did5gaYXMB1
TLSH T19CB6334E798F51D3EFD957B9CA6A296FAB55FCE2524C920CA3127840C336E4221C83DD
TrID 38.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
15.6% (.ICL) Windows Icons Library (generic) (2059/9)
15.4% (.EXE) OS/2 Executable (generic) (2029/13)
15.2% (.EXE) Generic Win/DOS Executable (2002/3)
15.2% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter Anonymous
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
337
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5bf224d571ac2670c97a3af9a87400805575b728e8c0a32e4f12f2f88d0ff2a6.exe
Verdict:
Malicious activity
Analysis date:
2024-04-03 17:56:26 UTC
Tags:
evasion
Link:
https://app.any.run/tasks/ceb0297e-6269-44af-a8b3-bc9fe7e94ca5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for analyzing tools
Searching for the window
Сreating synchronization primitives
Launching a process
Creating a file in the %temp% directory
Deleting a recently created file
Creating a file in the Program Files subdirectories
DNS request
Connection attempt
Sending a custom TCP request
Creating a window
Moving a file to the Program Files subdirectory
Replacing files
Sending an HTTP GET request
Forced system process termination
Adding an exclusion to Microsoft Defender
Changing the hosts file
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed packed themidawinlicense
Link:
https://www.filescan.io/uploads/660d97bed463a7b0477e363c/reports/822c779a-c1b1-42bb-a832-fc6676e81c2b/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/5bf224d571ac2670c97a3af9a87400805575b728e8c0a32e4f12f2f88d0ff2a6
Result
Verdict:
MALICIOUS
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/20bbd4c1-aee6-435d-a2c9-1e0de56c7a62
Result
Threat name:
n/a
Detection:
malicious
Classification:
adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1419671
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found direct / indirect Syscall (likely to bypass EDR)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Invoke-WebRequest Execution
Suspicious powershell command line found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1419671 Sample: setup.exe Startdate: 03/04/2024 Architecture: WINDOWS Score: 100 28 iplogger.com 2->28 34 Antivirus detection for dropped file 2->34 36 Antivirus / Scanner detection for submitted sample 2->36 38 Multi AV Scanner detection for dropped file 2->38 40 8 other signatures 2->40 7 setup.exe 2 2->7         started        11 powershell.exe 23 2->11         started        13 powershell.exe 14 27 2->13         started        16 svchost.exe 1 1 2->16         started        signatures3 process4 dnsIp5 24 C:\Program Filesbehaviorgraphoogle\Chrome\updater.exe, PE32+ 7->24 dropped 26 C:\Windows\System32\drivers\etc\hosts, ASCII 7->26 dropped 42 Suspicious powershell command line found 7->42 44 Query firmware table information (likely to detect VMs) 7->44 46 Tries to detect sandboxes and other dynamic analysis tools (window names) 7->46 48 7 other signatures 7->48 18 WmiPrvSE.exe 11->18         started        20 conhost.exe 11->20         started        30 iplogger.com 104.21.76.57, 443, 49704 CLOUDFLARENETUS United States 13->30 22 conhost.exe 13->22         started        32 127.0.0.1 unknown unknown 16->32 file6 signatures7 process8
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/5bf224d571ac2670c97a3af9a87400805575b728e8c0a32e4f12f2f88d0ff2a6
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5bf224d571ac2670c97a3af9a87400805575b728e8c0a32e4f12f2f88d0ff2a6/
Threat name:
Win64.Trojan.DisguisedXMRigMiner
Create hunting rule
Status:
Malicious
First seen:
2023-11-12 21:59:08 UTC
File Type:
PE+ (Exe)
Extracted files:
9
AV detection:
27 of 38 (71.05%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lpzcjvlrvqthbsl2hl42q5aaqbkxlnzi5dakglspclzprdip6kta._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion themida trojan
Link:
https://tria.ge/reports/240403-wgvqfsgc6s/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
Drops file in Program Files directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Checks BIOS information in registry
Themida packer
Blocklisted process makes network request
Drops file in Drivers directory
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SH256 hash:
5bf224d571ac2670c97a3af9a87400805575b728e8c0a32e4f12f2f88d0ff2a6
MD5 hash:
d21a17b082c180ab291d60acd6472c08
SHA1 hash:
221a714c7ea143399c9dad504b12b29be2f62bc9
Detections:
INDICATOR_EXE_Packed_Themida
Create hunting rule
Link:
https://www.unpac.me/results/ea55813b-b886-4baf-aeb2-6e35e7fa5d7b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5bf224d571ac2670c97a3af9a87400805575b728e8c0a32e4f12f2f88d0ff2a6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:HeavensGate
Create hunting rule
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 5bf224d571ac2670c97a3af9a87400805575b728e8c0a32e4f12f2f88d0ff2a6

(this sample)

  
Delivery method
Distributed via web download

Comments