MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5d459a560ce1e32853c637997806cf8080c8d8f02d0c136057a0344d543b2532. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 8



SHA256 hash: 5d459a560ce1e32853c637997806cf8080c8d8f02d0c136057a0344d543b2532
SHA3-384 hash: 716086b28debf0edd2b83832d220addd8ec7a4ae15621d8bb989e1f707642c958e344791171e47de4f1032c6caa66fd2
SHA1 hash: 0da43b681b5e5fe75a6db19f791ac3e651b0d528
MD5 hash: b7cc73b06361183296b1e9f6d0df01d8
humanhash: west-artist-delta-winner
File name: Software version 3.0.5.1.exe
File size: 3'117'880 bytes
First seen: 2021-08-04 14:20:45 UTC
Last seen: 2021-08-04 15:24:13 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 4328f7206db519cd4e82283211d98e83 (533 x RedLineStealer, 18 x Arechclient2, 15 x DCRat)
ssdeep: 49152:mYldKR1KIA39vtjG7FSilg9W0hmsyZByKvJargzDZYTijl0No6tKat9/TLuFZJLG:mYza1TU9vMgilg9phnyrLvJarLE0KBaH
Threatray: 98 similar samples on MalwareBazaar
TLSH: T1E6E5334C8F50D223CA5C2930BFB37A9CDBC57511588463B8A82AC652D8FB6357B2DDC2
Reporter: Anonymous
Tags: exe

Intelligence


File Origin
# of uploads: 3
# of downloads: 107
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Software version 3.0.5.1.exe
Verdict: Malicious activity
Analysis date: 2021-08-04 14:23:20 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for analyzing tools
Searching for the window
Connection attempt
Sending an HTTP GET request
Creating a file
Sending a UDP request
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates processes via WMI
Detected unpacking (changes PE section rights)
Drops executables to the windows directory (C:\Windows) and starts them
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph (graph rendering not reproducible in text): Behavior Graph ID: 459346, Sample: Software version 3.0.5.1.exe, Startdate: 04/08/2021, Architecture: WINDOWS, Score: 100
Threat name: Win32.Backdoor.LightStone
Status: Malicious
First seen: 2021-08-04 14:21:07 UTC
AV detection: 23 of 46 (50.00%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:xmrig evasion miner persistence spyware stealer themida trojan
Behaviour
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Checks BIOS information in registry
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
XMRig Miner Payload
Process spawned unexpected child process
xmrig
Unpacked files
SHA256 hash: dcb842f5e0da9d486cad34d4b809dcaadf9ec4d6991fdb22bdc9aea66489ad1a
MD5 hash: c02a029c978f13b753c6b578b1588c75
SHA1 hash: e125d59451e7f467bfd329a00a506decbcd91d83
SHA256 hash: 5d459a560ce1e32853c637997806cf8080c8d8f02d0c136057a0344d543b2532
MD5 hash: b7cc73b06361183296b1e9f6d0df01d8
SHA1 hash: 0da43b681b5e5fe75a6db19f791ac3e651b0d528
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_EXE_Packed_Themida
Author: ditekSHen
Description: Detects executables packed with Themida

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments