MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5ee9f4addc6c85c45a7a66f9b61c4d7977f21d8ce1aadf667508f4623b317572. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5ee9f4addc6c85c45a7a66f9b61c4d7977f21d8ce1aadf667508f4623b317572
SHA3-384 hash: 1595431f4dc990f8f3b0b99119c359cf7cf153eead56285aec0149d4b272a569a15b7b59ce050335c41e8f1b5a36bc2d
SHA1 hash: bb984fd9c577af95d366878f637ea35cef01e873
MD5 hash: 334eaf9d3c65ab489fdec2f7a88c1184
humanhash: carbon-carolina-undress-undress
File name:334eaf9d3c65ab489fdec2f7a88c1184.exe
Download: download sample
File size:5'660'832 bytes
First seen:2021-07-19 08:56:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a56f115ee5ef2625bd949acaeec66b76 (54 x Stealc, 52 x PureHVNC, 35 x CoinMiner)
ssdeep 49152:CzgO7fXhU65RQBopE7u6PcKIuTEE4D7XdWs7ki9FeGQY8kd59+94+mzUKhXGemju:CXzfsBopE7u6PcXZDhWhSHdb+K+m3XGu
Threatray 61 similar samples on MalwareBazaar
TLSH T15F4618E35AD2A25AC296C4F5C215B62F876F79F74E14E5C2C6F921B88933C803D24F25
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
94
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
334eaf9d3c65ab489fdec2f7a88c1184.exe
Verdict:
No threats detected
Analysis date:
2021-07-19 09:00:30 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2f4f137d-3775-4974-bb6e-c49ed80ff1fd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/172503/
Detection(s):
SecuriteInfo.com.Dropper.Generic.VZR.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/2cc96395-6901-45f1-b672-094ec77d6f8e
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/818146
Signature
Adds a directory exclusion to Windows Defender
Detected unpacking (changes PE section rights)
Found strings related to Crypto-Mining
Hides threads from debuggers
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Defender Exclusion
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 450555 Sample: 2KJSJthbAt.exe Startdate: 19/07/2021 Architecture: WINDOWS Score: 100 68 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->68 70 Multi AV Scanner detection for submitted file 2->70 72 Yara detected Xmrig cryptocurrency miner 2->72 74 3 other signatures 2->74 8 2KJSJthbAt.exe 2 5 2->8         started        12 MicrosoftApi.exe 14 5 2->12         started        process3 dnsIp4 44 C:\Users\user\AppData\...\MicrosoftApi.exe, PE32+ 8->44 dropped 46 C:\Users\user\AppData\...\2KJSJthbAt.exe.log, ASCII 8->46 dropped 48 C:\Users\user\...\ICSharpCode.SharpZipLib.dll, PE32 8->48 dropped 76 Detected unpacking (changes PE section rights) 8->76 78 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->78 80 Query firmware table information (likely to detect VMs) 8->80 15 MicrosoftApi.exe 1 5 8->15         started        56 77.232.43.180, 49750, 49751, 49752 EUT-ASEUTIPNetworkRU Russian Federation 12->56 50 C:\Users\user\AppData\...\ScreanDriver.exe, PE32+ 12->50 dropped 82 Hides threads from debuggers 12->82 84 Tries to detect sandboxes / dynamic malware analysis system (registry check) 12->84 19 ScreanDriver.exe 12->19         started        21 ScreanDriver.exe 12->21         started        23 ScreanDriver.exe 12->23         started        25 3 other processes 12->25 file5 signatures6 process7 file8 52 C:\Users\user\AppData\...\tmp8062.tmp.cmd, DOS 15->52 dropped 58 Multi AV Scanner detection for dropped file 15->58 60 Detected unpacking (changes PE section rights) 15->60 62 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 15->62 66 4 other signatures 15->66 27 cmd.exe 1 15->27         started        30 cmd.exe 1 15->30         started        54 C:\Users\user\...\ScreanDriver.exe.log, ASCII 19->54 dropped 64 Machine Learning detection for dropped file 19->64 signatures9 process10 signatures11 86 Uses schtasks.exe or at.exe to add and modify task schedules 27->86 88 Adds a directory exclusion to Windows Defender 27->88 32 powershell.exe 23 27->32         started        34 conhost.exe 27->34         started        36 timeout.exe 1 27->36         started        38 conhost.exe 30->38         started        40 timeout.exe 1 30->40         started        42 schtasks.exe 1 30->42         started        process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5ee9f4addc6c85c45a7a66f9b61c4d7977f21d8ce1aadf667508f4623b317572/
Threat name:
Win64.Exploit.BypassUac
Create hunting rule
Status:
Malicious
First seen:
2021-07-18 10:43:15 UTC
AV detection:
10 of 27 (37.04%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
14754f307601049ba389cf7b9536db2049193b31f05330c7b6d4cb5cd8fa081f
49b57d024424267e79102b40cacbdb69c6e92ec41d5443d069da06e4eb083921
55d33f116ca5cbd1e8bbf9151c2f457f7f045c8b00b7980cada01d20e9bd29c6
6ba57cb21a12212bb988ccfc64bfadb07bc25b332905f3db1b84665c3a5ca5ce
757e7c2569cc52c9e1639fbca06e957cb40f775d5cb1a8aafa670131b62b0824
7c7cff0a48bcfe565fb02e3a39087ce2ad56d5b1c57b229f2d0142f41b7ab191
8aa1689d6acacf9f2eb2603db52dc5908e1ec5d80000deec13e2e038c2883413
cdf2ed21f6bda94bdebd880cb3e45005de2e714d8f1311f3d38684f103be2f00
+ 51 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion themida trojan
Link:
https://tria.ge/reports/210719-whmk82hmws/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Checks BIOS information in registry
Loads dropped DLL
Themida packer
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Unpacked files
SH256 hash:
5ee9f4addc6c85c45a7a66f9b61c4d7977f21d8ce1aadf667508f4623b317572
MD5 hash:
334eaf9d3c65ab489fdec2f7a88c1184
SHA1 hash:
bb984fd9c577af95d366878f637ea35cef01e873
Link:
https://www.unpac.me/results/301c5332-45be-4807-9f7e-9febfa2e54e4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/5ee9f4addc6c85c45a7a66f9b61c4d7977f21d8ce1aadf667508f4623b317572

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 5ee9f4addc6c85c45a7a66f9b61c4d7977f21d8ce1aadf667508f4623b317572

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1463746/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/172503/

Comments