MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 63ca43cb57d0f7cd204631a9e9ae8e9856787fb246b84bd99ec3561f5adb24ca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 11

Intelligence 11 IOCs YARA 8 File information Comments

SHA256 hash:	63ca43cb57d0f7cd204631a9e9ae8e9856787fb246b84bd99ec3561f5adb24ca
SHA3-384 hash:	182044962e2cf044917f56a1b915ac6ac9ea50f62e7eb4fa982fcfbd1300b90f0bfefbf49285b3e44462f9e5b82e4c2e
SHA1 hash:	95431564b79ca038cdbfa28903e99f791cc421f0
MD5 hash:	877075c3dc40355ad4c4da167fc6cc3b
humanhash:	nineteen-pip-mobile-lithium
File name:	877075c3dc40355ad4c4da167fc6cc3b.exe
Download:	download sample
File size:	4'068'393 bytes
First seen:	2023-08-25 12:06:25 UTC
Last seen:	2023-08-25 17:05:58 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	d5e0355f8764c235b38759b860077ceb (1 x Adware.QQpass, 1 x CoinMiner)
ssdeep	98304:/1IGkrpfCFNxteZv3Fxcf0aTW1QSgp8txSmALv:dIVfiNxc3fclzSgetImAD
Threatray	11 similar samples on MalwareBazaar
TLSH	T19E163341ADDB5FBBE6DF99F2D5648C2D031A6510FB6145E7C2810E68F0DEAAE78D0B00
TrID	27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 20.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 18.6% (.EXE) Win32 Executable (generic) (4505/5/1) 8.5% (.ICL) Windows Icons Library (generic) (2059/9) 8.3% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	a661d572b3b0f0f2 (1 x Adware.QQpass, 1 x CoinMiner)
Reporter	abuse_ch
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

259

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

877075c3dc40355ad4c4da167fc6cc3b.exe

Verdict:

Malicious activity

Analysis date:

2023-08-25 12:09:31 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/c77e2bf3-e63f-4d42-ac4a-ee5b457b9d18

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/444735/

Detection(s):

PUA.Win.Packer.Asprotect-3

Win.Malware.Flystudio-6937682-0

Win.Trojan.Agent-111655

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Creating a window

Сreating synchronization primitives

Sending a custom TCP request

Sending an HTTP GET request

Creating a file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

overlay packed packed

Link:

https://www.filescan.io/uploads/64e8996abf947976df44e0bd/reports/638ee1ce-03a6-4ce1-93c9-53f943110db3/overview

Verdict:

Malicious

Labled as:

Zusy.Generic

Link:

https://www.hybrid-analysis.com/sample/63ca43cb57d0f7cd204631a9e9ae8e9856787fb246b84bd99ec3561f5adb24ca

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

CoinMiner

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5c23e4d1-7e4b-4729-8c8d-ab07fbf2f27a

Result

Threat name:

n/a

Detection:

malicious

Classification:

evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/1297354

Signature

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

PE file has a writeable .text section

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/63ca43cb57d0f7cd204631a9e9ae8e9856787fb246b84bd99ec3561f5adb24ca/

Threat name:

Win32.Trojan.Zusy

Status:

Malicious

First seen:

2023-08-24 13:24:17 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

24 of 35 (68.57%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=mpfehs2x2d342icgggu6tluotblhq75si24exwm6ynlb6ww3etfa._file

Verdict:

malicious

149741274dbc5dc82d83766d39bcfb918f8ac5757e0002b1ab5c56f6e6648074

1c2ffcdacc67ed928064e5eea666a7e09e635854b6daa07c41ceeb7033ed923e

20f50b240a1aaea2b5a962a03e4b07db415a7c8149e7777f608f32705761681c

341cd2df1ecb5f27225c1f53bcc38cec2e5e94503f0b3c2040b93a01b7721aea

729b9c38e2230f41260beef114d0a3714da4914642f99b383e7b0c909620b664

738ff1b734f45db5f96fcf7cf44bc19be88ae922ef08a4b1952bdc3b12e86090

a92ef3003ca08593ac9552ca1f4a3b8e9586b9177c4cdf7a13b008d4e2eed9de

af627addc0146dfa2e5c4c60e755397245d74469b5898f1887ba8db82afb37c5

bd0d884649509aece899372e0bea6f6dbe833b463e35206753dae69a0bc60632

+ 1 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

aspackv2

Link:

https://tria.ge/reports/230825-paa9xadc51/

Behaviour

Modifies Internet Explorer settings

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Enumerates physical storage devices

ASPack v2.12-2.42

Loads dropped DLL

Unpacked files

SH256 hash:

0216a0f6d6d5360ab487e696b26a39eb81a1e2c8cd7f59c054c90ab99a858daf

MD5 hash:

d2a9c02acb735872261d2abc6aff7e45

SHA1 hash:

fce6c2cf2465856168ea55ccd806155199a6f181

Link:

https://www.unpac.me/results/ac13bd65-335b-49bb-b389-24e8f3d224f9/

SH256 hash:

fd672602ed6371ee5ec7d4d1c0311c4326ff075316c91dd628b075b046fae682

MD5 hash:

1a4d03ebc83a1fc3150c4bc9fd597b45

SHA1 hash:

dd7b3aead6f38ebfa3a3439b39beab3de1d0513b

Link:

https://www.unpac.me/results/ac13bd65-335b-49bb-b389-24e8f3d224f9/

SH256 hash:

2e9769ace867c79d5fcdda0eb2660c52b5e062c69b36add42d22eb0dddc4b3ee

MD5 hash:

f9a994df4d407bc79f7c84886fe7a654

SHA1 hash:

c93e4be70794164b7b339218cc832ac94074d08e

Link:

https://www.unpac.me/results/ac13bd65-335b-49bb-b389-24e8f3d224f9/

SH256 hash:

a8b14f31098a191631696db5ddc77e029b48999542e0ec15b63df02220c66d37

MD5 hash:

dba5fdbe7ec94463b3f6fdf2162c9f95

SHA1 hash:

a97137b4f2b77166b2a23da1f58e0bdb7365f4f2

Link:

https://www.unpac.me/results/ac13bd65-335b-49bb-b389-24e8f3d224f9/

Parent samples :

05cc7a32e5a0023f9e1c790f97b069ccd27ada59ea8b9864f7f9069e3049663c
0def3cbaec84dc2729761b4a47590d888cf93ed2097d6dfd6dda7d3b29471ef3
0b2a852742c7d974fe16a45a7c6fb5efcf7b03f19e7029f9c43284a2ea5be84f
b59199454fb6665bfd64c5a88d13532eb56b22735b83ba262cc643dd290d5f97
e30a9bee5ee26e31edbdd2654969551cbabd2694b8703539f768c04b53c19be0

SH256 hash:

d1a1c6bac6a498adccdafab9d600a372aa9d5b826a33cfa06aaa9f75357c5b23

MD5 hash:

8f385e7c8cf1f8ebdae0448473977cc7

SHA1 hash:

942bf465e29a5e5f85580eb30aa9510b92f802d7

Link:

https://www.unpac.me/results/ac13bd65-335b-49bb-b389-24e8f3d224f9/

SH256 hash:

25ed7ed1a08c63f40da1d378c9922efd0db9627e2856848469961bf64a86e40d

MD5 hash:

af60aac7484ba84bfb6d5a39aea349a3

SHA1 hash:

7e4862c0735ac4f881de87317fc3e864eaa33cce

Link:

https://www.unpac.me/results/ac13bd65-335b-49bb-b389-24e8f3d224f9/

SH256 hash:

53483523c316ad8c022c2b07a5cabfff3339bc5cb5e4ac24c3260eea4f4d9731

MD5 hash:

7c1ff88991f5eafab82b1beaefc33a42

SHA1 hash:

5ea338434c4c070aaf4e4e3952b4b08b551267bc

Link:

https://www.unpac.me/results/ac13bd65-335b-49bb-b389-24e8f3d224f9/

SH256 hash:

1b28d05c306b575319c6fb9b08276b2204a7b569d9e540879ce67c8d17640990

MD5 hash:

f6a2a92194fc69858ffa9aa1557454da

SHA1 hash:

47dbb9abb4d83e2d21c6107c11244f8daae0cc5d

Link:

https://www.unpac.me/results/ac13bd65-335b-49bb-b389-24e8f3d224f9/

SH256 hash:

19b4d189a73b79a73c2ddd678ed5ff7357d92494cf76a21372a58e3dce075d50

MD5 hash:

e5e521468e2a9f9b314e06e29116b5a9

SHA1 hash:

4044a4efd7998e8c4245e632b18056b089f0aa53

Link:

https://www.unpac.me/results/ac13bd65-335b-49bb-b389-24e8f3d224f9/

SH256 hash:

4bed8a6e4e1548fddee40927b438132b47ef2aca6e9beb06b89fcf7714726310

MD5 hash:

1eece63319e7c5f6718562129b1572f1

SHA1 hash:

089ea3a605639eb1292f6a2a9720f0b2801b0b6e

Link:

https://www.unpac.me/results/ac13bd65-335b-49bb-b389-24e8f3d224f9/

SH256 hash:

590c9ba4cad5a401c071f89f8468c45031a637f1c137ca320d9dbe82e4beabd6

MD5 hash:

2b86ad8cd1903916ae5a3cd7ec2f1b9e

SHA1 hash:

0240b4f0795ed3bf24748954fee6751901f26f2c

Link:

https://www.unpac.me/results/ac13bd65-335b-49bb-b389-24e8f3d224f9/

SH256 hash:

44118bc5c144ecf7c28b42d116a31df957291dc44354af67db76d6b16ad40ef5

MD5 hash:

3809a3c164466a92a140aa0f075238f2

SHA1 hash:

1698f99ca1f142aa6824b0f68698e97dedef8e13

Link:

https://www.unpac.me/results/ac13bd65-335b-49bb-b389-24e8f3d224f9/

SH256 hash:

63ca43cb57d0f7cd204631a9e9ae8e9856787fb246b84bd99ec3561f5adb24ca

MD5 hash:

877075c3dc40355ad4c4da167fc6cc3b

SHA1 hash:

95431564b79ca038cdbfa28903e99f791cc421f0

Link:

https://www.unpac.me/results/ac13bd65-335b-49bb-b389-24e8f3d224f9/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/63ca43cb57d0f7cd204631a9e9ae8e9856787fb246b84bd99ec3561f5adb24ca

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ASPackv212AlexeySolodovnikov Create hunting rule
Author:	malware-lu

Rule name:	ASProtectV2XDLLAlexeySolodovnikov Create hunting rule
Author:	malware-lu

Rule name:	CMD_Ping_Localhost Create hunting rule

Rule name:	INDICATOR_EXE_Packed_ASPack Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with ASPack

Rule name:	maldoc_getEIP_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	SUSP_XORed_URL_in_EXE Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	SUSP_XORed_URL_in_EXE_RID2E46 Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe 63ca43cb57d0f7cd204631a9e9ae8e9856787fb246b84bd99ec3561f5adb24ca

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2301795/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/444735/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample