MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 656feea079f74b94c31e4ad4fcdb2cb0b6c4f61a861db5084af2857c6a456c47. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 16


Intelligence 16 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 656feea079f74b94c31e4ad4fcdb2cb0b6c4f61a861db5084af2857c6a456c47
SHA3-384 hash: 8aed10ba30de64725c653fb31288d42d5a312bd0155224bc3ca2a11e114b78fcaffc666113ecafca0fe0c8453543e3a5
SHA1 hash: 043f4ab26eb710aa336e0cac2868311407d360e4
MD5 hash: 8b8262ee5164a7cad79367a6a7e5d1ad
humanhash: beryllium-wisconsin-red-finch
File name:file
Download: download sample
File size:9'114'280 bytes
First seen:2024-05-21 01:15:47 UTC
Last seen:2024-05-21 02:28:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 35a81d16af9f2ba6d515f11152d0364b (57 x CoinMiner, 2 x CobaltStrike)
ssdeep 196608:vDA4AqUb+3ahxQgpRdGOWPcwYXJ6Ii+CeaoLP2D+los2o2hT2rkOs:vDA407hxlpmOWPcT5VTCdmuD+DUhmE
Threatray 165 similar samples on MalwareBazaar
TLSH T18C96336D87164FCFEFAC1FF421E6D9A15DAC4193B87EADE2E47B1853005C6CE01A9809
TrID 33.6% (.EXE) OS/2 Executable (generic) (2029/13)
33.1% (.EXE) Generic Win/DOS Executable (2002/3)
33.1% (.EXE) DOS Executable Generic (2000/1)
Reporter Bitsight
Tags:exe


Avatar
Bitsight
url: https://vk.com/doc5294803_669740900?hash=ug7NPqAVfHNvHMYAkIprqapNCZOH7TbMbhdGexq2tJz&dl=WvTzaKFTjFiHjhNyjGfrlspzwcQOl0gMP35mMvNeWag&api=1&no_preview=1#sys32

Intelligence

File Origin
# of uploads :
2
# of downloads :
330
Origin country :
US US
Vendor Threat Intelligence
Malware family:
xmrig
Create hunting rule
ID:
1
File name:
656feea079f74b94c31e4ad4fcdb2cb0b6c4f61a861db5084af2857c6a456c47.exe
Verdict:
Malicious activity
Analysis date:
2024-05-21 01:18:05 UTC
Tags:
xmrig
Link:
https://app.any.run/tasks/801631dd-ae77-44fd-9d02-93d2a3873559

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win64.Evo-gen.3412.30609.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Tags:
Encryption Execution Network Stealth Heur
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Searching for analyzing tools
Сreating synchronization primitives
Running batch commands
Deleting a system file
Launching a process
Creating a service
Creating a file
Launching a service
Creating a process from a recently created file
Creating a file in the Windows subdirectories
Searching for synchronization primitives
Creating a file in the system32 subdirectories
Forced system process termination
Using the Windows Management Instrumentation requests
Connection attempt to an infection source
Loading a system driver
Setting browser functions hooks
Enabling autorun for a service
Unauthorized injection to a recently created process
Query of malicious DNS domain
Sending a TCP request to an infection source
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Unauthorized injection to a browser process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed packed themidawinlicense
Link:
https://www.filescan.io/uploads/664bf5d3d5c40bffee63efa9/reports/55675555-aff6-4b82-856d-99eeea2053da/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/656feea079f74b94c31e4ad4fcdb2cb0b6c4f61a861db5084af2857c6a456c47
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4eeac5d2-1958-4009-9ffa-d326512b806b
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1444651
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Detected unpacking (creates a PE file in dynamic memory)
Found direct / indirect Syscall (likely to bypass EDR)
Hides threads from debuggers
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Installs new ROOT certificates
Loading BitLocker PowerShell Module
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
PE file contains section with special chars
Protects its processes via BreakOnTermination flag
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Disable power options
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Stop EventLog
Snort IDS alert for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses powercfg.exe to modify the power settings
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1444651 Sample: file.exe Startdate: 21/05/2024 Architecture: WINDOWS Score: 100 58 time.windows.com 2->58 60 pool.hashvault.pro 2->60 72 Snort IDS alert for network traffic 2->72 74 Sigma detected: Stop EventLog 2->74 76 Sigma detected: Disable power options 2->76 78 6 other signatures 2->78 8 file.exe 1 2 2->8         started        12 hsuuyddhbzpg.exe 2->12         started        14 svchost.exe 2->14         started        16 7 other processes 2->16 signatures3 process4 file5 54 C:\ProgramData\...\hsuuyddhbzpg.exe, PE32+ 8->54 dropped 84 Query firmware table information (likely to detect VMs) 8->84 86 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 8->86 88 Uses powercfg.exe to modify the power settings 8->88 98 6 other signatures 8->98 18 dialer.exe 1 8->18         started        21 powershell.exe 23 8->21         started        23 cmd.exe 1 8->23         started        31 13 other processes 8->31 56 C:\Windows\Temp\exgiidmvdrnp.sys, PE32+ 12->56 dropped 90 Detected unpacking (creates a PE file in dynamic memory) 12->90 92 Protects its processes via BreakOnTermination flag 12->92 94 Tries to detect sandboxes and other dynamic analysis tools (window names) 12->94 100 2 other signatures 12->100 25 powershell.exe 12->25         started        27 cmd.exe 12->27         started        29 sc.exe 12->29         started        33 6 other processes 12->33 96 Changes security center settings (notifications, updates, antivirus, firewall) 14->96 signatures6 process7 signatures8 62 Contains functionality to inject code into remote processes 18->62 64 Writes to foreign memory regions 18->64 66 Allocates memory in foreign processes 18->66 70 3 other signatures 18->70 35 lsass.exe 18->35 injected 44 3 other processes 18->44 68 Loading BitLocker PowerShell Module 21->68 38 conhost.exe 21->38         started        46 2 other processes 23->46 40 conhost.exe 25->40         started        48 2 other processes 27->48 42 conhost.exe 29->42         started        50 13 other processes 31->50 52 5 other processes 33->52 process9 signatures10 80 Installs new ROOT certificates 35->80 82 Writes to foreign memory regions 35->82
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/656feea079f74b94c31e4ad4fcdb2cb0b6c4f61a861db5084af2857c6a456c47
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/656feea079f74b94c31e4ad4fcdb2cb0b6c4f61a861db5084af2857c6a456c47/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mvx65idz65fzjqy6jlkpzwzmwc3mj5q2qyo3kcck6kcxy2sfnrdq._file
Verdict:
malicious
Similar samples:
0f975de9620a33d9ce23d0754e248f1ffa6f1c4a572bc2b4dc8b6b6736d70e10
5690f5208387bba02ca4f4954d9d479c57ca556d553795d813603a2b1f83121b
82ae530eb29e0c64986dbd019f86cac5eff3daf3c1fb861757a60252eb1e4661
8462485220bfcba052d89e06bb3eaf38343b92bc246e391050f6019e70dba6a6
8eeda0849b8bffc5d26ee56f02162f2e75e4271c4257c309197f3645fac47c03
d0c18b8e222e3b9c09c05145bab139b63e010ba754f4ff688ee71ac69697a402
e380482fc3d8c4fe11073f9734238d60ab66385e3261231358f7d02082b235cd
e49aec48358a65ac8d93539528d239cf5b9346e83efe7e67a8fa434283fa2d25
ed58046044e126ab8b740bd4d37aa52dd8eebbfd539b607bda4425e6cd3e8c66
f617be25cb6b894df7c180f0ac4ac93aa26b808c2c6b69821546b29158dc2499
+ 155 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion execution persistence themida trojan
Link:
https://tria.ge/reports/240521-bmtecsdd52/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Checks BIOS information in registry
Executes dropped EXE
Loads dropped DLL
Themida packer
Command and Scripting Interpreter: PowerShell
Creates new service(s)
Sets service image path in registry
Stops running service(s)
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Modifies security service
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/98ff51b1-39fb-45fa-968e-b81855909d2e
Unpacked files
SH256 hash:
656feea079f74b94c31e4ad4fcdb2cb0b6c4f61a861db5084af2857c6a456c47
MD5 hash:
8b8262ee5164a7cad79367a6a7e5d1ad
SHA1 hash:
043f4ab26eb710aa336e0cac2868311407d360e4
Detections:
INDICATOR_EXE_Packed_Themida
Create hunting rule
Link:
https://www.unpac.me/results/3a92cb74-4b78-49d2-9715-efa169befba5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/656feea079f74b94c31e4ad4fcdb2cb0b6c4f61a861db5084af2857c6a456c47

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:HeavensGate
Create hunting rule
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 656feea079f74b94c31e4ad4fcdb2cb0b6c4f61a861db5084af2857c6a456c47

(this sample)

  
Dropped by
Privateloader
  
Delivery method
Distributed via web download

Comments