MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 68c944c28e2b06a534175149916e7daaf9a8cb12b09178e89556bcc8337d682f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


IRCbot


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 68c944c28e2b06a534175149916e7daaf9a8cb12b09178e89556bcc8337d682f
SHA3-384 hash: 3f4ec8639ee98b45c83afafce80c644265ac783ec9d32c69aeaf10233b2a480f03a3e0288222b20d5843d55c67573b79
SHA1 hash: ba527cd188b8b6d13f8b16a1a8f824e28def0ed9
MD5 hash: 83e1382f971f88e6d75264559057f983
humanhash: carolina-beer-echo-sad
File name:83e1382f971f88e6d75264559057f983.exe
Download: download sample
Signature IRCbot
Create hunting rule
File size:797'706 bytes
First seen:2020-12-04 19:34:21 UTC
Last seen:2020-12-04 21:48:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash fc6683d30d9f25244a50fd5357825e79 (92 x Formbook, 52 x AgentTesla, 23 x SnakeKeylogger)
ssdeep 12288:qYV6MorX7qzuC3QHO9FQVHPF51jgcI+Fczaad8PEuqBfVKFCr279jF:ZBXu9HGaVH+zaU8PEuqBNey2xx
Threatray 2 similar samples on MalwareBazaar
TLSH 690523C0DE52C8F6D06423F4D83AEDD048627431CEC87B59A69AF05EF531793A417EAA
Reporter abuse_ch
Tags:exe IRCbot

Intelligence

File Origin
# of uploads :
2
# of downloads :
220
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/106805/
Detection(s):
PUA.Win.Packer.Upx-48
Create hunting rule

PUA.Win.Packer.Upolyx-12
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Unauthorized injection to a recently created process
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Connecting to a cryptocurrency mining pool
Creating a service
Launching a service
Loading a system driver
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a global event handler for the keyboard
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun for a service
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Dogecoin Miner Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/556005
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
AutoIt script contains suspicious strings
Binary is likely a compiled AutoIt script file
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to inject code into remote processes
Creates multiple autostart registry keys
Drops PE files with benign system names
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: System File Execution Location Anomaly
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses IRC for communication with a C&C
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Dogecoin Miner
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 327105 Sample: OKx5tyuiLx.exe Startdate: 04/12/2020 Architecture: WINDOWS Score: 100 62 242.116.3.0.in-addr.arpa 2->62 92 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->92 94 Malicious sample detected (through community Yara rule) 2->94 96 Antivirus detection for URL or domain 2->96 98 13 other signatures 2->98 10 OKx5tyuiLx.exe 2 3 2->10         started        14 svchost.exe 2->14         started        16 svchost.exe 2->16         started        18 11 other processes 2->18 signatures3 process4 dnsIp5 58 C:\Users\user\AppData\Roaming\...\svchost.exe, PE32 10->58 dropped 60 C:\Users\user\...\svchost.exe:Zone.Identifier, ASCII 10->60 dropped 104 Creates multiple autostart registry keys 10->104 106 Contains functionality to inject code into remote processes 10->106 108 Drops PE files with benign system names 10->108 21 OKx5tyuiLx.exe 2 21 10->21         started        110 Injects a PE file into a foreign processes 14->110 25 svchost.exe 14->25         started        112 Changes security center settings (notifications, updates, antivirus, firewall) 16->112 64 127.0.0.1 unknown unknown 18->64 27 svchost.exe 18->27         started        29 svchost.exe 18->29         started        file6 signatures7 process8 dnsIp9 66 www1.c25e6559668942.xyz 193.239.147.211, 49710, 49711, 49712 DEDIPATH-LLCUS Brunei Darussalam 21->66 68 cnc.c25e6559668942.xyz 21->68 50 C:\Users\user\AppData\Roaming\...\shell32.exe, PE32 21->50 dropped 52 C:\Users\user\AppData\Local\...\oA4X9AIo.exe, PE32+ 21->52 dropped 54 C:\Users\user\AppData\Local\...\7mv84lzU.exe, PE32 21->54 dropped 56 2 other files (none is malicious) 21->56 dropped 31 oA4X9AIo.exe 1 15 21->31         started        36 7mv84lzU.exe 21->36         started        file10 process11 dnsIp12 78 cnc.c25e6559668942.xyz 31->78 46 C:\Users\user\AppData\Roaming\...\sysv.exe, PE32+ 31->46 dropped 48 C:\Users\user\AppData\Local\...\xmrig[1].exe, PE32+ 31->48 dropped 80 Binary is likely a compiled AutoIt script file 31->80 82 Creates multiple autostart registry keys 31->82 84 Writes to foreign memory regions 31->84 86 Modifies the context of a thread in another process (thread injection) 31->86 38 sysv.exe 1 31->38         started        88 Allocates memory in foreign processes 36->88 90 Injects a PE file into a foreign processes 36->90 42 RegAsm.exe 15 2 36->42         started        file13 signatures14 process15 dnsIp16 70 pool.hashvault.pro 168.119.38.182, 49715, 8888 HETZNER-ASDE Germany 38->70 100 Binary is likely a compiled AutoIt script file 38->100 44 conhost.exe 38->44         started        72 www1.c25e6559668942.xyz 42->72 74 checkip.dyndns.org 42->74 76 6 other IPs or domains 42->76 102 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 42->102 signatures17 process18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/68c944c28e2b06a534175149916e7daaf9a8cb12b09178e89556bcc8337d682f/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-12-04 19:35:19 UTC
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ndeujquofmdkknaxkfezc3t5vl42rsyswcixr2evk26mqm35naxq._file
Verdict:
unknown
Similar samples:
e89843256ff5ba727b9195361447d30e88fbfb660e97aaad5cb0196fd2f0991a
IRCbot
eee4d211bbffe896f0de21854cb5adac6e10c85016986efd260b45c7022d7521
IRCbot
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner persistence upx
Link:
https://tria.ge/reports/201204-t1mxfv9zcs/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Loads dropped DLL
Executes dropped EXE
UPX packed file
XMRig Miner Payload
xmrig
Unpacked files
SH256 hash:
68c944c28e2b06a534175149916e7daaf9a8cb12b09178e89556bcc8337d682f
MD5 hash:
83e1382f971f88e6d75264559057f983
SHA1 hash:
ba527cd188b8b6d13f8b16a1a8f824e28def0ed9
Link:
https://www.unpac.me/results/9e143c15-333a-4ee0-99b3-f39a609cc537/
SH256 hash:
0ca1bcab9eae185e0b5676350bfe6ee36d5d79c378dab07dd5f2d7e59b1d516f
MD5 hash:
eb2063bbb11d2a21edca8468b2434dce
SHA1 hash:
387c121e32034f271e43b42938667ae1af2f7329
Link:
https://www.unpac.me/results/9e143c15-333a-4ee0-99b3-f39a609cc537/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/68c944c28e2b06a534175149916e7daaf9a8cb12b09178e89556bcc8337d682f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE).
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

IRCbot

Executable exe 68c944c28e2b06a534175149916e7daaf9a8cb12b09178e89556bcc8337d682f

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/878363/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/106805/

Comments