MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 69e7a10168bf96ba60f06987affd48857cd9cda1a518509f435b8b43110feacf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 69e7a10168bf96ba60f06987affd48857cd9cda1a518509f435b8b43110feacf
SHA3-384 hash: 70f02436e47740601edecb0e306a01164fdba6285e54194dec78842f7c3ef697a71624b81dd8803ed5b884ed4bcf2f38
SHA1 hash: 71e14fdd0904b6c0ff288c7ec6f8af5ebfcc6bf6
MD5 hash: cba619ceefd476c9cc3f35b5263e6276
humanhash: stream-triple-robin-venus
File name:cba619ceefd476c9cc3f35b5263e6276
Download: download sample
File size:5'594'776 bytes
First seen:2021-08-09 18:20:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a56f115ee5ef2625bd949acaeec66b76 (53 x Stealc, 48 x PureHVNC, 33 x CoinMiner)
ssdeep 98304:DJIhjzhUmi32EM/H6ygOsEL2QwHFHB2ajjMtW2U2M:DJI5hOG/3gOSjHrjjjMtMz
Threatray 12 similar samples on MalwareBazaar
TLSH T100468CE397C9A95EC097D8B981A0F43F878F7C7C1B19A683D542B2BD9D1780135A8F09
dhash icon c4b8b292b2b2aedc (2 x ValleyRAT)
Reporter zbetcheckin
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
120
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
cba619ceefd476c9cc3f35b5263e6276
Verdict:
No threats detected
Analysis date:
2021-08-09 18:28:08 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c1e77ab1-6f67-4524-8e81-77b130faeae9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/177725/
Detection(s):
SecuriteInfo.com.Dropper.Generic.VZR.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for analyzing tools
Searching for the window
Using the Windows Management Instrumentation requests
Launching the default Windows debugger (dwwin.exe)
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
SpyEye
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b6ac46ce-8eab-4cab-a8d1-253216d3d9a1
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/829599
Signature
Adds a directory exclusion to Windows Defender
Detected unpacking (changes PE section rights)
Hides threads from debuggers
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Defender Exclusion
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 462027 Sample: E6YsSbcLhm Startdate: 09/08/2021 Architecture: WINDOWS Score: 100 46 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->46 48 Multi AV Scanner detection for submitted file 2->48 50 PE file contains section with special chars 2->50 52 Sigma detected: Powershell Defender Exclusion 2->52 8 E6YsSbcLhm.exe 2 4 2->8         started        12 MicrosoftApi.exe 14 2 2->12         started        15 MicrosoftApi.exe 2->15         started        process3 dnsIp4 40 C:\Users\user\AppData\...\MicrosoftApi.exe, PE32+ 8->40 dropped 42 C:\Users\user\AppData\...6YsSbcLhm.exe.log, ASCII 8->42 dropped 66 Detected unpacking (changes PE section rights) 8->66 68 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->68 70 Query firmware table information (likely to detect VMs) 8->70 17 MicrosoftApi.exe 1 5 8->17         started        44 45.137.190.236, 49752, 49753, 49754 BITWEB-ASRU Russian Federation 12->44 72 Hides threads from debuggers 12->72 74 Tries to detect sandboxes / dynamic malware analysis system (registry check) 12->74 file5 signatures6 process7 file8 38 C:\Users\user\AppData\...\tmpB38D.tmp.cmd, DOS 17->38 dropped 54 Detected unpacking (changes PE section rights) 17->54 56 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 17->56 58 Query firmware table information (likely to detect VMs) 17->58 60 3 other signatures 17->60 21 cmd.exe 1 17->21         started        24 cmd.exe 1 17->24         started        signatures9 process10 signatures11 62 Uses schtasks.exe or at.exe to add and modify task schedules 21->62 64 Adds a directory exclusion to Windows Defender 21->64 26 powershell.exe 23 21->26         started        28 conhost.exe 21->28         started        30 timeout.exe 1 21->30         started        32 conhost.exe 24->32         started        34 timeout.exe 1 24->34         started        36 schtasks.exe 1 24->36         started        process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/69e7a10168bf96ba60f06987affd48857cd9cda1a518509f435b8b43110feacf/
Threat name:
Win64.Trojan.GenCBL
Create hunting rule
Status:
Malicious
First seen:
2021-08-09 18:21:06 UTC
AV detection:
8 of 28 (28.57%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
3d6a3c3b0bfcd73cb4a07aabfdc5a915b7bc38c835cf5d87b724bc5aa7704653
485c0400127ce66d5b763acb43181c399eb15608240b08e1253120429792628a
49b57d024424267e79102b40cacbdb69c6e92ec41d5443d069da06e4eb083921
5ee9f4addc6c85c45a7a66f9b61c4d7977f21d8ce1aadf667508f4623b317572
7332c0a22bffbb024052e842388e8a34d5d82d88ed0187ea16ddc810bf352604
89b9fae297db7b35a1749f0a6c6e322ab31ae7dfc8e877cd48ee9f0119fe94c2
ac085734d51ca988db79b3078badc4ce24481eee7ef68db8811b1a98d2b3980c
cf79cdf47dd999b1bda64cea18b85fbe7b217494e652462aa2cce9f7fa57a0ca
d07e7f7f409d82270a54d63f0ee9e38442665d91a5dc193bcadfe45452d8cf46
ff03a31c53b6e540bb918372dbc2a0213e5020273c6c46fdb2ef5f86ec7a0397
+ 2 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion suricata themida trojan upx
Link:
https://tria.ge/reports/210809-dky64bezk6/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Checks BIOS information in registry
Loads dropped DLL
Themida packer
Executes dropped EXE
UPX packed file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
suricata: ET MALWARE Generic gate[.].php GET with minimal headers
suricata: ET MALWARE Likely Zbot Generic Request to gate.php Dotted-Quad
Unpacked files
SH256 hash:
69e7a10168bf96ba60f06987affd48857cd9cda1a518509f435b8b43110feacf
MD5 hash:
cba619ceefd476c9cc3f35b5263e6276
SHA1 hash:
71e14fdd0904b6c0ff288c7ec6f8af5ebfcc6bf6
Link:
https://www.unpac.me/results/e392e81a-c2ed-47d1-988c-8c950378bc3d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/69e7a10168bf96ba60f06987affd48857cd9cda1a518509f435b8b43110feacf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 69e7a10168bf96ba60f06987affd48857cd9cda1a518509f435b8b43110feacf

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1493960/
Cape
Cape
https://www.capesandbox.com/analysis/177725/

Comments


Avatar
zbet commented on 2021-08-09 18:20:58 UTC

url : hxxp://45.137.190.166/mine.exe