MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 70a1aa57047f844284ddb6a4fc464b54c4bfaa2dd8d4aced800b197ffcee27cb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 8

Intelligence 8 IOCs YARA 3 File information Comments

SHA256 hash:	70a1aa57047f844284ddb6a4fc464b54c4bfaa2dd8d4aced800b197ffcee27cb
SHA3-384 hash:	9544f40849f69a6f5d34083205006b051541f29d22c3de0384c1ef6cc7fb19a6b23638674a5fec7d2e89673811aaeee3
SHA1 hash:	771cf91776804ea16b643aa60a3695ed6196d621
MD5 hash:	6464862099875b98f18d1cae5b9a7d23
humanhash:	monkey-video-pluto-beer
File name:	Setup.exe
Download:	download sample
File size:	6'763'024 bytes
First seen:	2022-10-31 19:53:26 UTC
Last seen:	2022-10-31 22:23:55 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	2eab4e488333ce74fa1cf2f5b6a84f4b (2 x CoinMiner)
ssdeep	98304:mLpqgyDcTF3xyUY8I+l3QljoW2UC0NJ011L9+eMxk11fupo7Qc14WSvs:E1bYoAljq0NJ0Eeek7upSBIk
Threatray	1'241 similar samples on MalwareBazaar
TLSH	T18A6633434060FE19D8BAC97E070D508DDA1B91B17C936AC9B42E3472BBDBC6D293753A
TrID	45.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 18.3% (.EXE) OS/2 Executable (generic) (2029/13) 18.0% (.EXE) Generic Win/DOS Executable (2002/3) 18.0% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):
dhash icon	b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter	Anonymous
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

263

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/326574/

Detection(s):

SecuriteInfo.com.Trojan.AutoIt.1122.21495.28892.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for analyzing tools

Searching for the window

Creating a window

Sending a custom TCP request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed shell32.dll

Link:

https://www.filescan.io/uploads/636027e0a5db8d309cbc1382/reports/083f2d86-8bd6-47d2-b69d-025fb859ee46/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/7d894871-e418-4a0b-8833-8013d814ac3b

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/1102032

Signature

Antivirus / Scanner detection for submitted sample

Binary is likely a compiled AutoIt script file

Hides threads from debuggers

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

PE file contains section with special chars

Query firmware table information (likely to detect VMs)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Uses Windows timers to delay execution

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/70a1aa57047f844284ddb6a4fc464b54c4bfaa2dd8d4aced800b197ffcee27cb/

Threat name:

Win64.Trojan.Conteban

Status:

Malicious

First seen:

2022-09-09 15:06:09 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

23 of 26 (88.46%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ocq2uvyep6cefbg5w2spyrslktcl7krn3dkkz3mabmmx77hoe7fq._file

Verdict:

malicious

54dc032c3503998eaa404dde9c677851856838e737edb3d198fb7c173562859e

5d34b1f77abd61c463bd6ed97eb0b12bed29ac712445fa9d1dd6abe1029fed94

60993129337e1a1f07964c4a34bee86292cd508e7a02d49ba1ca119fd02203f8

68706f1c7fd143b8b87788aff9018f8c6314d4215683402e2648d2f3b769eab4

8f5b300680db95b545347229941acb9113690ab187cd7ac7b2cc601b9e31a205

99306ce091ffc74939ea41621dd8e947086f6728083a2ff24aa02e3ae91905bd

bbe77e8a2d371343b317688a63e5200f91e33038c80bddd82b418d85332784b8

e718fda21871d54c4bade2114a35411b639bee1afe21ef5c5c9a608e72337a9d

+ 1'231 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

9/10

Tags:

evasion themida trojan

Link:

https://tria.ge/reports/221031-ymjlgsdcgp/

Behaviour

AutoIT Executable

Suspicious use of NtSetInformationThreadHideFromDebugger

Checks whether UAC is enabled

Checks BIOS information in registry

Themida packer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Unpacked files

SH256 hash:

70a1aa57047f844284ddb6a4fc464b54c4bfaa2dd8d4aced800b197ffcee27cb

MD5 hash:

6464862099875b98f18d1cae5b9a7d23

SHA1 hash:

771cf91776804ea16b643aa60a3695ed6196d621

Link:

https://www.unpac.me/results/05a6ffd8-de12-4e17-a5bb-580bbe6d768c/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.20

Link:

https://yomi.yoroi.company/submissions/70a1aa57047f844284ddb6a4fc464b54c4bfaa2dd8d4aced800b197ffcee27cb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AutoIT_Compiled Create hunting rule
Author:	@bartblaze
Description:	Identifies compiled AutoIT script (as EXE).

Rule name:	INDICATOR_EXE_Packed_Themida Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with Themida

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/326574/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample