MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 73bcd67ddecc7bf320a19bd5dbefdb36c097c3047959d67e0e3cc5e22f8b510b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 73bcd67ddecc7bf320a19bd5dbefdb36c097c3047959d67e0e3cc5e22f8b510b
SHA3-384 hash: 28b086f9d21aa48740a08a2d06c5c8df2f4becc7371e0eb0b7661a4919430a06217001041d440eb4c25d4fe8d15a59d9
SHA1 hash: 533fa79f3b20623ae1c6de3fded5fb54b145af6a
MD5 hash: 69c885675b1b98e2fbb3f0196a1df2d1
humanhash: zebra-black-blue-venus
File name:cheat.exe
Download: download sample
File size:12'815'360 bytes
First seen:2021-08-10 10:56:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 161c85364c462057ba28801ac1ad5404 (1 x Vjw0rm, 1 x RemoteManipulator)
ssdeep 393216:37zA7xS2nebJWqMV/qU0GrQwywChsdCu:rV268qMV/tPrYwChsdC
Threatray 51 similar samples on MalwareBazaar
TLSH T126D6238933E44199FE6BF037CA52C607C6B1B44A52778B6F01E05A766F337B1292E325
Reporter Anonymous
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
102
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c.exe
Verdict:
No threats detected
Analysis date:
2021-08-09 15:29:02 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1e5917a0-308d-4156-8ec2-4338e6700c96

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/177897/
Detection(s):
SecuriteInfo.com.PUA.Tool.BtcMine-5.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.GenericKD.34126398.28157.2351.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.DownLoader29.46016.2317.14231.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a file
Deleting a recently created file
Creating a process from a recently created file
Creating a process with a hidden window
Running batch commands
Launching a process
Sending a UDP request
Using the Windows Management Instrumentation requests
Searching for the window
Launching a tool to kill processes
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
UACMe
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/dc949929-2f28-4a5b-8806-2e9e0c7f5360
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/830078
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Binary is likely a compiled AutoIt script file
Detected VMProtect packer
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Csc.exe Source File Folder
Sigma detected: WScript or CScript Dropper
Uses schtasks.exe or at.exe to add and modify task schedules
Wscript starts Powershell (via cmd or directly)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 462509 Sample: cheat.exe Startdate: 10/08/2021 Architecture: WINDOWS Score: 96 133 Antivirus / Scanner detection for submitted sample 2->133 135 Multi AV Scanner detection for dropped file 2->135 137 Multi AV Scanner detection for submitted file 2->137 139 4 other signatures 2->139 11 cheat.exe 3 28 2->11         started        14 Start.exe 8 2->14         started        process3 file4 117 C:\Users\user\AppData\Local\...\aut61BE.tmp, PE32+ 11->117 dropped 119 C:\ProgramData\Windows\d.exe, PE32+ 11->119 dropped 121 C:\ProgramData\Windows\Start.exe, PE32+ 11->121 dropped 123 6 other files (5 malicious) 11->123 dropped 16 Start.exe 8 11->16         started        19 wscript.exe 1 11->19         started        22 cmd.exe 1 14->22         started        process5 dnsIp6 127 Multi AV Scanner detection for dropped file 16->127 24 cmd.exe 1 16->24         started        125 192.168.2.1 unknown unknown 19->125 129 Wscript starts Powershell (via cmd or directly) 19->129 27 cmd.exe 1 19->27         started        29 d.exe 19->29         started        31 powershell.exe 22->31         started        33 conhost.exe 22->33         started        35 timeout.exe 1 22->35         started        signatures7 process8 signatures9 141 Wscript starts Powershell (via cmd or directly) 24->141 37 powershell.exe 26 24->37         started        40 conhost.exe 24->40         started        42 timeout.exe 1 24->42         started        143 Uses schtasks.exe or at.exe to add and modify task schedules 27->143 44 conhost.exe 27->44         started        46 schtasks.exe 1 27->46         started        145 Antivirus detection for dropped file 29->145 147 Multi AV Scanner detection for dropped file 29->147 48 wscript.exe 31->48         started        51 wscript.exe 31->51         started        53 wscript.exe 31->53         started        55 3 other processes 31->55 process10 file11 111 C:\Users\user\AppData\...\x3dukqq3.cmdline, UTF-8 37->111 dropped 57 wscript.exe 37->57         started        60 wscript.exe 37->60         started        62 wscript.exe 37->62         started        72 6 other processes 37->72 131 Wscript starts Powershell (via cmd or directly) 48->131 64 cmd.exe 48->64         started        66 cmd.exe 51->66         started        68 cmd.exe 53->68         started        113 C:\Users\user\AppData\Local\...\fk41facq.dll, PE32 55->113 dropped 70 cvtres.exe 55->70         started        signatures12 process13 file14 149 Wscript starts Powershell (via cmd or directly) 57->149 75 cmd.exe 57->75         started        77 cmd.exe 60->77         started        79 cmd.exe 62->79         started        85 3 other processes 64->85 87 3 other processes 66->87 89 2 other processes 68->89 115 C:\Users\user\AppData\Local\...\x3dukqq3.dll, PE32 72->115 dropped 81 cmd.exe 72->81         started        83 cmd.exe 72->83         started        91 3 other processes 72->91 signatures15 process16 process17 93 conhost.exe 75->93         started        95 taskkill.exe 75->95         started        97 taskkill.exe 75->97         started        99 conhost.exe 77->99         started        101 2 other processes 77->101 103 3 other processes 79->103 105 3 other processes 81->105 107 3 other processes 83->107 109 6 other processes 91->109
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/73bcd67ddecc7bf320a19bd5dbefdb36c097c3047959d67e0e3cc5e22f8b510b/
Threat name:
Win64.Trojan.UACBypassExp
Create hunting rule
Status:
Malicious
First seen:
2021-08-10 10:57:08 UTC
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
0389ffef740d3bd365f2b699ac006b478a5346a1dc2383e10fd5152771641c0b
08e4ff0c3fd04510841e9f4e55ba0b3d2681d8f4c3405fd83dd9bbc4c2fa01d9
225aee453b9568adc4ebb27ce98fd80feabf144356196aa1139f08f4fe10eadc
5f2846d5daa6e5781427feb62144502ff1522b8250eadbfb7aa3602d04eac1fb
767e8cdbeeb723d9a79665ef465e3ceca2595d773a04a7c900d550ad780ee1ff
88c642b1fa43b77487f3916dd95ac236189971475c3289c745dc45a739e6453f
9cc0cf19e63fbf43ed381c94967a1c52a606452657cc05c17b27a1a07e2c5607
aa46ec291334b68e6c96fed8f2b88ce521dd87ff7535a5465537e7d2c36d1539
+ 41 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
miner vmprotect
Link:
https://tria.ge/reports/210810-1sm4j2t8mx/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Loads dropped DLL
Executes dropped EXE
VMProtect packed file
Detected Stratum cryptominer command
Unpacked files
SH256 hash:
73bcd67ddecc7bf320a19bd5dbefdb36c097c3047959d67e0e3cc5e22f8b510b
MD5 hash:
69c885675b1b98e2fbb3f0196a1df2d1
SHA1 hash:
533fa79f3b20623ae1c6de3fded5fb54b145af6a
Link:
https://www.unpac.me/results/e5b90efa-1cd5-453b-89a8-2066d33922cb/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/73bcd67ddecc7bf320a19bd5dbefdb36c097c3047959d67e0e3cc5e22f8b510b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE).

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/177897/

Comments