MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7b22171c0b658644bc40537f768933245325434e8d597e06c20f2e1437dd3b1d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 9

SHA256 hash: 7b22171c0b658644bc40537f768933245325434e8d597e06c20f2e1437dd3b1d
SHA3-384 hash: be082614770f363df3f19570b5fae1ce415e568f8f4f75763126c74a58be0d1682c1efdd888f6b1a1b18677e0e0d6244
SHA1 hash: 522884d576940042e8dfeff09bc3ab78f54c1596
MD5 hash: d9ba02fa865202ac2fcfb557e0775926
humanhash: zebra-east-sweet-eight
File name: WNOMMvQn2.exe
File size: 3'264'512 bytes
First seen: 2022-03-13 21:14:52 UTC
Last seen: 2022-03-13 22:47:26 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2f084553d02ee9faa371daf024a1480c (3 x CoinMiner)
ssdeep: 98304:jXmkgb7R05RMEF9oMAAOR8XKgOs6FsMD2:jXmkgiRMEFCHAOqXGbG
Threatray: 263 similar samples on MalwareBazaar
TLSH: T1EFE502BDA298371CC41ECCB05437AC44B2F6571E4BF8D6AA71EBFAC06F978249512B05
Reporter: r3dbU7z
Tags: exe

Intelligence

File Origin
Number of uploads: 2
Number of downloads: 209
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %AppData% subdirectories
Launching a process
Creating a process with a hidden window
DNS request
Sending an HTTP GET request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending an HTTP GET request to an infection source
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  0/10
Tags:
n/a
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware overlay packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Behaviour
Behavior Graph (ID 588178, sample WNOMMvQn2.exe, start date 13/03/2022, architecture WINDOWS, score 100); the information recoverable from the graph rendering:
- WNOMMvQn2.exe connects to 185.137.234.33 (SELECTELRU, Russian Federation) on ports 49764, 49765 and 8080, and drops RegModule.exe, RegHost.exe and RegData.exe (all PE32+) under C:\Users\user\AppData\...
- WNOMMvQn2.exe starts explorer.exe, bfsvc.exe and conhost.exe; the injected explorer.exe then launches RegHost.exe and several curl.exe instances that resolve easyproducts.org (193.233.48.63, NETIS-ASRU, Russian Federation)
- RegHost.exe repeats the same chain (explorer.exe, bfsvc.exe, conhost.exe, then RegHost.exe and curl.exe again), so the graph shows the injection and download cycle nested several levels deep
- Signatures attached along the chain: Injects code into the Windows Explorer (explorer.exe), Writes to foreign memory regions, Allocates memory in foreign processes, Modifies the context of a thread in another process (thread injection), Injects a PE file into a foreign processes, Multi AV Scanner detection for dropped file, Machine Learning detection for dropped file
Threat name:
Win64.Backdoor.Androm
Status:
Malicious
First seen:
2022-03-04 05:47:00 UTC
File Type:
PE+ (Exe)
AV detection:
26 of 42 (61.90%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence upx
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Downloads MZ/PE file
UPX packed file
Unpacked files
SHA256 hash:
7b22171c0b658644bc40537f768933245325434e8d597e06c20f2e1437dd3b1d
MD5 hash:
d9ba02fa865202ac2fcfb557e0775926
SHA1 hash:
522884d576940042e8dfeff09bc3ab78f54c1596
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download
File type: Executable exe
SHA256 hash: 7b22171c0b658644bc40537f768933245325434e8d597e06c20f2e1437dd3b1d (this sample)
Delivery method: Distributed via web download

Comments