MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7ba93bb22e21061429a33268b44d2a69b441e4fddc81c6590b429c470854fa35. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7ba93bb22e21061429a33268b44d2a69b441e4fddc81c6590b429c470854fa35
SHA3-384 hash: d0311daadc1389b545ddf92b4b84dfba8f751c8e807399e6af487922d45aaf3297254e50a3573fe6c69d5a78fb65521b
SHA1 hash: 935f1e3711308384c0db7a00f4ea0a0c41ad3b74
MD5 hash: 5a900a599ee726d179f28b6f7d18c1c6
humanhash: fish-jig-cup-alabama
File name:5a900a599ee726d179f28b6f7d18c1c6.exe
Download: download sample
File size:7'285'760 bytes
First seen:2021-08-07 07:43:04 UTC
Last seen:2021-08-07 09:02:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 8be87a87d7d2cb82ba86b065b2960678
ssdeep 196608:5vDTT4+v4N7e6tIIeha9yMEzlwYUe0noZ6vbY4SV9l:RD34+vme6aIek9REaYUexZ6jzSJ
Threatray 2'609 similar samples on MalwareBazaar
TLSH T1C376232326604AC2D4F2C93A893F7DD476F363BFC6025CB9B8D6B5D12A065A0E117D87
dhash icon 009cbaa2a2a2a200
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
140
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5a900a599ee726d179f28b6f7d18c1c6.exe
Verdict:
Malicious activity
Analysis date:
2021-08-07 07:45:50 UTC
Tags:
evasion miner
Link:
https://app.any.run/tasks/237d1439-7d94-49b5-8080-fd39a85a443d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/177136/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.46752369.20740.6145.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Searching for analyzing tools
Searching for the window
Creating a window
Using the Windows Management Instrumentation requests
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Connection attempt to an infection source
Sending a UDP request
Moving of the original file
Query of malicious DNS domain
Sending a TCP request to an infection source
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/5734b9f4-12a9-429b-8e9a-2838ba2ca6a8
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad.mine
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/828589
Signature
Binary is likely a compiled AutoIt script file
Found strings related to Crypto-Mining
Hides threads from debuggers
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7ba93bb22e21061429a33268b44d2a69b441e4fddc81c6590b429c470854fa35/
Threat name:
Win32.Trojan.Bingoml
Create hunting rule
Status:
Malicious
First seen:
2021-08-06 22:43:41 UTC
AV detection:
10 of 28 (35.71%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
0f0eb4a8a538f339214f86a8b084d685a4fb51d54f258f5718393003ab1ff35b
22f105861b8c373e94d70ac51cdbc0f03e784acee57727dae0d734587c6033a7
3221c7c857b80fab3818cf1ea9435cef9626d84bd308d7a365e4e5089e5ef413
477ea4ac94a63aa7e55baf53f5a0fba0e264f3c155f413edc03da1f5181d9999
5ac7fc154a948a26d0b7469dda7495f712cb15d055692e6cd989c07c92fee9f7
5eada5dc19ab310ed6edd61b1747b2fd9342b44be7241afa21bb0865d7fc132d
9d5bcf8c54cd23a97d0157da1e228bf0dde5af2c100d00743b550b68838b039e
e45164555700bc491659b55361a3c3fd44a7b1c411aa8f2e32ed11c4ec703ee6
f1aae79787fff8edd5f6769ebecf43eb5a94d392cb3723810a66dd9868ec2925
+ 2'599 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion themida trojan
Link:
https://tria.ge/reports/210807-q5axvrm9b2/
Behaviour
Modifies system certificate store
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Checks BIOS information in registry
Themida packer
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Unpacked files
SH256 hash:
f030d238d0f3f81076b27a1927703f06959e4bd27eb99353bd369b8e30b3021c
MD5 hash:
84eb993a6862253afcf3556f6f023fcf
SHA1 hash:
0b44ff88c50d6b3dbb8cd9ffd07964e0008c0b8b
Link:
https://www.unpac.me/results/2cdc069c-3169-46a8-b2ba-70ff7dba7fef/
SH256 hash:
7ba93bb22e21061429a33268b44d2a69b441e4fddc81c6590b429c470854fa35
MD5 hash:
5a900a599ee726d179f28b6f7d18c1c6
SHA1 hash:
935f1e3711308384c0db7a00f4ea0a0c41ad3b74
Link:
https://www.unpac.me/results/2cdc069c-3169-46a8-b2ba-70ff7dba7fef/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.64
Link:
https://yomi.yoroi.company/submissions/7ba93bb22e21061429a33268b44d2a69b441e4fddc81c6590b429c470854fa35

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE).
Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 7ba93bb22e21061429a33268b44d2a69b441e4fddc81c6590b429c470854fa35

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1478751/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/177136/

Comments