MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8497b714d64bbe043d4ef481a213eca88cc48a1dc98ad43443433c35e4af211a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 7



SHA256 hash: 8497b714d64bbe043d4ef481a213eca88cc48a1dc98ad43443433c35e4af211a
SHA3-384 hash: ffd792385b627db106d0f3ca3bf1bf90b28711d11f3ed60ba76d5ca934d858866aa218df5ac5b174c8555700f771028b
SHA1 hash: 1f45480e1c3f7899a46500b83538643ecae76687
MD5 hash: 60b9d476ed937d310d54ae0e35973974
humanhash: nebraska-whiskey-london-lima
File name: 60b9d476ed937d310d54ae0e35973974
File size: 453'632 bytes
First seen: 2021-09-25 17:10:16 UTC
Last seen: 2021-09-25 19:10:46 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 300d321731799d078aeaa3f624037f49
ssdeep: 12288:TBc28BcwtHkJ3iX8jpPfw+oaq79TxoK+Fq/8j:tc2I16yX8jpPfw+oa2TxdO
Threatray: 6 similar samples on MalwareBazaar
TLSH: T1A0A49D5973A904F8E0B3C17CC9935A06E67678160361D7EF03A8D6762F236E05E7EB60
Reporter: zbetcheckin
Tags: exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 120
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 60b9d476ed937d310d54ae0e35973974
Verdict: No threats detected
Analysis date: 2021-09-25 17:11:32 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Sending an HTTP GET request
Launching the process to change network settings
Launching a service
Creating a file
Launching the default Windows debugger (dwwin.exe)
Blocking Windows Firewall launch
Firewall traversal
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun for a service
Malware family: Generic Malware
Verdict: Malicious
Result
Threat name:
Detection: malicious
Classification: troj.evad.mine
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Creates files in the system32 config directory
Found strings related to Crypto-Mining
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Defender Exclusion
Uses netsh to modify the Windows network and firewall settings
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph (ID 490516; sample 7yuJ4pbKSv; start date 25/09/2021; architecture WINDOWS; score 100). The graph image itself is not reproduced; the nodes and edges it lists are:

Process tree:
The sample starts System.exe and 7yuJ4pbKSv.exe.
7yuJ4pbKSv.exe starts powershell.exe, WerFault.exe, cmd.exe (which starts 2 other processes) and 6 other processes (which start 7 more).
System.exe starts three cmd.exe instances (each starting 2 other processes, among them conhost.exe and taskkill.exe) and 51 other processes (which start 67 more, among them conhost.exe).
powershell.exe starts UpSys.exe, netsh.exe and conhost.exe; netsh.exe in turn starts conhost.exe and taskkill.exe.
UpSys.exe re-launches itself twice (UpSys.exe -> UpSys.exe -> UpSys.exe); the last instance starts powershell.exe, which creates files in the system32 config directory and starts conhost.exe.

Network:
From 7yuJ4pbKSv.exe: iplogger.org (88.99.66.31:443, HETZNER-AS, Germany); bitbucket.org (104.192.141.1:443, AMAZON-02, United States); 3 other IPs or domains.
From System.exe: 52.217.201.25:443 (AMAZON-02, United States); s3-1-w.amazonaws.com; bbuseruploads.s3.amazonaws.com.

Dropped files:
By 7yuJ4pbKSv.exe: C:\ProgramData\UpSys.exe (PE32+); C:\ProgramData\MicrosoftNetwork\System.exe (PE32+); C:\ProgramData\...\System.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\UpSys[1].exe (PE32+).
By System.exe: C:\ProgramData\Systemd\xmrig.exe (PE32+).
By WerFault.exe: C:\ProgramData\Microsoft\...\Report.wer (Little-endian).

Signatures attached to nodes:
Sample: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 5 other signatures.
System.exe: Multi AV Scanner detection for dropped file; May check the online IP address of the machine; Machine Learning detection for dropped file.
7yuJ4pbKSv.exe: Modifies the windows firewall; Adds a directory exclusion to Windows Defender.
powershell.exe (child of 7yuJ4pbKSv.exe): Uses netsh to modify the Windows network and firewall settings.
powershell.exe (child of the last UpSys.exe): Creates files in the system32 config directory.
Threat name: Win64.Trojan.Sabsik
Status: Malicious
First seen: 2021-09-25 17:11:08 UTC
AV detection: 10 of 45 (22.22%)
Threat level: 5/5
Result
Malware family: n/a
Score: 10/10
Tags: evasion persistence
Behaviour
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Drops startup file
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
Modifies security service
Unpacked files
SHA256 hash: 8497b714d64bbe043d4ef481a213eca88cc48a1dc98ad43443433c35e4af211a
MD5 hash: 60b9d476ed937d310d54ae0e35973974
SHA1 hash: 1f45480e1c3f7899a46500b83538643ecae76687
Please note that we are no longer able to provide a coverage score for Virus Total.
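
The host behaviours the sandboxes report above (a PowerShell Defender exclusion, netsh firewall changes, autorun via the Run key and via a service, and xmrig dropped under C:\ProgramData) all surface in ordinary process-creation telemetry. The Python below is an added example for this page, not MalwareBazaar's code and not any vendor's sandbox or detection logic: it encodes those signatures as image-path/command-line rules and runs them over Sysmon-style events that are constructed here for illustration. The dropper paths follow the behaviour graph; the command lines, the pool host, the wallet string and the rule/value names are placeholders, not captures from the sample. The rules are deliberately a little wider than this one sample (Set-MpPreference, RunOnce, firewall rule deletion) so they hold for the same technique in other droppers.

```python
"""Detection rules for the behaviours reported for this sample, run over
constructed Sysmon-style process-creation events.

Added example; not MalwareBazaar's code nor any vendor's sandbox logic.  All
events are constructed for illustration: command lines mirror the reported
signatures (Defender exclusion, netsh firewall changes, Run-key and service
autorun, xmrig under C:\\ProgramData) but were not captured from the sample.
Pool host, wallet, rule names and value names are placeholders.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    image: str     # full path of the created process
    cmdline: str   # its command line
    parent: str    # full path of the parent process


@dataclass(frozen=True)
class Rule:
    name: str
    severity: str
    image_re: str  # matched against the full image path
    cmd_re: str    # matched against the command line


RULES = [
    Rule("powershell_defender_exclusion", "high",
         r"(?i)\\(powershell|pwsh)\.exe$",
         r"(?i)\b(Add|Set)-MpPreference\b.*-Exclusion(Path|Process|Extension)\b"),
    Rule("netsh_firewall_modification", "medium",
         r"(?i)\\netsh\.exe$",
         r"(?i)\b(advfirewall\s+(set|firewall\s+(add|set|delete))|firewall\s+(set|add))\b"),
    Rule("run_key_autorun", "medium",
         r"(?i)\\reg\.exe$",
         r"(?i)\badd\b.*\\CurrentVersion\\Run(Once)?\b"),
    Rule("service_autorun", "medium",
         r"(?i)\\sc\.exe$",
         r"(?i)\bcreate\b.*\bstart=\s*auto\b"),
    Rule("xmrig_in_programdata", "high",
         r"(?i)\\ProgramData\\.*\\xmrig\.exe$",
         r""),  # any command line: a miner binary under ProgramData is the signal
]

# A parent living in a user-writable directory (where System.exe and UpSys.exe
# were dropped) makes a hit more credible than the same command from explorer.
USER_WRITABLE_RE = re.compile(r"(?i)\\(ProgramData|Users\\[^\\]+\\AppData)\\")


def evaluate(event):
    """Return (rule_name, severity, parent_in_user_writable_dir) for each rule fired."""
    hits = []
    for rule in RULES:
        if re.search(rule.image_re, event.image) and re.search(rule.cmd_re, event.cmdline):
            hits.append((rule.name, rule.severity,
                         bool(USER_WRITABLE_RE.search(event.parent))))
    return hits


def detect(events):
    """Run every rule over every event; hits come back in event order."""
    return [hit for ev in events for hit in evaluate(ev)]


def triage(events):
    """Summarise hits: totals per severity, hits from user-writable parents, rules fired."""
    hits = detect(events)
    by_severity = {}
    for _, sev, _ in hits:
        by_severity[sev] = by_severity.get(sev, 0) + 1
    return {"total": len(hits), "by_severity": by_severity,
            "from_user_writable_parent": sum(1 for _, _, u in hits if u),
            "rules_fired": sorted({name for name, _, _ in hits})}


SYS32 = r"C:\Windows\System32"
PS = SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe"
DROPPER = r"C:\ProgramData\MicrosoftNetwork\System.exe"  # path taken from the behaviour graph
SAMPLE_EVENTS = [  # constructed events, not captured from the sample
    ProcEvent(PS, r'powershell -NoProfile -Command Add-MpPreference -ExclusionPath "C:\ProgramData"', DROPPER),
    ProcEvent(SYS32 + r"\netsh.exe", "netsh advfirewall set allprofiles state off", PS),
    ProcEvent(SYS32 + r"\netsh.exe",
              'netsh advfirewall firewall add rule name="System" dir=in action=allow program="%s"' % DROPPER,
              DROPPER),
    ProcEvent(SYS32 + r"\reg.exe",
              r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v System /t REG_SZ /d "%s" /f' % DROPPER,
              SYS32 + r"\cmd.exe"),
    ProcEvent(SYS32 + r"\sc.exe",
              r'sc create Systemd binPath= "C:\ProgramData\Systemd\xmrig.exe" start= auto',
              SYS32 + r"\cmd.exe"),
    ProcEvent(r"C:\ProgramData\Systemd\xmrig.exe",
              "xmrig.exe -o pool.invalid:3333 -u WALLET_PLACEHOLDER --donate-level 1", DROPPER),
    # benign look-alikes that must stay quiet
    ProcEvent(SYS32 + r"\netsh.exe", "netsh interface show interface", SYS32 + r"\cmd.exe"),
    ProcEvent(PS, "powershell Get-MpPreference", r"C:\Windows\explorer.exe"),
    ProcEvent(SYS32 + r"\reg.exe", r"reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run", SYS32 + r"\cmd.exe"),
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
    print(triage(SAMPLE_EVENTS))
```

Run as-is it prints six hits (two high, four medium), three of them with a parent under ProgramData, and none for the three benign look-alikes. The parent-directory flag is the cheap enrichment worth keeping: netsh and reg are noisy on their own, but the same commands issued by a freshly dropped PE32+ in C:\ProgramData are what this graph shows.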

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Executable exe 8497b714d64bbe043d4ef481a213eca88cc48a1dc98ad43443433c35e4af211a (this sample)

Delivery method: Distributed via web download

Comments



zbet commented on 2021-09-25 17:10:17 UTC

url: hxxp://f0583508.xsph.ru/Zenar.exe