MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 87eb7f02f97c135ae0d2e28201bbf91575f69e625cc483886020cf8cc678c79a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 87eb7f02f97c135ae0d2e28201bbf91575f69e625cc483886020cf8cc678c79a
SHA3-384 hash: 02482a5ad98f9f73020335b67d291204a2806d66cf5c50971a25643d627ed6de83aaf4acefeb3d0021397ab01417a14c
SHA1 hash: 1e2bbb0ae156513bc070657f02ca2e7440847a37
MD5 hash: a19187b62c78200ed29449c41f872ac6
humanhash: texas-alpha-vermont-timing
File name:SecuriteInfo.com.Win64.Evo-gen.29020.27952
Download: download sample
File size:37'365'264 bytes
First seen:2024-04-29 00:22:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fe0d8ab40356cb4254aca68bc2252510
ssdeep 786432:7zlk9sxzKPY83RtqenfZtKBztQnCCwN9Pb9nTeB:FkGzKPY8hZktGwbJaB
Threatray 16 similar samples on MalwareBazaar
TLSH T12987335AD97E20B8D8B783B9C2827917D761BC92D3D1C6E306D0CA359FAB2D1D63C610
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter SecuriteInfoCom
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
398
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
87eb7f02f97c135ae0d2e28201bbf91575f69e625cc483886020cf8cc678c79a.exe
Verdict:
Suspicious activity
Analysis date:
2024-04-29 00:24:23 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/131a6a7a-bf20-4539-955a-622f42c18f52

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
certutil lolbin miner packed remote shell32
Link:
https://www.filescan.io/uploads/662ee86947bfd8641eb9a7bc/reports/66e1f7da-eb03-43e2-961c-130180f1904c/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/87eb7f02f97c135ae0d2e28201bbf91575f69e625cc483886020cf8cc678c79a
Result
Verdict:
MALICIOUS
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1433050
Signature
Antivirus / Scanner detection for submitted sample
Found direct / indirect Syscall (likely to bypass EDR)
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1433050 Sample: SecuriteInfo.com.Win64.Evo-... Startdate: 29/04/2024 Architecture: WINDOWS Score: 84 33 keyauth.win 2->33 39 Antivirus / Scanner detection for submitted sample 2->39 41 Multi AV Scanner detection for submitted file 2->41 43 Machine Learning detection for sample 2->43 9 SecuriteInfo.com.Win64.Evo-gen.29020.27952.exe 1 2->9         started        signatures3 process4 dnsIp5 35 keyauth.win 104.26.0.5, 443, 49708 CLOUDFLARENETUS United States 9->35 37 127.0.0.1 unknown unknown 9->37 45 Query firmware table information (likely to detect VMs) 9->45 47 Tries to detect sandboxes and other dynamic analysis tools (window names) 9->47 49 Hides threads from debuggers 9->49 51 3 other signatures 9->51 13 cmd.exe 1 9->13         started        15 cmd.exe 1 9->15         started        17 conhost.exe 9->17         started        19 WerFault.exe 2 9->19         started        signatures6 process7 process8 21 certutil.exe 3 1 13->21         started        23 find.exe 1 13->23         started        25 find.exe 1 13->25         started        27 cmd.exe 1 15->27         started        process9 29 conhost.exe 27->29         started        31 timeout.exe 1 27->31         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/87eb7f02f97c135ae0d2e28201bbf91575f69e625cc483886020cf8cc678c79a
Gathering data
Threat name:
Win64.Trojan.Miner
Create hunting rule
Status:
Malicious
First seen:
2024-03-17 19:57:09 UTC
File Type:
PE+ (Exe)
AV detection:
12 of 38 (31.58%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=q7vx6axzpqjvvygs4kbado7zcv27nhtcltcihcdaedhyzrtyy6na._file
Verdict:
malicious
Similar samples:
176468f01cd7ca28f666e4b3ffed69b76b4306a6081bed0859c984950d344d83
1e1db7c0d0c0e06f59ea26fc0e74c240873594c7c590fd9f3e4f34ecb1408213
85aeb0eca144912f0713ac4e8392e2645a91bb4ba8e2ffa55e5bf834665170af
bc84c3a9cfeb083fe41a238c55ea3163b5c9e5103fee0a7d7f4d8a1236b6d22d
f25ec06833cd9a9569e2459ab9e079f68f4b18849d56576db4241f34492c14ae
fcc22a367ed0a8d8de94f5159ab12c32606f97326b832eb47327b7707ba457a6
fcd465bfb29ad1ee9c3344c27035fe6721f7c634ae714db808454b2d14e6ecd3
+ 6 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion themida trojan
Link:
https://tria.ge/reports/240429-apgynsdb31/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Checks BIOS information in registry
Themida packer
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/87eb7f02f97c135ae0d2e28201bbf91575f69e625cc483886020cf8cc678c79a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments