MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8eeda0849b8bffc5d26ee56f02162f2e75e4271c4257c309197f3645fac47c03. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 13



SHA256 hash: 8eeda0849b8bffc5d26ee56f02162f2e75e4271c4257c309197f3645fac47c03
SHA3-384 hash: 5c9a6cb79f548f4180d5fcb261b8915e8d5170cd1a2cbce43b6cd0f8da1558f335737426b12bdb706067fb56ba0a6f84
SHA1 hash: 3ef5530a433923276191eec8d98aa462194aa829
MD5 hash: 2fbf75fbac01d42161fdeb6adbd0d979
humanhash: july-cat-lake-glucose
File name: Build.exe
File size: 12'524'544 bytes
First seen: 2024-03-02 17:18:18 UTC
Last seen: 2024-03-02 19:22:23 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 1daf4a4a7f58af2dc5d92ef5205a04ba (2 x CoinMiner, 1 x njrat)
ssdeep: 196608:AFH/xtSYJodEawY/7HPjloM1LiUIX099RYU9ptAzvZaZoM2S5HQoFKArPWug0Vg:AFfxtjJ/an7HPZ12TE99R3zmhbShKArI
Threatray: 157 similar samples on MalwareBazaar
TLSH: T14FC633F1E7369525FE10A3B666112D8771376A438D3996C8EC8BB60278BC58BF8CC44D
TrID:
  27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  20.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
  18.6% (.EXE) Win32 Executable (generic) (4504/4/1)
  8.5% (.ICL) Windows Icons Library (generic) (2059/9)
  8.3% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter: Anonymous
Tags: exe

Intelligence


File Origin
Number of uploads: 2
Number of downloads: 296
Origin country: FR
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for analyzing tools
Searching for the window
Creating a window
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-vm packed packed themidawinlicense upatre xpack
Result
Verdict: MALICIOUS
Malware family: Generic Malware
Verdict: Malicious
Result
Threat name: n/a
Detection: malicious
Classification: adwa.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates files in the system32 config directory
Detected unpacking (changes PE section rights)
Hides threads from debuggers
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the hosts file
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses powercfg.exe to modify the power settings
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Behavior Graph ID: 1401920
Sample: Build.exe
Startdate: 02/03/2024
Architecture: WINDOWS
Score: 100

Sample (root node)
  DNS: 216.47.6.0.in-addr.arpa; ipinfo.io; icanhazip.com
  Signatures: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 10 other signatures
  Starts: Build.exe; kvkinxkledtt.exe

Build.exe
  Dropped: C:\Users\user\AppData\Local\...\Updater.exe (PE32); C:\Users\user\AppData\Local\Temp\Setup.exe (PE32+)
  Signatures: Query firmware table information (likely to detect VMs); Tries to detect sandboxes and other dynamic analysis tools (window names); Hides threads from debuggers; 2 other signatures
  Starts: Setup.exe; Updater.exe

kvkinxkledtt.exe
  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Machine Learning detection for dropped file

Setup.exe
  Dropped: C:\ProgramData\...\kvkinxkledtt.exe (PE32+); C:\Windows\System32\drivers\etc\hosts (ASCII)
  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); 6 other signatures
  Starts: dialer.exe; powershell.exe; cmd.exe; 13 other processes

Updater.exe
  Network: ipinfo.io 34.117.186.192, 443, 49736 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States; icanhazip.com 104.18.115.97, 49735, 80 CLOUDFLARENETUS United States
  Signatures: Machine Learning detection for dropped file
  Starts: WerFault.exe; conhost.exe

dialer.exe
  Signatures: Injects code into the Windows Explorer (explorer.exe); Contains functionality to inject code into remote processes; Writes to foreign memory regions; 4 other signatures
  Injects into: lsass.exe; 14 other processes

powershell.exe
  Starts: conhost.exe; WmiPrvSE.exe

cmd.exe
  Starts: conhost.exe; wusa.exe

13 other processes (started by Setup.exe)
  Start: conhost.exe; conhost.exe; 11 other processes

lsass.exe (injected by dialer.exe)
  Signatures: Creates files in the system32 config directory; Writes to foreign memory regions
Threat name: Win32.Downloader.Upatre
Status: Malicious
First seen: 2024-03-02 16:29:04 UTC
File Type: PE (Exe)
AV detection: 19 of 24 (79.17%)
Threat level: 3/5
Result
Malware family: n/a
Score: 9/10
Tags: evasion persistence themida trojan
Behaviour
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Themida packer
Creates new service(s)
Drops file in Drivers directory
Sets service image path in registry
Stops running service(s)
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Unpacked files

SHA256 hash: 16a74c4d570d90a48ee81c23ee7370205de78f1f09ad4200a6fdf3a8db8aa9f4
MD5 hash: b16f232bfdf6bf8965286329e900f4ad
SHA1 hash: 0866b653390e6c838ab0569a1007b267895495bc

SHA256 hash: 2e5a498e9299a5a6d7ca9d36def6d2f546812a34db0fe91528ab586dd9d07a18
MD5 hash: d5ea67d392c23f20921d26cba0fdf284
SHA1 hash: 572013524756c6323a198810cf63c32d90044f46
Detections: INDICATOR_EXE_Packed_Fody MAL_BackNet_Nov18_1

SHA256 hash: 03a5992156b066821034d193294c772b81ae12fbbf51c494b4fbcec82d4f8c81
MD5 hash: 16ba5534f64a23380c8dd1a6efbe612a
SHA1 hash: 63eec002720232eb765edbc53f962debec2342be
Detections: INDICATOR_EXE_Packed_Themida

SHA256 hash: 8eeda0849b8bffc5d26ee56f02162f2e75e4271c4257c309197f3645fac47c03
MD5 hash: 2fbf75fbac01d42161fdeb6adbd0d979
SHA1 hash: 3ef5530a433923276191eec8d98aa462194aa829
Detections: INDICATOR_EXE_Packed_Themida
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: HeavensGate
Author: kevoreilly
Description: Heaven's Gate: Switch from 32-bit to 64-mode

Rule name: INDICATOR_EXE_Packed_Themida
Author: ditekSHen
Description: Detects executables packed with Themida

Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)

Rule name: maldoc_getEIP_method_1
Author: Didier Stevens (https://DidierStevens.com)

Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 8eeda0849b8bffc5d26ee56f02162f2e75e4271c4257c309197f3645fac47c03 (this sample)

Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

ID                   Title                                                      Severity
CHECK_AUTHENTICODE   Missing Authenticode                                       high
CHECK_NX             Missing Non-Executable Memory Protection                   critical
CHECK_PIE            Missing Position-Independent Executable (PIE) Protection   high

Reviews

ID             Capabilities           Evidence
WIN_USER_API   Performs GUI Actions   user32.dll::CreateWindowExA
