MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 965535f395581fa0c9b2e96caddab283f516fbc7bddbc1c8ae0148272726aa23. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Zyklon

Vendor detections: 9

Intelligence 9 IOCs YARA 1 File information Comments

SHA256 hash:	965535f395581fa0c9b2e96caddab283f516fbc7bddbc1c8ae0148272726aa23
SHA3-384 hash:	cfeba37fe17d21f5981de421a47248f3a27713fa2a47b8aad5ad3b459c36ea271764725ab7a39cb1cd5a72086fe34bef
SHA1 hash:	c17aced39bea6c1dcff358184fd067e944ef7fe3
MD5 hash:	c793f342fb899717cfdd61f28fbe8aea
humanhash:	lemon-red-pizza-fix
File name:	file
Download:	download sample
Signature	Zyklon Create hunting rule
File size:	1'837'056 bytes
First seen:	2023-07-25 17:08:39 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
ssdeep	24576:jJtsUhtUFW/TbilwQcHHlDDDBS8rZ8LJpeO2h:j4UhtWWbbilCl9S8rZ8N
TLSH	T10685C2157AC28DB6DD5E02F1D36209AC4F63EC62A711C09B25537AE9B63EF039C4B163
TrID	40.9% (.EXE) Win64 Executable (generic) (10523/12/4) 19.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.0% (.EXE) Win16/32 Executable Delphi generic (2072/23) 8.0% (.ICL) Windows Icons Library (generic) (2059/9) 7.8% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	fcf0e0c4dad2e8cc (1 x LummaStealer, 1 x Zyklon)
Reporter	andretavare5
Tags:	exe Zyklon

andretavare5

Sample downloaded from http://red.mk/netTime.exe

Intelligence

File Origin

# of uploads :

# of downloads :

292

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2023-07-25 17:11:03 UTC

Tags:

miner phonk loader

Link:

https://app.any.run/tasks/a757fd96-a9a3-450c-a7e0-7a42d0bea39f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/432727/

Detection(s):

SecuriteInfo.com.Win64.TrojanX-gen.9476.2773.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Creating a file

Sending a custom TCP request

Gathering data

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/965535f395581fa0c9b2e96caddab283f516fbc7bddbc1c8ae0148272726aa23

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/63e9ff1a-60d2-4910-b124-6bf293888125

Result

Threat name:

n/a

Detection:

malicious

Classification:

n/a

Score:

56 / 100

Link:

https://www.joesandbox.com/analysis/1279389

Signature

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/965535f395581fa0c9b2e96caddab283f516fbc7bddbc1c8ae0148272726aa23/

Threat name:

Win64.Trojan.Generic

Status:

Suspicious

First seen:

2023-07-25 10:48:36 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

103

AV detection:

15 of 37 (40.54%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=szktl44vlap2bsns5fwk3wvsqp2rn66hxxn4dsfoafecojzgvirq._file

Result

Malware family:

xmrig

Score:

10/10

Tags:

family:xmrig miner

Link:

https://tria.ge/reports/230725-vn4q9seh2v/

Behaviour

Creates scheduled task(s)

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

XMRig Miner payload

xmrig

Unpacked files

SH256 hash:

965535f395581fa0c9b2e96caddab283f516fbc7bddbc1c8ae0148272726aa23

MD5 hash:

c793f342fb899717cfdd61f28fbe8aea

SHA1 hash:

c17aced39bea6c1dcff358184fd067e944ef7fe3

Link:

https://www.unpac.me/results/77a953ce-7d38-45f3-90b4-84887d524834/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/965535f39558/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/965535f395581fa0c9b2e96caddab283f516fbc7bddbc1c8ae0148272726aa23

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BAZT_B5_NOCEXInvalidStream Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

URLhaus

https://urlhaus.abuse.ch/url/2662087/

Cape

https://www.capesandbox.com/analysis/432727/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample