MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a2648c0044dd0c910d9176445c297fd3c6f457478c2a4492ab4e504566c053a3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Expiro


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a2648c0044dd0c910d9176445c297fd3c6f457478c2a4492ab4e504566c053a3
SHA3-384 hash: 36f09c137ff07da652e954883e0f2479b7e4a40d8cbcf57f9552bf330c256836b6d9af94a7fc84d86d488e20577df5c3
SHA1 hash: a58649f0f6d60ec4a9d3d47ab783d8523881d14d
MD5 hash: ab2ebeea801d46bab2ac75b7b9574e2d
humanhash: foxtrot-lemon-gee-oranges
File name:ab2ebeea801d46bab2ac75b7b9574e2d.exe
Download: download sample
Signature Expiro
Create hunting rule
File size:1'374'720 bytes
First seen:2021-12-31 09:31:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 174400a01b268a209fae2074e85ffe34 (1 x Expiro)
ssdeep 12288:Uk5Hghz0DhMSUXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDR:NeJch8sqjnhMgeiCl7G0nehbGZpbD
Threatray 45 similar samples on MalwareBazaar
TLSH T14E551262F78EC1F7D41602718979FB28401AFDB94B2105DFF3D67A2E1AB12C04636A67
File icon (PE):PE icon
dhash icon ba8cae8eb6b29aa4 (2 x Loki, 1 x Expiro, 1 x SnakeKeylogger)
Reporter abuse_ch
Tags:exe Expiro

Intelligence

File Origin
# of uploads :
1
# of downloads :
359
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ab2ebeea801d46bab2ac75b7b9574e2d.exe
Verdict:
Malicious activity
Analysis date:
2021-12-31 09:32:38 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1b01b788-56c7-4324-b9f8-0b4e3702e5fb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/216918/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file in the %AppData% directory
Modifying an executable file
Launching a service
DNS request
Searching for synchronization primitives
Creating a file in the Windows subdirectories
Modifying a system executable file
Sending an HTTP POST request
Launching a process
Loading a system driver
Modifying a system file
Using the Windows Management Instrumentation requests
Changing a file
Creating a file
Enabling autorun for a service
Enabling autorun with the shell\open\command registry branches
Creating a file in the mass storage device
Infecting executable files
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/3558/overview
Behaviour
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fingerprint virus virut
Link:
https://www.filescan.io/uploads/61cece154ab5c44cbf58a14b/reports/cc696958-6a98-44f6-80f9-010aa0133643/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4f70ab55-94cc-4bf7-9322-32bb4d80e2a4
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.spre.troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/914279
Signature
Antivirus detection for dropped file
Creates files inside the volume driver (system volume information)
Deletes shadow drive data (may be related to ransomware)
Drops executable to a common third party application directory
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries random domain names (often used to prevent blacklisting and sinkholes)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to resolve many domain names, but no domain seems valid
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 546757 Sample: aK2aG8PTIE.exe Startdate: 31/12/2021 Architecture: WINDOWS Score: 92 36 zrlssa.biz 2->36 50 Antivirus detection for dropped file 2->50 52 Multi AV Scanner detection for submitted file 2->52 54 Machine Learning detection for sample 2->54 56 5 other signatures 2->56 7 aK2aG8PTIE.exe 2 2->7         started        12 armsvc.exe 1 2->12         started        14 perfhost.exe 2->14         started        16 14 other processes 2->16 signatures3 process4 dnsIp5 38 ereplfx.biz 7->38 40 zyiexezl.biz 7->40 46 125 other IPs or domains 7->46 20 C:\Windows\System32\snmptrap.exe, PE32+ 7->20 dropped 22 C:\Windows\System32\msiexec.exe, PE32+ 7->22 dropped 24 C:\Windows\System32\msdtc.exe, PE32+ 7->24 dropped 32 15 other malicious files 7->32 dropped 58 Drops executable to a common third party application directory 7->58 60 Infects executable files (exe, dll, sys, html) 7->60 18 conhost.exe 7->18         started        42 zyiexezl.biz 12->42 44 zrlssa.biz 12->44 48 128 other IPs or domains 12->48 26 C:\Windows\System32\xbgmsvc.exe, PE32+ 12->26 dropped 28 C:\Windows\System32\wbengine.exe, PE32+ 12->28 dropped 30 C:\Windows\System32\wbem\WmiApSrv.exe, PE32+ 12->30 dropped 34 17 other files (10 malicious) 12->34 dropped 62 Antivirus detection for dropped file 14->62 64 Machine Learning detection for dropped file 14->64 66 Creates files inside the volume driver (system volume information) 16->66 file6 68 Tries to resolve many domain names, but no domain seems valid 44->68 signatures7 process8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a2648c0044dd0c910d9176445c297fd3c6f457478c2a4492ab4e504566c053a3/
Threat name:
Win32.Virus.Expiro
Create hunting rule
Status:
Malicious
First seen:
2021-12-29 18:27:00 UTC
File Type:
PE (Exe)
Extracted files:
14
AV detection:
12 of 28 (42.86%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
1201c943fabde039739daecfd658863ed78a2d11b316e0b1ad88d7ef8f55327f
Expiro
2c672c1537655f77a4f7df0b300aaf54f1a8af6f8dfc72475441020721aed575
Expiro
56c0dbbb56ab9b63c997eb80beb6392b50d507e4dc08ce617d32b8563fbd54ce
Expiro
82576d0e8b54901d195af6f1f724e7689bdf1b3edac3aa51e118637163eed8f4
Expiro
cb6a51b8a047de08fb4bfa7031bd1c917600e55c28f941a1da520e622c29f6a5
Expiro
cdea3bc26665eb9e8656cf107f611f5da08afa12dc9dae129696762d959eb6dc
Expiro
d9b6982e6ebb44f281207474f885164df5748889ee12d2f21ceaf13ce1315f52
Expiro
f60d8bd3ca821e7de945f17d646654b7c0f25949aa8c6f780313925076444fc2
Expiro
fcf1bd355e8599b68f43b368a9fac32d5a2dbeee4dba39d13464f86dc2eac9be
Expiro
+ 35 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner spyware stealer
Link:
https://tria.ge/reports/211231-lhlttsfccp/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Reads user/profile data of web browsers
Executes dropped EXE
xmrig
Unpacked files
SH256 hash:
abdd6f31a909b0b10e30ced74a1f6f037adf1f61a8a842048dbc254d6f076169
MD5 hash:
c33a7f0e25bb3f4d3c19fc8441e9d12b
SHA1 hash:
0286b277e97b9f7c217a0d029e8144f8e20b40b9
Link:
https://www.unpac.me/results/4653b41d-9904-4191-a954-731b17962358/
SH256 hash:
7ab368c963e40c4518a874816f33957c8f475498baad29c4494a609dcdbb0098
MD5 hash:
5b2970110e78ddd2d6d742ab17ab87b0
SHA1 hash:
875a919d524130a4ea2f4c38bc16a9c9fad498e6
Link:
https://www.unpac.me/results/4653b41d-9904-4191-a954-731b17962358/
SH256 hash:
a2648c0044dd0c910d9176445c297fd3c6f457478c2a4492ab4e504566c053a3
MD5 hash:
ab2ebeea801d46bab2ac75b7b9574e2d
SHA1 hash:
a58649f0f6d60ec4a9d3d47ab783d8523881d14d
Link:
https://www.unpac.me/results/4653b41d-9904-4191-a954-731b17962358/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/a2648c0044dd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a2648c0044dd0c910d9176445c297fd3c6f457478c2a4492ab4e504566c053a3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/216918/

Comments