MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a4c4487dcacebf5048b2266233f5645cfe421154f26e6685ced36aa0621037f1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 14


Intelligence 14 IOCs YARA 28 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a4c4487dcacebf5048b2266233f5645cfe421154f26e6685ced36aa0621037f1
SHA3-384 hash: aadd0ad76951906f0e65236c7c489be0f62bea23cf1e6acd4c3a04a0ccc313faa5d8691998a41d501b3f7df6f6a2d586
SHA1 hash: f0ab69f56ebbbdda791d61fd3d22476d61135871
MD5 hash: be89d598cd96443479c02b022ff70532
humanhash: sad-equal-massachusetts-india
File name:gem2.exe
Download: download sample
File size:538'624 bytes
First seen:2025-01-12 08:24:10 UTC
Last seen:2025-01-12 15:16:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2c0880db5251b34da206c7402f553df0
ssdeep 6144:9m2AOgAgbVYlfxTtR9HVOPeTEKybk5e6XJugmE8fpNj8Osc11gPbuAvZmeGzpwG:9mLOplfLHVOPeYceXE8Dx1gPbVv
TLSH T13DB44B5AA7A843F4E5B7E038C881511AF7B17496132197CF53A14AAB1F23BF19E3E710
TrID 44.4% (.EXE) Win64 Executable (generic) (10522/11/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter JAMESWT_WT
Tags:66-63-187-250 exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
375
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
xmrig
Create hunting rule
ID:
1
File name:
gem2.exe
Verdict:
Malicious activity
Analysis date:
2025-01-11 18:20:42 UTC
Tags:
evasion antivm miner ip-check amsi-bypass xmrig
Link:
https://app.any.run/tasks/8d94830b-7f97-4610-b7fb-54c985710a92

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win64.MalwareX-gen.28881.26093.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67837c612c8240e189bc050a
Tags:
vmdetect autorun emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a process with a hidden window
DNS request
Connection attempt
Sending a custom TCP request
Creating a file in the system32 directory
Launching a process
Creating a file in the Windows subdirectories
Creating a file in the Program Files subdirectories
Running batch commands
Modifying a system file
Searching for synchronization primitives
Creating a file in the system32 subdirectories
Adding an access-denied ACE
Sending an HTTP GET request
Connecting to a cryptocurrency mining pool
Setting browser functions hooks
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Forced shutdown of a system process
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Unauthorized injection to a system process
Using obfuscated Powershell scripts
Unauthorized injection to a browser process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm anti-vm crypto evasive explorer fingerprint lolbin microsoft_visual_cc schtasks
Link:
https://www.filescan.io/uploads/67837c74c9124156667f8977/reports/74f469a2-25c1-4e1f-8927-d916b17a0055/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/a4c4487dcacebf5048b2266233f5645cfe421154f26e6685ced36aa0621037f1
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/197f6000-806f-4e21-9052-b2df03aa9317
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1589411
Signature
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus detection for URL or domain
Contain functionality to detect virtual machines
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates autostart registry keys with suspicious names
Drops executables to the windows directory (C:\Windows) and starts them
Found direct / indirect Syscall (likely to bypass EDR)
Found strings related to Crypto-Mining
Found suspicious powershell code related to unpacking or dynamic code loading
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential WinAPI Calls Via CommandLine
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspect Svchost Activity
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses cmd line tools excessively to alter registry or file data
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1589411 Sample: gem2.exe Startdate: 12/01/2025 Architecture: WINDOWS Score: 100 82 www.google.com 2->82 84 wavepassage.cfd 2->84 86 4 other IPs or domains 2->86 106 Antivirus detection for URL or domain 2->106 108 Multi AV Scanner detection for dropped file 2->108 110 Multi AV Scanner detection for submitted file 2->110 112 18 other signatures 2->112 9 gem2.exe 2 19 2->9         started        14 powershell.exe 2 15 2->14         started        16 System-f4855f59e0.exe 2->16         started        18 3 other processes 2->18 signatures3 process4 dnsIp5 94 www.google.com 142.250.181.228, 49700, 80 GOOGLEUS United States 9->94 96 104.21.60.172, 443, 49702, 49727 CLOUDFLARENETUS United States 9->96 98 pastesnap.com 172.67.198.113, 443, 49701, 49861 CLOUDFLARENETUS United States 9->98 72 C:\Windows\System32\System-f4855f59e0.exe, PE32+ 9->72 dropped 74 C:\Windows\SysWOW64\$LMX-f4855f59e0.exe, PE32+ 9->74 dropped 76 C:\...\Microsoft-f4855f59e0.exe, PE32+ 9->76 dropped 134 Creates autostart registry keys with suspicious names 9->134 136 Injects code into the Windows Explorer (explorer.exe) 9->136 138 Uses schtasks.exe or at.exe to add and modify task schedules 9->138 140 Allocates memory in foreign processes 9->140 20 svchost.exe 1 9->20         started        24 powershell.exe 23 9->24         started        26 schtasks.exe 1 9->26         started        28 explorer.exe 1 9->28         started        142 Writes to foreign memory regions 14->142 144 Modifies the context of a thread in another process (thread injection) 14->144 146 Injects a PE file into a foreign processes 14->146 30 dllhost.exe 14->30         started        32 conhost.exe 14->32         started        148 Multi AV Scanner detection for dropped file 16->148 150 Machine Learning detection for dropped file 16->150 152 Contain functionality to detect virtual machines 16->152 154 Contains functionality to inject code into remote processes 16->154 78 C:\Users\user\...\WinDrive-f4855f59e0.exe, PE32+ 18->78 dropped 156 Found direct / indirect Syscall (likely to bypass EDR) 18->156 file6 signatures7 process8 dnsIp9 88 securetextweb.cc 104.21.64.1, 443, 49879, 49880 CLOUDFLARENETUS United States 20->88 90 textbinvault.com 172.67.176.186, 443, 49871, 49872 CLOUDFLARENETUS United States 20->90 92 2 other IPs or domains 20->92 114 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 20->114 116 Found strings related to Crypto-Mining 20->116 118 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 20->118 120 Uses powercfg.exe to modify the power settings 20->120 34 cmd.exe 1 20->34         started        37 cmd.exe 20->37         started        39 cmd.exe 20->39         started        49 10 other processes 20->49 122 Found suspicious powershell code related to unpacking or dynamic code loading 24->122 124 Loading BitLocker PowerShell Module 24->124 41 WmiPrvSE.exe 24->41         started        43 conhost.exe 24->43         started        45 conhost.exe 26->45         started        126 Injects code into the Windows Explorer (explorer.exe) 30->126 128 Writes to foreign memory regions 30->128 130 Creates a thread in another existing process (thread injection) 30->130 132 Injects a PE file into a foreign processes 30->132 47 lsass.exe 30->47 injected 52 3 other processes 30->52 signatures10 process11 dnsIp12 100 Uses cmd line tools excessively to alter registry or file data 34->100 54 conhost.exe 34->54         started        56 ReAgentc.exe 3 34->56         started        58 conhost.exe 37->58         started        60 reg.exe 37->60         started        68 2 other processes 39->68 102 Writes to foreign memory regions 47->102 80 api.ipify.org 104.26.12.205, 443, 49847 CLOUDFLARENETUS United States 49->80 104 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 49->104 62 conhost.exe 49->62         started        64 conhost.exe 49->64         started        66 conhost.exe 49->66         started        70 10 other processes 49->70 signatures13 process14
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a4c4487dcacebf5048b2266233f5645cfe421154f26e6685ced36aa0621037f1
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a4c4487dcacebf5048b2266233f5645cfe421154f26e6685ced36aa0621037f1/
Threat name:
Win32.Exploit.Generic
Create hunting rule
Status:
Malicious
First seen:
2025-01-11 13:03:32 UTC
File Type:
PE+ (Exe)
AV detection:
21 of 23 (91.30%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=utceq7okz27vasfsezrdh5lelt7eeeku6jxgnboo2nvkayqqg7yq._file
Result
Malware family:
n/a
Score:
  10/10
Tags:
bootkit defense_evasion discovery evasion execution exploit persistence
Link:
https://tria.ge/reports/250112-kbge4awrgj/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Enumerates connected drives
Looks up external IP address via web service
Maps connected drives based on registry
Power Settings
Writes to the Master Boot Record (MBR)
Checks BIOS information in registry
Indicator Removal: Clear Windows Event Logs
Modifies file permissions
Command and Scripting Interpreter: PowerShell
Possible privilege escalation attempt
Sets service image path in registry
Modifies security service
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict:
Malicious
Tags:
loader mofongoloader
YARA:
mofongo_loader
Link:
https://app.threat.zone/submission/a8c691a5-61cb-412f-953e-b99becb9b636
Unpacked files
SH256 hash:
a4c4487dcacebf5048b2266233f5645cfe421154f26e6685ced36aa0621037f1
MD5 hash:
be89d598cd96443479c02b022ff70532
SHA1 hash:
f0ab69f56ebbbdda791d61fd3d22476d61135871
Link:
https://www.unpac.me/results/d4783b34-711a-4811-bfa5-a876c09ee6a0/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a4c4487dcace/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a4c4487dcacebf5048b2266233f5645cfe421154f26e6685ced36aa0621037f1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:BLOWFISH_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:CAS_Malware_Hunting
Create hunting rule
Author:Michael Reinprecht
Description:DEMO CAS YARA Rules for sample2.exe
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__MemoryWorkingSet
Create hunting rule
Author:Fernando Mercês
Description:Anti-debug process memory working set size check
Reference:http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MALWARE_Win_R77
Create hunting rule
Author:ditekSHen
Description:Detects r77 rootkit
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_peb_parsing
Create hunting rule
Author:Willi Ballenthin
Rule name:mofongo_loader
Create hunting rule
Author:vrzh
Description:Mofongo loader maps and executes a payload in a hollowed msedge process
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:skip20_sqllang_hook
Create hunting rule
Author:Mathieu Tartare <mathieu.tartare@eset.com>
Description:YARA rule to detect if a sqllang.dll version is targeted by skip-2.0. Each byte pattern corresponds to a function hooked by skip-2.0. If $1_0 or $1_1 match, it is probably targeted as it corresponds to the hook responsible for bypassing the authentication.
Reference:https://www.welivesecurity.com/
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:WHIRLPOOL_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for WhirlPool constants
Rule name:Windows_Rootkit_R77_d0367e28
Create hunting rule
Author:Elastic Security
Reference:https://www.elastic.co/security-labs/elastic-security-labs-steps-through-the-r77-rootkit

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe a4c4487dcacebf5048b2266233f5645cfe421154f26e6685ced36aa0621037f1

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3390604/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3390603/
  
URLhaus
https://urlhaus.abuse.ch/url/3390616/
  
URLhaus
https://urlhaus.abuse.ch/url/3390578/
  
URLhaus
https://urlhaus.abuse.ch/url/3390607/
  
URLhaus
https://urlhaus.abuse.ch/url/3390615/
  
URLhaus
https://urlhaus.abuse.ch/url/3396015/
  
URLhaus
https://urlhaus.abuse.ch/url/3390602/
  
URLhaus
https://urlhaus.abuse.ch/url/3390608/
  
URLhaus
https://urlhaus.abuse.ch/url/3397382/
  
URLhaus
https://urlhaus.abuse.ch/url/3397384/
  
URLhaus
https://urlhaus.abuse.ch/url/3397395/
  
URLhaus
https://urlhaus.abuse.ch/url/3397397/
  
URLhaus
https://urlhaus.abuse.ch/url/3397399/
  
URLhaus
https://urlhaus.abuse.ch/url/3397400/
  
URLhaus
https://urlhaus.abuse.ch/url/3398054/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::EqualSid
ADVAPI32.dll::FreeSid
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::CheckTokenMembership
ADVAPI32.dll::GetTokenInformation
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA
KERNEL32.dll::OpenProcess
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::VirtualAllocEx
KERNEL32.dll::WriteProcessMemory
KERNEL32.dll::CloseHandle
WININET.dll::InternetCloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineW
KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::CreateFileA
KERNEL32.dll::GetWindowsDirectoryW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExA
ADVAPI32.dll::RegGetValueA
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegSetValueExW
ADVAPI32.dll::RegSetValueExA
WIN_SOCK_APIUses Network to send and receive dataWS2_32.dll::freeaddrinfo
WS2_32.dll::getaddrinfo

Comments