MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a7b2e91c63805cdbacd4d7904486e86cf4e5791a32491cd59589c29566d5034f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 5 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a7b2e91c63805cdbacd4d7904486e86cf4e5791a32491cd59589c29566d5034f
SHA3-384 hash: f6495ab14ce156cb27942d8b8722223224fd7053a576eac00323889e17d475c955ccc03904a49f3d1a9d2a877675e41b
SHA1 hash: 1504e8906dca683e357ff66614c775c3205082e9
MD5 hash: 666069add8f8c1c993c706817c1145c3
humanhash: mars-lima-saturn-purple
File name:666069add8f8c1c993c706817c1145c3
Download: download sample
File size:201'216 bytes
First seen:2021-09-25 17:10:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 3072:LKh/XliiSGGg8ObUmvr5yafeDtoDRtfPn3Kmr+AD7rX52M0VfNnSG3xPSl1Lr1qg:LZGGg8Ob/6UDpzVUlru
Threatray 48 similar samples on MalwareBazaar
TLSH T11314EF1912E9D0F37177CABC03CAE635A427D5EB2E15683826D94088479DD81F8F72EE
Reporter zbetcheckin
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
119
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
666069add8f8c1c993c706817c1145c3
Verdict:
No threats detected
Analysis date:
2021-09-25 17:11:31 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9be2a45f-81b6-4f74-b764-b7ae6acaa7f5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
CoinMiner03
Create hunting rule
Link:
https://www.capesandbox.com/analysis/191566/
Detection(s):
Win.Packed.Spyeye-9883275-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Creating a file in the %temp% directory
Running batch commands
Launching a process
Creating a file
Deleting a recently created file
Creating a window
Creating a process with a hidden window
Enabling autorun by creating a file
Malware family:
SpyEye
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a81556b1-8201-48d8-82d2-dbaf0887f971
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/858086
Signature
Adds a directory exclusion to Windows Defender
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Defender Exclusion
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 490517 Sample: iY1PGinCOU Startdate: 25/09/2021 Architecture: WINDOWS Score: 72 53 Multi AV Scanner detection for submitted file 2->53 55 Machine Learning detection for sample 2->55 57 Sigma detected: Powershell Defender Exclusion 2->57 8 iY1PGinCOU.exe 2 5 2->8         started        12 MicrosoftApi.exe 14 2 2->12         started        15 MicrosoftApi.exe 2->15         started        17 MicrosoftApi.exe 2->17         started        process3 dnsIp4 43 C:\Users\user\AppData\...\MicrosoftApi.exe, PE32+ 8->43 dropped 45 C:\Users\...\MicrosoftApi.exe:Zone.Identifier, ASCII 8->45 dropped 47 C:\Users\user\AppData\...\iY1PGinCOU.exe.log, ASCII 8->47 dropped 67 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->67 19 MicrosoftApi.exe 1 5 8->19         started        49 bitbucket.org 104.192.141.1, 443, 49756 AMAZON-02US United States 12->49 51 192.168.2.1 unknown unknown 12->51 file5 signatures6 process7 file8 41 C:\Users\user\AppData\...\tmpC3D.tmp.cmd, DOS 19->41 dropped 59 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 19->59 61 Machine Learning detection for dropped file 19->61 23 cmd.exe 1 19->23         started        26 cmd.exe 1 19->26         started        signatures9 process10 signatures11 63 Uses schtasks.exe or at.exe to add and modify task schedules 23->63 65 Adds a directory exclusion to Windows Defender 23->65 28 conhost.exe 23->28         started        31 powershell.exe 21 23->31         started        33 timeout.exe 1 23->33         started        35 conhost.exe 26->35         started        37 timeout.exe 1 26->37         started        39 schtasks.exe 1 26->39         started        process12 signatures13 69 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 28->69
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a7b2e91c63805cdbacd4d7904486e86cf4e5791a32491cd59589c29566d5034f/
Threat name:
ByteCode-MSIL.Trojan.SpyEye
Create hunting rule
Status:
Malicious
First seen:
2021-09-25 17:11:07 UTC
AV detection:
18 of 45 (40.00%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0284735896363aeae81486be25751824f82b385dd4b6150358ff9b68c36c71e2
25149614d2732a9db3e86ee490064f943cef5747b19d937d2f3cc2d7e13d29b7
5f2846d5daa6e5781427feb62144502ff1522b8250eadbfb7aa3602d04eac1fb
7dc5a00ea0996d4edb8fbee2a9d2caa97ece60b4d5f755c3e82a06205ee2a385
9cc0cf19e63fbf43ed381c94967a1c52a606452657cc05c17b27a1a07e2c5607
a9b301d360e5c630bcfe0759d9479ae8f31f02117233061fda2492b5a21cafa5
c44f4f19f854e3a7312d262f8225024d3eb235fc580f4175ab923a4acd0231ff
dd015fe4a916f31b5b650bd6d787c594119b09ee523f046a68dbdd725ba04c5f
ea07ac0be9b5d757b3d6eab704606fb022770451be04c729af03f3a0941d3fc8
+ 38 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/210925-vps16adfen/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
a7b2e91c63805cdbacd4d7904486e86cf4e5791a32491cd59589c29566d5034f
MD5 hash:
666069add8f8c1c993c706817c1145c3
SHA1 hash:
1504e8906dca683e357ff66614c775c3205082e9
Link:
https://www.unpac.me/results/6f087836-7bbd-4f0d-85da-36ca4c8b9df2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a7b2e91c63805cdbacd4d7904486e86cf4e5791a32491cd59589c29566d5034f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_DisableWinDefender
Create hunting rule
Author:ditekSHen
Description:Detects executables containing artifcats associated with disabling Widnows Defender
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
Create hunting rule
Author:ditekSHen
Description:Detects executables attemping to enumerate video devices using WMI
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_CoinMiner03
Create hunting rule
Author:ditekSHen
Description:Detects coinmining malware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe a7b2e91c63805cdbacd4d7904486e86cf4e5791a32491cd59589c29566d5034f

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1643631/
Cape
Cape
https://www.capesandbox.com/analysis/191566/

Comments


Avatar
zbet commented on 2021-09-25 17:10:11 UTC

url : hxxp://f0583508.xsph.ru/builddd.exe