MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b09fbd734be48315ad511ec3135359372fb0e1db51c72d9e283dc5e351610105. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 9

Intelligence 9 IOCs YARA 1 File information Comments

SHA256 hash:	b09fbd734be48315ad511ec3135359372fb0e1db51c72d9e283dc5e351610105
SHA3-384 hash:	b1e1fc9c2d10253ff1200bff03c06bc7aa872e3238a095a8fd71347ce477462ee31aa4c0a05b7c1b87ffb806ca3e99dd
SHA1 hash:	78ff03f717991ec44501f4c40fd7461dcbfbb448
MD5 hash:	4e7a16db81590fadd800490b0cd2770d
humanhash:	table-avocado-magnesium-april
File name:	SecuriteInfo.com.PUA.Tool.BtcMine.2608.8514.1882
Download:	download sample
File size:	11'531'288 bytes
First seen:	2022-05-10 21:43:08 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	b3d750ddaa605320c7fcc2bc9c45f7e0
ssdeep	196608:qecRQkmK+H4wQbhRMzKvPGT4vImfdm4ws1kdIYtMukipc5nfAqGbT:qecRhRb9RMgP84vIGdusnTLmUAB3
TLSH	T128C623AE63887398C01344389433FC19B1B6A50F59F0D5EE32DFAAC4779B524DA46F86
TrID	48.7% (.EXE) Win64 Executable (generic) (10523/12/4) 23.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.3% (.EXE) OS/2 Executable (generic) (2029/13) 9.2% (.EXE) Generic Win/DOS Executable (2002/3) 9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter	SecuriteInfoCom
Tags:	exe signed

Code Signing Certificate

Organisation:	珠海源泽咨询有限公司
Issuer:	Sectigo RSA Code Signing CA
Algorithm:	sha256WithRSAEncryption
Valid from:	2020-12-14T00:00:00Z
Valid to:	2021-12-14T23:59:59Z
Serial number:	a7f39e96e042fb85de053131f53e5351
Intelligence:	2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	fec4f25a8fd8892425fa0d3dd00d62a6d4df9288e253da37dad44f1d920de94f
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

259

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

https://ya.ru/

Verdict:

Malicious activity

Analysis date:

2022-02-21 19:14:18 UTC

Tags:

miner evasion trojan

Link:

https://app.any.run/tasks/e612be19-914e-43b4-b217-76ec8806b0b2

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/269545/

Detection(s):

SecuriteInfo.com.PUA.Tool.BtcMine.2608.8514.1882.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug coinminer overlay packed

Link:

https://www.filescan.io/uploads/627adc7140f9dd937eebce92/reports/18e6a879-414e-48f0-8db7-81c9c2ebb13c/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/81493a37-4ff1-4b30-9c6d-a8b40e582d70

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad.mine

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/991466

Signature

Antivirus / Scanner detection for submitted sample

Found strings related to Crypto-Mining

Hides threads from debuggers

Multi AV Scanner detection for submitted file

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

PE file contains section with special chars

Tries to detect debuggers (CloseHandle check)

Tries to evade analysis by execution special instruction (VM detection)

Uses Windows timers to delay execution

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b09fbd734be48315ad511ec3135359372fb0e1db51c72d9e283dc5e351610105/

Threat name:

Win64.Trojan.Miner

Status:

Malicious

First seen:

2021-11-24 06:13:14 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

21 of 41 (51.22%)

Threat level:

5/5

Verdict:

malicious

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/220510-1lf53sccbl/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of NtSetInformationThreadHideFromDebugger

Unpacked files

SH256 hash:

b09fbd734be48315ad511ec3135359372fb0e1db51c72d9e283dc5e351610105

MD5 hash:

4e7a16db81590fadd800490b0cd2770d

SHA1 hash:

78ff03f717991ec44501f4c40fd7461dcbfbb448

Link:

https://www.unpac.me/results/09c6ebb9-4053-4d24-b66c-3042498327d2/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b09fbd734be48315ad511ec3135359372fb0e1db51c72d9e283dc5e351610105

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Sectigo_Code_Signed Create hunting rule
Description:	Detects code signed by the Sectigo RSA Code Signing CA
Reference:	https://bazaar.abuse.ch/export/csv/cscb/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe b09fbd734be48315ad511ec3135359372fb0e1db51c72d9e283dc5e351610105

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2188892/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/269545/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample