MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b10016211f6c0ad5738fa25a9c742291a7a92ed2c0f383ef30c356fff04f6bcc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Worm.m0yv


Vendor detections: 14



SHA256 hash: b10016211f6c0ad5738fa25a9c742291a7a92ed2c0f383ef30c356fff04f6bcc
SHA3-384 hash: ce75d23a18f3596249093629636eeb8558a525cd21e2b2dcd9f7681e5dbfa79c6438e42b99adaf12b36a8b844958071a
SHA1 hash: f8f75d4ece048062d8a86f3a60a7f4c2e44e99a0
MD5 hash: f7883b978863cc7d5d5b53d3a4192936
humanhash: colorado-hotel-pasta-fanta
File name: b10016211f6c0ad5738fa25a9c742291a7a92ed2c0f383ef30c356fff04f6bcc
Signature: Worm.m0yv
File size: 1'666'560 bytes
First seen: 2024-07-18 12:21:48 UTC
Last seen: 2024-07-24 20:27:46 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash 2dfc2c74864b84f5530ab40a343c56d8 (1 x Worm.m0yv)
ssdeep 24576:vAhX8vziFhHENJyElxVirnlBUKZ408vTZrX+lgdW:vAMWFeeERiLlBUKubZrX+ld
Threatray 1 similar samples on MalwareBazaar
TLSH T12975E01576C4C03AE1630635F8ACA765A2FEFC71A939820BB391375E1D72983DA31B53
TrID 68.8% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
12.5% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.4% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter JAMESWT_WT
Tags: exe przvgke-biz Worm.m0yv

Intelligence


File Origin
Number of uploads: 2
Number of downloads: 349
Origin country: IT
Vendor Threat Intelligence
Verdict: Malicious
Score: 96.5%
Tags: Network Static Stealth Infector
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a file in the %AppData% directory
Modifying a system file
Modifying an executable file
Launching a service
Creating a window
Searching for synchronization primitives
Creating a file in the Windows subdirectories
Modifying a system executable file
Connection attempt to an infection source
Launching a process
Loading a system driver
Using the Windows Management Instrumentation requests
Enabling autorun for a service
Query of malicious DNS domain
Enabling autorun with the shell\open\command registry branches
Infecting executable files
Sending an HTTP POST request to an infection source
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-vm expand fingerprint lolbin microsoft_visual_cc packed shell32
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: n/a
Detection: malicious
Classification: spre.expl.evad
Score: 100 / 100
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to behave differently if execute on a Russian/Kazak computer
Creates files inside the volume driver (system volume information)
Drops executable to a common third party application directory
Found direct / indirect Syscall (likely to bypass EDR)
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Behaviour
Behavior Graph (text recovered from the sandbox graph image)
Behavior Graph ID: 1475910
Sample: 7wzPfEQC52.exe
Start date: 18/07/2024
Architecture: WINDOWS
Score: 100
Processes started: armsvc.exe; 7wzPfEQC52.exe; TieringEngineService.exe; 19 other processes
DNS/IP activity from the start node: ssbzmoy.biz; pywolwnvd.biz; 15 other IPs or domains
Signatures on the start node: Snort IDS alert for network traffic; Antivirus detection for URL or domain; Antivirus detection for dropped file; 6 other signatures
armsvc.exe network activity:
  npukfztj.biz 44.221.84.105, ports 49706, 80, AMAZON-AESUS, United States
  vjaxhpbji.biz 82.112.184.197, ports 49710, 49711, 49715, FIRST_LINE-SP_FOR_B2B_CUSTOMERSUPSTREAMSRU, Russian Federation
  przvgke.biz 172.234.222.143, ports 49707, 49708, 80, AKAMAI-ASN1EU, United States
armsvc.exe dropped files:
  C:\Windows\System32\wbengine.exe, PE32+
  C:\Windows\System32\wbem\WmiApSrv.exe, PE32+
  C:\Windows\System32\vds.exe, PE32+
  145 other malicious files
armsvc.exe signatures: Drops executable to a common third party application directory; Infects executable files (exe, dll, sys, html)
7wzPfEQC52.exe network activity:
  knjghuig.biz 18.141.10.107, ports 49702, 49703, 49709, AMAZON-02US, United States
  pywolwnvd.biz 54.244.188.177, ports 49700, 49701, 49704, AMAZON-02US, United States
7wzPfEQC52.exe dropped files:
  C:\Windows\System32\alg.exe, PE32+
  C:\Windows\System32\FXSSVC.exe, PE32+
  DiagnosticsHub.Sta...llector.Service.exe, PE32+
  2 other malicious files
TieringEngineService.exe signatures: Creates files inside the volume driver (system volume information); Contains functionality to behave differently if execute on a Russian/Kazak computer
Other processes signatures: Found direct / indirect Syscall (likely to bypass EDR)
Threat name: Win32.Virus.Expiro
Status: Malicious
First seen: 2024-05-24 22:39:01 UTC
File Type: PE (Exe)
Extracted files: 22
AV detection: 32 of 38 (84.21%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: spyware stealer
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Check_OutputDebugStringA_iat

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: maldoc_getEIP_method_1
Author: Didier Stevens (https://DidierStevens.com)

Rule name: meth_get_eip
Author: Willi Ballenthin

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

ID: CHECK_AUTHENTICODE
Title: Missing Authenticode
Severity: high

ID: CHECK_NX
Title: Missing Non-Executable Memory Protection
Severity: critical

ID: CHECK_PIE
Title: Missing Position-Independent Executable (PIE) Protection
Severity: high

Reviews

ID: COM_BASE_API
Capabilities: Can Download & Execute components
Evidence: ole32.dll::CLSIDFromProgID, ole32.dll::CoCreateInstance

ID: WIN32_PROCESS_API
Capabilities: Can Create Process and Threads
Evidence: KERNEL32.dll::CloseHandle

ID: WIN_BASE_API
Capabilities: Uses Win Base API
Evidence: KERNEL32.dll::TerminateProcess, KERNEL32.dll::LoadLibraryExW, KERNEL32.dll::LoadLibraryA, KERNEL32.dll::GetSystemInfo, KERNEL32.dll::GetStartupInfoA, KERNEL32.dll::GetCommandLineW, KERNEL32.dll::GetCommandLineA

ID: WIN_BASE_EXEC_API
Capabilities: Can Execute other programs
Evidence: KERNEL32.dll::WriteConsoleA, KERNEL32.dll::WriteConsoleW, KERNEL32.dll::SetStdHandle, KERNEL32.dll::GetConsoleCP, KERNEL32.dll::GetConsoleMode, KERNEL32.dll::GetConsoleOutputCP

ID: WIN_BASE_IO_API
Capabilities: Can Create Files
Evidence: KERNEL32.dll::CopyFileW, SHELL32.dll::SHCreateDirectoryExW, KERNEL32.dll::CreateFileW, KERNEL32.dll::CreateFileA, KERNEL32.dll::DeleteFileW, KERNEL32.dll::GetFileAttributesW

ID: WIN_REG_API
Capabilities: Can Manipulate Windows Registry
Evidence: ADVAPI32.dll::RegCreateKeyExW, ADVAPI32.dll::RegOpenKeyExW, ADVAPI32.dll::RegOpenKeyExA, ADVAPI32.dll::RegQueryValueExA, ADVAPI32.dll::RegQueryValueExW

ID: WIN_TRUST_API
Capabilities: Uses Windows Trust API
Evidence: WINTRUST.dll::WinVerifyTrust

Comments