MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b52960b7ce7ae8c007c59626859816296471b7810036baaa7b7b86c2cd6d6218. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 3


Intelligence 3 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b52960b7ce7ae8c007c59626859816296471b7810036baaa7b7b86c2cd6d6218
SHA3-384 hash: 95225cef0a9180732e6b361a4819b280bd4616c067246ea8bf1cb79d64c8da1aecd5988ef5a65d1f0fc544a66c2fa8bb
SHA1 hash: 26feddd8b00c14d157c18396deb4928a203e21a3
MD5 hash: 8a576e40d8fd9c1cf5308d5e2c8588ae
humanhash: sweet-friend-angel-north
File name:b52960b7ce7ae8c007c59626859816296471b7810036baaa7b7b86c2cd6d6218
Download: download sample
File size:13'244'416 bytes
First seen:2020-06-29 07:05:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash baa93d47220682c04d92f7797d9224ce (139 x RiseProStealer, 26 x Xtrat, 18 x CoinMiner)
ssdeep 196608:xnjo4/vmFWXiXuUPSmSjMn59eT2BK9jFSz/8nxHmrYu9MzrgX+KpirCIlrAIeREz:xns4OWePNn5OxFzxAY0MzrE+59rH2Ez
Threatray 55 similar samples on MalwareBazaar
TLSH AFD6331BB02D82D0DBAF7035A611089651FB01EE82B317252BE55F3DA694D7EEE4CB0D
Reporter JAMESWT_WT

Intelligence

File Origin
# of uploads :
1
# of downloads :
65
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.EXE.Obfus-4.UNOFFICIAL
Create hunting rule

Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b52960b7ce7ae8c007c59626859816296471b7810036baaa7b7b86c2cd6d6218/
Threat name:
Win32.Trojan.Phpw
Create hunting rule
Status:
Malicious
First seen:
2020-06-29 00:57:00 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
25 of 30 (83.33%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
05bb212dd186eaa7c2fa17ad094fd56f55fa203f488f1e150532aa23c86c9bf8
0a724325d6c34ee680d393db2ab074eb37c5c9c1cd5985e51382d275d97daa10
30f878c3d1b2e365f13e2085d39e3c9289dadf191c47dd1abcb273b5fac081b3
53e4f5df0428b043d69593a2875bace25b99e5f2b9f7fc7630a4f8ef5b75251f
74d6d0213855d53e4edad91ee620009558a9df2f6f925be9e81ba54df4b3b11d
85b315f053164c0910b88178383f3271d8faef791d4cb35442f246c91bd80225
8a80a506f1a921b1af4b1b3fd6d37737622a3fd75e10efb44da9956b590cd185
966aa9010dcd3fdd35f00b995066013f1a686c4b8364cd5037b5eaed6f1140df
9efca9fb9aadcdec3f3e23fda67899c67dda0d7178636a5691e15d6b62e01649
b0fcccae3067e57d0725eca21b6c416c9b42b26b6601a5c2d4a7dc20d72eb37a
+ 45 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
persistence evasion trojan
Link:
https://tria.ge/reports/200629-3tj3ew9pka/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run entry to start application
Checks whether UAC is enabled
Checks BIOS information in registry
Loads dropped DLL
Identifies Wine through registry keys
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments