MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d8312fd35261e3ef4eea90669a22a84352eb613bad5ef5753da7168bbfd7f4fd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Zyklon


Vendor detections: 11


Intelligence 11 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d8312fd35261e3ef4eea90669a22a84352eb613bad5ef5753da7168bbfd7f4fd
SHA3-384 hash: d16ec36f3fa1c3a59a28a31a578679516d7cd7ed5a04e0d1d17a2aef86ccac9e40c8d1b9419be567b2d7330cca65b34d
SHA1 hash: 2fb2067bdd080c0a1ad9977e1343ca7a55b5f89c
MD5 hash: 2c8cee0be7b9e8dee33f6490a94bfe61
humanhash: colorado-alabama-mockingbird-iowa
File name:setup.exe
Download: download sample
Signature Zyklon
Create hunting rule
File size:795'160 bytes
First seen:2023-04-20 00:01:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash baf209bc3be6389efada6a514b122ca6 (2 x CoinMiner, 1 x Zyklon)
ssdeep 12288:nfj43aWqvEEasw/UIVXrR+28w3yKt5OER8VXbb+ABFRIlMkQzt8geHbz6Mx:nr43aftqUCt+R6R8VHzBoleuf7z6Mx
Threatray 2'298 similar samples on MalwareBazaar
TLSH T1450523A97184FB11DD850335A974D2D0D9744C1EABCC110D70B4F3BEEEF8352AA698AB
Reporter Chainskilabs
Tags:exe Zyklon

Intelligence

File Origin
# of uploads :
1
# of downloads :
253
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
setup.exe
Verdict:
Malicious activity
Analysis date:
2023-04-20 00:03:40 UTC
Tags:
miner
Link:
https://app.any.run/tasks/8a0cca22-31bb-4a80-8003-45d69ce4ed2e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/383562/
Detection(s):
SecuriteInfo.com.Trojan.MulDrop21.60101.2236.26724.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for analyzing tools
Сreating synchronization primitives
Launching a process
Creating a file
Enabling the 'hidden' option for recently created files
Using the Windows Management Instrumentation requests
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/644080fb26946732736ff275/reports/8a61d726-6fc6-4adb-8be1-279027349d1e/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/d8312fd35261e3ef4eea90669a22a84352eb613bad5ef5753da7168bbfd7f4fd
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/188bcd00-fe30-49c0-b6cd-d94570e86511
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1217484
Signature
Adds a directory exclusion to Windows Defender
Detected unpacking (changes PE section rights)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sets debug register (to hijack the execution of another thread)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade debugger and weak emulator (self modifying code)
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 850425 Sample: setup.exe Startdate: 20/04/2023 Architecture: WINDOWS Score: 100 34 Snort IDS alert for network traffic 2->34 36 Malicious sample detected (through community Yara rule) 2->36 38 Multi AV Scanner detection for submitted file 2->38 40 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 2->40 7 setup.exe 14 7 2->7         started        12 WBGRGV.exe 2->12         started        process3 dnsIp4 32 179.43.140.229, 49713, 80 PLI-ASCH Panama 7->32 30 C:\ProgramData\portableWin\WBGRGV.exe, PE32+ 7->30 dropped 42 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 7->42 44 Sets debug register (to hijack the execution of another thread) 7->44 46 Tries to evade debugger and weak emulator (self modifying code) 7->46 48 Adds a directory exclusion to Windows Defender 7->48 14 cmd.exe 1 7->14         started        17 WerFault.exe 20 9 7->17         started        20 powershell.exe 20 7->20         started        50 Detected unpacking (changes PE section rights) 12->50 52 Tries to detect sandboxes and other dynamic analysis tools (window names) 12->52 file5 signatures6 process7 file8 54 Uses schtasks.exe or at.exe to add and modify task schedules 14->54 22 conhost.exe 14->22         started        24 schtasks.exe 1 14->24         started        28 C:\ProgramData\Microsoft\...\Report.wer, Unicode 17->28 dropped 26 conhost.exe 20->26         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d8312fd35261e3ef4eea90669a22a84352eb613bad5ef5753da7168bbfd7f4fd/
Threat name:
Win64.Trojan.Casdet
Create hunting rule
Status:
Malicious
First seen:
2023-04-19 12:29:53 UTC
File Type:
PE+ (Exe)
Extracted files:
3
AV detection:
10 of 35 (28.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3ays7u2smhr66txksbtjuiviinjowyj3vvppk5j5u4lixp6x6t6q._file
Verdict:
malicious
Similar samples:
4b52b215bd03be398da861e558349da43877790c0ff2798fcce5303239f76601
Zyklon
4eae155e065ce265492c2e1f0bf8524d940009deb17ff65b8d9218802ae92578
Zyklon
5122ba03679761d768906162a4180fda9767a441cf14aa55e008f0bcbd2878bc
Zyklon
5392a99e772d37c0cf7ba29acd157714fa18cfedb3ca7b2e1ca8c0a937077d45
Zyklon
974c3f752e02dc82bb0275e4ea30d74333fc1e029afd0a9a44805c90badf4116
Zyklon
97dd4d5ad20ddc554faf0cf0bb5bfa252cd8a0b1734bd795124edf71623b98d7
Zyklon
a233a493fb527175b1d79250512c24b3304609e4a0d075c707fb45281b898f67
Zyklon
c22758710d9076fda9f4388e4062888a370e32fd31fb5715e80b37e34b2b1b6e
Zyklon
d4eff49ceb37b4991d17972b2947cc6b54960da88df738ec79fff244d51097ea
Zyklon
db0e6d559a99334ff1924537392f1629bc00339833fcc304e365935d57861ebd
Zyklon
+ 2'288 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner
Link:
https://tria.ge/reports/230420-abftfsga8v/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Suspicious use of SetThreadContext
.NET Reactor proctector
Checks computer location settings
Uses the VBS compiler for execution
XMRig Miner payload
xmrig
Unpacked files
SH256 hash:
d8312fd35261e3ef4eea90669a22a84352eb613bad5ef5753da7168bbfd7f4fd
MD5 hash:
2c8cee0be7b9e8dee33f6490a94bfe61
SHA1 hash:
2fb2067bdd080c0a1ad9977e1343ca7a55b5f89c
Link:
https://www.unpac.me/results/d7929e31-d381-403e-a194-21f2f51edd3b/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d8312fd35261/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/d8312fd35261e3ef4eea90669a22a84352eb613bad5ef5753da7168bbfd7f4fd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BAZT_B5_NOCEXInvalidStream
Create hunting rule
Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:INDICATOR_EXE_Packed_DotNetReactor
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with unregistered version of .NET Reactor
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:win_xfilesstealer_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.xfilesstealer.
Rule name:XWorm_Hunter
Create hunting rule
Author:Potato

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Zyklon

Executable exe d8312fd35261e3ef4eea90669a22a84352eb613bad5ef5753da7168bbfd7f4fd

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2606732/
Cape
Cape
https://www.capesandbox.com/analysis/383562/

Comments