MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 da3e6a0d34e00cfd8f0ba76fb647ad9b4c8d3f7dbfef567b4db2127d83b076c9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: da3e6a0d34e00cfd8f0ba76fb647ad9b4c8d3f7dbfef567b4db2127d83b076c9
SHA3-384 hash: 1e81b57f0c611b8f39400fba329fd13752568963619882e997f789ccb9cd8bdf2ea1886f00453fcb578d83a1f7757978
SHA1 hash: f9a510e066a1c3b15fee032221645c7553f6039b
MD5 hash: 6de1741aaef2a13d96af826ec830422c
humanhash: oranges-minnesota-zebra-burger
File name:6de1741aaef2a13d96af826ec830422c
Download: download sample
File size:4'759'131 bytes
First seen:2021-07-03 11:38:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c9adc83b45e363b21cd6b11b5da0501f (82 x ArkeiStealer, 60 x RecordBreaker, 46 x RedLineStealer)
ssdeep 98304:ZAI+PH9Jk/12yFnr21MIGtB0GURZjhHze1x1e3SJy1Nt3QQEXtZ:ytPH9Jk/12ylr22GddeD1iSJy/tX0Z
TLSH 5326333D67878179E60A523A1C4FB6AEB67EEB400537104FB3D70D28967333875613AA
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
106
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
6de1741aaef2a13d96af826ec830422c
Verdict:
Malicious activity
Analysis date:
2021-07-03 11:41:07 UTC
Tags:
installer
Link:
https://app.any.run/tasks/b6f809cc-0dca-4bcc-b6ce-de33c822597a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.PSW.Generic8.ISF.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5d148fd2-2667-4e9b-90be-3026c2f9ea41
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/811426
Signature
Found strings related to Crypto-Mining
Hides threads from debuggers
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Xmrig
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 443837 Sample: 8zsiEeSTzI Startdate: 03/07/2021 Architecture: WINDOWS Score: 100 68 Sigma detected: Xmrig 2->68 70 Multi AV Scanner detection for submitted file 2->70 72 Yara detected Xmrig cryptocurrency miner 2->72 74 5 other signatures 2->74 9 8zsiEeSTzI.exe 14 113 2->9         started        process3 file4 40 C:\Users\user\AppData\...\guimanager.exe, PE32 9->40 dropped 42 C:\Users\user\AppData\...\ssleay32.dll, PE32 9->42 dropped 44 C:\Users\user\AppData\...\pthreadGC2.dll, PE32 9->44 dropped 46 21 other files (none is malicious) 9->46 dropped 12 guimanager.exe 1 34 9->12         started        process5 dnsIp6 54 iplogger.org 88.99.66.31, 443, 49734, 49735 HETZNER-ASDE Germany 12->54 56 bitbucket.org 104.192.141.1, 443, 49736, 49743 AMAZON-02US United States 12->56 58 3 other IPs or domains 12->58 48 C:\ProgramData\Systemd\taskmges.exe, PE32+ 12->48 dropped 50 C:\ProgramData\Systemd\WinRing0x64.sys, PE32+ 12->50 dropped 52 C:\ProgramData\Data\cmdwin.exe, PE32+ 12->52 dropped 76 Sample is not signed and drops a device driver 12->76 17 cmdwin.exe 12->17         started        20 cmdwin.exe 12->20         started        22 cmdwin.exe 12->22         started        24 28 other processes 12->24 file7 signatures8 process9 signatures10 60 Query firmware table information (likely to detect VMs) 17->60 62 Tries to detect sandboxes and other dynamic analysis tools (window names) 17->62 64 Hides threads from debuggers 17->64 66 Tries to detect sandboxes / dynamic malware analysis system (registry check) 17->66 26 taskkill.exe 1 24->26         started        28 conhost.exe 24->28         started        30 taskkill.exe 1 24->30         started        32 31 other processes 24->32 process11 process12 34 conhost.exe 26->34         started        36 taskkill.exe 26->36         started        38 conhost.exe 28->38         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/da3e6a0d34e00cfd8f0ba76fb647ad9b4c8d3f7dbfef567b4db2127d83b076c9/
Threat name:
Win32.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2021-07-01 05:29:41 UTC
AV detection:
17 of 29 (58.62%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  9/10
Tags:
discovery evasion themida trojan
Link:
https://tria.ge/reports/210703-91tf3yrh9a/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Checks BIOS information in registry
Loads dropped DLL
Themida packer
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Unpacked files
SH256 hash:
7ffda7c39e9d150d700b991250bd47d566ef011632b0da2da3110dfb6d464381
MD5 hash:
522967481471d6142a36296cf7e85e3e
SHA1 hash:
f72dc4c61a89c2eb8e3814f69437e59177d611d0
Link:
https://www.unpac.me/results/89c90fe6-5641-4215-9af6-5a90ca36e38f/
SH256 hash:
88c6e056dc1f85772fe37c22868b0a7d70b106bccdac732de35186fde14d2897
MD5 hash:
5cb83304ae9f6622a1417d78f926a2fe
SHA1 hash:
e990bb8dc873b686a8929595da7c7caa00769304
Link:
https://www.unpac.me/results/89c90fe6-5641-4215-9af6-5a90ca36e38f/
SH256 hash:
da3e6a0d34e00cfd8f0ba76fb647ad9b4c8d3f7dbfef567b4db2127d83b076c9
MD5 hash:
6de1741aaef2a13d96af826ec830422c
SHA1 hash:
f9a510e066a1c3b15fee032221645c7553f6039b
Link:
https://www.unpac.me/results/89c90fe6-5641-4215-9af6-5a90ca36e38f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/da3e6a0d34e00cfd8f0ba76fb647ad9b4c8d3f7dbfef567b4db2127d83b076c9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe da3e6a0d34e00cfd8f0ba76fb647ad9b4c8d3f7dbfef567b4db2127d83b076c9

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1422812/

Comments


Avatar
zbet commented on 2021-07-03 11:38:27 UTC

url : hxxp://185.215.113.55/Setup0.exe