MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e15ea1dc92dd31517334886dba17d7022c73d258096bf77f897ef60c1b8302b1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e15ea1dc92dd31517334886dba17d7022c73d258096bf77f897ef60c1b8302b1
SHA3-384 hash: 99b93c17f34b4bcc5d1984c7632a6fba7dfc338dbb9188056af092464708145e3cd3a17407647f51a9057dd58eea3fa1
SHA1 hash: f584406c46d0875253a01ec222ffadf9d52dd831
MD5 hash: 690c5851e18114339101a92b77775749
humanhash: victor-ten-enemy-chicken
File name:690c5851e18114339101a92b77775749
Download: download sample
File size:3'253'071 bytes
First seen:2021-06-18 20:10:05 UTC
Last seen:2021-06-18 20:32:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 49152:C3dhTgIFAyR8WMdDinwv+P3db4S5ccT/mU9ZREaMVvFQS/UR3uvxZVxPZTuS:CnTqyWWWWwv8db42ZREjvFvUMvxZVtRf
Threatray 330 similar samples on MalwareBazaar
TLSH 2BE53340FDD0D672D6B209364869AA52643DBD311B28DE8B63E0291FEC761C1F7327A7
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
98
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
690c5851e18114339101a92b77775749
Verdict:
Malicious activity
Analysis date:
2021-06-18 20:13:02 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/bb8505d0-9df1-4ea3-a909-51102353fc7b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/166908/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.721.27230.16755.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d72e57d2-02ae-416f-bf70-84ecddd1f85f
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/804544
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Drops PE files to the user root directory
Found strings related to Crypto-Mining
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Sigma detected: Xmrig
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 436955 Sample: 2CX0oSqPDk Startdate: 18/06/2021 Architecture: WINDOWS Score: 100 93 Sigma detected: Xmrig 2->93 95 Multi AV Scanner detection for submitted file 2->95 97 Yara detected Xmrig cryptocurrency miner 2->97 99 3 other signatures 2->99 11 2CX0oSqPDk.exe 10 2->11         started        14 Services32.exe 4 2->14         started        process3 file4 83 C:\Users\user\AppData\Local\Temp\6.exe, PE32+ 11->83 dropped 85 C:\Users\user\AppData\Local\Temp85isSrv.exe, PE32+ 11->85 dropped 87 C:\Users\user\AppData\Local\...\MsMpEng.exe, PE32+ 11->87 dropped 17 6.exe 7 11->17         started        129 Hijacks the control flow in another process 14->129 131 Machine Learning detection for dropped file 14->131 133 Injects code into the Windows Explorer (explorer.exe) 14->133 135 5 other signatures 14->135 21 cmd.exe 1 14->21         started        23 explorer.exe 14->23         started        signatures5 process6 file7 81 C:\Users\user\Services32.exe, PE32+ 17->81 dropped 101 Machine Learning detection for dropped file 17->101 103 Drops PE files to the user root directory 17->103 25 sihost32.exe 3 17->25         started        28 Services32.exe 3 17->28         started        31 cmd.exe 1 17->31         started        33 conhost.exe 21->33         started        35 schtasks.exe 1 21->35         started        signatures8 process9 file10 117 Machine Learning detection for dropped file 25->117 37 Services32.exe 25->37         started        40 Services32.exe 25->40         started        89 C:\Users\user\AppData\...\sihost32.exe, PE32+ 28->89 dropped 119 Hijacks the control flow in another process 28->119 121 Injects code into the Windows Explorer (explorer.exe) 28->121 123 Writes to foreign memory regions 28->123 127 3 other signatures 28->127 42 sihost32.exe 28->42         started        45 cmd.exe 28->45         started        47 explorer.exe 28->47         started        125 Uses schtasks.exe or at.exe to add and modify task schedules 31->125 49 conhost.exe 31->49         started        51 schtasks.exe 1 31->51         started        signatures11 process12 dnsIp13 105 Hijacks the control flow in another process 37->105 107 Injects code into the Windows Explorer (explorer.exe) 37->107 109 Writes to foreign memory regions 37->109 53 cmd.exe 37->53         started        55 explorer.exe 37->55         started        111 Allocates memory in foreign processes 40->111 113 Modifies the context of a thread in another process (thread injection) 40->113 115 Injects a PE file into a foreign processes 40->115 57 cmd.exe 40->57         started        59 explorer.exe 40->59         started        91 192.168.2.1 unknown unknown 42->91 61 Services32.exe 42->61         started        63 conhost.exe 45->63         started        65 schtasks.exe 45->65         started        signatures14 process15 process16 67 conhost.exe 53->67         started        69 schtasks.exe 53->69         started        71 conhost.exe 57->71         started        73 schtasks.exe 57->73         started        75 cmd.exe 61->75         started        process17 77 conhost.exe 75->77         started        79 schtasks.exe 75->79         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e15ea1dc92dd31517334886dba17d7022c73d258096bf77f897ef60c1b8302b1/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-06-18 20:10:17 UTC
AV detection:
15 of 29 (51.72%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
583d46b7751755744e80dd76654a05d021a187d7f9da495b4a75529d9e03f3c0
6c3a2575d3325e7a0f520a5fefa0384855980461683e6c7463debbd668ab3258
6d0083394a549c135820010343353dcfa2929aeaa83f72a50ec60a7263f4ec90
74b13418d9f50f94920aa870823732618509599ed36a57e440c32c1e9cd928f2
a1a0ca95d42cb766533d9c4a8260cdcea4abab6d17214b711b7f366fbafe2413
b50cfd0edcdb6b99115f83ae101003203d113e40e7cf1fa9c796886115f8c994
c19402ce537f9c7a2511484cdb5160719340543c11ae17b60ce2e1706173ceaa
e94c70d3dc3ab2496465e73bffc7c5f1bc3963f3ae309a88d5e16d5e54a540ce
f54f4f34ff1f194148e1296d12e1badfae3eecf24cbfd35aa0308507d7cd367d
fbe0c5aab0d98f9b21b4a71dee73f37df653919ad7490966f5180eaf968780ae
+ 320 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/210618-f4hbqh9l9s/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
e15ea1dc92dd31517334886dba17d7022c73d258096bf77f897ef60c1b8302b1
MD5 hash:
690c5851e18114339101a92b77775749
SHA1 hash:
f584406c46d0875253a01ec222ffadf9d52dd831
Link:
https://www.unpac.me/results/c6e9fd83-ac87-4fc2-ae0e-25171e8ee07e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e15ea1dc92dd31517334886dba17d7022c73d258096bf77f897ef60c1b8302b1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe e15ea1dc92dd31517334886dba17d7022c73d258096bf77f897ef60c1b8302b1

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/166908/
  
URLhaus
https://urlhaus.abuse.ch/url/1377242/

Comments