MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e3253959f7dac8718f377871ab2640f8f227563c8963d2c94ff4d4f571e00f13. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e3253959f7dac8718f377871ab2640f8f227563c8963d2c94ff4d4f571e00f13
SHA3-384 hash: d9bf34dc4e5b3f1d14abeb9937c0eae70edf1466466999fdcbffd1967d0a35bd992533deca10c21004c04f1b41936806
SHA1 hash: 5c8479f7a5695587c9c8ef6aa235a2089a4b286b
MD5 hash: bf15384858eb653a37c2c52cfb8093bf
humanhash: delta-mars-foxtrot-blossom
File name:SecuriteInfo.com.Trojan.InjectNET.14.15176.1821
Download: download sample
File size:2'042'880 bytes
First seen:2021-10-14 08:51:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 02549ff92b49cce693542fc9afb10102 (84 x CoinMiner, 2 x CoinMiner.XMRig, 1 x AgentTesla)
ssdeep 49152:qcWvnlx8hWJPJ3S0s/337kFEfNEira2PRCSdePZy:qcWNx0Wzu3oFEfN1ZQZ
Threatray 111 similar samples on MalwareBazaar
TLSH T10A95332429C21F2AD39D96F7E4413CCE35FAE1BDC52E22DB37E34C344510EA996069DA
Reporter SecuriteInfoCom
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
139
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Trojan.InjectNET.14.15176.1821
Verdict:
No threats detected
Analysis date:
2021-10-14 09:03:06 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/39b733b6-a2da-41be-89ce-6f0325a0ecbf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/197458/
Detection(s):
SecuriteInfo.com.Trojan.InjectNET.14.15176.1821.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Launching a process
Creating a process from a recently created file
Creating a process with a hidden window
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
67%
Tags:
donut packed
Link:
https://www.filescan.io/uploads/6167efb6fd35fe780c3f8c09/reports/381a1398-e89a-4070-981f-72d99d5c7fdd/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/59324ed2-779a-45cf-bdc6-d9b5ecd48a70
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/870299
Signature
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Drops executables to the windows directory (C:\Windows) and starts them
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 502726 Sample: SecuriteInfo.com.Trojan.Inj... Startdate: 14/10/2021 Architecture: WINDOWS Score: 76 48 Multi AV Scanner detection for submitted file 2->48 9 SecuriteInfo.com.Trojan.InjectNET.14.15176.exe 2->9         started        12 services32.exe 2->12         started        process3 signatures4 62 Writes to foreign memory regions 9->62 64 Allocates memory in foreign processes 9->64 66 Creates a thread in another existing process (thread injection) 9->66 14 conhost.exe 5 9->14         started        68 Multi AV Scanner detection for dropped file 12->68 17 conhost.exe 5 12->17         started        process5 file6 40 C:\Windows\System32\services32.exe, PE32+ 14->40 dropped 42 C:\Windows\...\services32.exe:Zone.Identifier, ASCII 14->42 dropped 20 cmd.exe 1 14->20         started        23 cmd.exe 1 14->23         started        44 C:\Windows\System32\...\sihost32.exe, PE32+ 17->44 dropped 46 Drops executables to the windows directory (C:\Windows) and starts them 17->46 25 sihost32.exe 17->25         started        signatures7 process8 signatures9 50 Drops executables to the windows directory (C:\Windows) and starts them 20->50 27 services32.exe 20->27         started        30 conhost.exe 20->30         started        52 Uses schtasks.exe or at.exe to add and modify task schedules 23->52 32 conhost.exe 23->32         started        34 schtasks.exe 1 23->34         started        54 Multi AV Scanner detection for dropped file 25->54 56 Writes to foreign memory regions 25->56 58 Allocates memory in foreign processes 25->58 60 Creates a thread in another existing process (thread injection) 25->60 36 conhost.exe 2 25->36         started        process10 signatures11 70 Writes to foreign memory regions 27->70 72 Allocates memory in foreign processes 27->72 74 Creates a thread in another existing process (thread injection) 27->74 38 conhost.exe 2 27->38         started        process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e3253959f7dac8718f377871ab2640f8f227563c8963d2c94ff4d4f571e00f13/
Threat name:
Win64.Trojan.Donut
Create hunting rule
Status:
Malicious
First seen:
2021-10-13 09:59:00 UTC
AV detection:
14 of 27 (51.85%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0fecc31110c98a487e301d783c61d7f0e3e607854b5b94a01a96c73b07a99272
12439fc7c876b8bf881db4e97ed57827c1c4f2fd0ebccc29a4e197b19c80488b
370623f3b732194c8497a12cfc2e906755f145c61ab8715c22d98f6fd7cf66d4
5f5650987c9810c4cc59a467650844179c1349ded7b2fa0f1b00edbbf648612c
979489468d527202ce55a465799013a16fccfcc838d523707a016e064a0e85a1
9b8c70d1c0537d946bf7233df72a7e0ebdff2cb70404a69ee6a2419730973462
b41455dfe45bf98bd2f1acec07d7a0df02a3c83e1fdecfb403df3984ab794761
e558134f888d403ba60d7db59978502a9071951528cd4873bd4702921012d69e
e7b94b42550145f6653edad5a47879f3bad1abe865f065d7036ca942c572e842
f12f4f8064e33f458acd1cb2c6c0aed335987385cf8541e71c096fe22a7b7e9c
+ 101 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/211014-ksrmdsgfej/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
e3253959f7dac8718f377871ab2640f8f227563c8963d2c94ff4d4f571e00f13
MD5 hash:
bf15384858eb653a37c2c52cfb8093bf
SHA1 hash:
5c8479f7a5695587c9c8ef6aa235a2089a4b286b
Link:
https://www.unpac.me/results/67ddc764-44a3-41c3-a42d-007becd5658e/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/e3253959f7da/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.10
Link:
https://yomi.yoroi.company/submissions/e3253959f7dac8718f377871ab2640f8f227563c8963d2c94ff4d4f571e00f13

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe e3253959f7dac8718f377871ab2640f8f227563c8963d2c94ff4d4f571e00f13

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1676496/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/197458/

Comments