MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e5e9bd574c786bdbe93bc9237b22ba53393eb6c198c0aca53d356040c6188152. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e5e9bd574c786bdbe93bc9237b22ba53393eb6c198c0aca53d356040c6188152
SHA3-384 hash: a30bfa7c077dc4edeaf4486e2a7d17d3bb122e9513bd2484f65fb4fe05ec441e7817b97dcc61dda06a28e2de4b36b505
SHA1 hash: be837e8cec1097ada1d658e08f371eb766ec04fe
MD5 hash: b40d666da187cba076da3f5f668139c4
humanhash: illinois-mexico-carolina-charlie
File name:31880347.exe
Download: download sample
File size:4'151'296 bytes
First seen:2022-03-20 05:33:03 UTC
Last seen:2022-03-20 07:38:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 98304:TEhEiQ/m5i+9wG0jaJTVnJJupiImkOgumfJ:I19+jkB5kOg3fJ
Threatray 1'206 similar samples on MalwareBazaar
TLSH T1F21633222EFD8102F6C5977091D4A065C0F2B736FE63DA75154A53EB3AC3BD28C161AB
Reporter adm1n_usa32
Tags:64 exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
313
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/253064/
Detection(s):
SecuriteInfo.com.Trojan.MulDrop19.58719.11287.8605.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Launching a process
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm obfuscated packed
Link:
https://www.filescan.io/uploads/6236bc960cd58dbd92c423f5/reports/e053df3a-9789-49bb-bc44-8027c11afbfd/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c79c3566-8747-4e7a-8758-e0173e58c306
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/960220
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected VMProtect packer
Encrypted powershell cmdline option found
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 592701 Sample: 31880347.exe Startdate: 20/03/2022 Architecture: WINDOWS Score: 96 57 Antivirus / Scanner detection for submitted sample 2->57 59 Multi AV Scanner detection for submitted file 2->59 61 Detected VMProtect packer 2->61 63 2 other signatures 2->63 9 31880347.exe 6 2->9         started        12 updater.exe 2 2->12         started        process3 file4 51 C:\Users\user\AppData\Roaming\...\updater.exe, PE32+ 9->51 dropped 53 C:\Users\user\...\updater.exe:Zone.Identifier, ASCII 9->53 dropped 55 C:\Users\user\AppData\...\31880347.exe.log, ASCII 9->55 dropped 15 cmd.exe 1 9->15         started        18 cmd.exe 1 9->18         started        20 cmd.exe 1 9->20         started        67 Antivirus detection for dropped file 12->67 69 Multi AV Scanner detection for dropped file 12->69 71 Machine Learning detection for dropped file 12->71 22 cmd.exe 12->22         started        signatures5 process6 signatures7 73 Encrypted powershell cmdline option found 15->73 75 Uses schtasks.exe or at.exe to add and modify task schedules 15->75 24 powershell.exe 24 15->24         started        26 powershell.exe 16 15->26         started        28 conhost.exe 15->28         started        30 updater.exe 2 18->30         started        32 conhost.exe 18->32         started        34 conhost.exe 20->34         started        36 schtasks.exe 1 20->36         started        38 conhost.exe 22->38         started        40 powershell.exe 22->40         started        process8 process9 42 cmd.exe 30->42         started        signatures10 65 Encrypted powershell cmdline option found 42->65 45 conhost.exe 42->45         started        47 powershell.exe 42->47         started        49 powershell.exe 42->49         started        process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e5e9bd574c786bdbe93bc9237b22ba53393eb6c198c0aca53d356040c6188152/
Threat name:
ByteCode-MSIL.Trojan.CoinminerX
Create hunting rule
Status:
Malicious
First seen:
2022-03-03 15:18:08 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
4
AV detection:
22 of 27 (81.48%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
20ed18cbc1527dec58a455f647eb689f80873fb28c668758f65eb22c91880898
4b415f57ac7f2c6fbe7c0a984e819197866fa04b9f88651ab6ede076a7c76c60
773be0566a9429af2d1daf0d63ad488047a79747cfb910b115af939bfd1bd533
7a0ace49d3bdeb09fd1b43f8676d83862f15119039eaddf428e560eeea0eaa5c
92658a69d2939c08c0b2e75389b34b787da9c32c38742827f8bd85ccb549efc9
bef679a7a5813bf427d09590de7d2f483f8607c44172738aaee3760262eb29a8
+ 1'196 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
vmprotect
Link:
https://tria.ge/reports/220320-f8x2wshfb5/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
VMProtect packed file
Unpacked files
SH256 hash:
e5e9bd574c786bdbe93bc9237b22ba53393eb6c198c0aca53d356040c6188152
MD5 hash:
b40d666da187cba076da3f5f668139c4
SHA1 hash:
be837e8cec1097ada1d658e08f371eb766ec04fe
Link:
https://www.unpac.me/results/29a830f7-af69-4e7b-9624-651daf7774fb/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e5e9bd574c786bdbe93bc9237b22ba53393eb6c198c0aca53d356040c6188152

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with VMProtect.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe e5e9bd574c786bdbe93bc9237b22ba53393eb6c198c0aca53d356040c6188152

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2072699/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/253064/

Comments