MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ed2a3e363a6e6b4e13df5e00779a1318a267376b4a7878df7b0b2e75907c747e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ed2a3e363a6e6b4e13df5e00779a1318a267376b4a7878df7b0b2e75907c747e
SHA3-384 hash: cbf74eadeb5899aa69227d6e0ab2936997fac0bfe49ef7f82808aeceb613a5db4a02261b016927d2801033466d9c5f0a
SHA1 hash: 25b336d93bdb5973da2d806db61dc3e065dd2c51
MD5 hash: b060b285917d1b692f6e91c2f430a4cd
humanhash: sad-lactose-aspen-sodium
File name:xdi-performance.exe
Download: download sample
File size:8'346'631 bytes
First seen:2021-03-14 15:05:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 161c85364c462057ba28801ac1ad5404 (1 x Vjw0rm, 1 x RemoteManipulator)
ssdeep 196608:WbjGyDnJtc8cVNSOPmOxNOc8THsqyeZ0Peqm82aCJNCXlKhBcUqV:m6yDn3qVUOxmMqyO+eZ8kJ5bqV
Threatray 5 similar samples on MalwareBazaar
TLSH 6E86239933E451A9FFB7E036CA12C647C6B0788A42778B2F01E45AB56F737711A1E321
Reporter r3dbU7z
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
142
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
xdi-performance.exe
Verdict:
No threats detected
Analysis date:
2021-03-14 15:06:34 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8fa83870-ff5e-4b22-b3f6-b329b49a8db4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/124192/
Detection(s):
SecuriteInfo.com.AutoIT-14.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.AutoIT-17.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.DownLoader29.46016.2317.14231.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Enabling the 'hidden' option for recently created files
Sending a UDP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
adwa.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/638852
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Binary is likely a compiled AutoIt script file
Creates autostart registry keys with suspicious names
Drops PE files to the startup folder
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ed2a3e363a6e6b4e13df5e00779a1318a267376b4a7878df7b0b2e75907c747e/
Threat name:
Win64.Trojan.Tiggre
Create hunting rule
Status:
Malicious
First seen:
2021-03-09 23:30:00 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
23ee36c32f198966a793d71f9e2f0b4e0b8c1429202f38f2fab3a25c692c5c64
49a326ef65fb6a7f8e778fb2104aa2708e38601348ddbc04e8cbd9117af0458a
a519b94cbb4c14b6fb3397c3220851ebf960fffe4f82360dbd4493bad0d38747
e2f0a2043a3d8ae1e3b6c3f156a410544c2336108b244dd2f9b77f2f9ede0a56
ffd134c643a96d41f3e2e4cdbe7b7a5d2d3e0335921e49618d6b3f9ee896a948
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig miner persistence
Link:
https://tria.ge/reports/210314-g8nal67f9x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
XMRig Miner Payload
xmrig
Unpacked files
SH256 hash:
ed2a3e363a6e6b4e13df5e00779a1318a267376b4a7878df7b0b2e75907c747e
MD5 hash:
b060b285917d1b692f6e91c2f430a4cd
SHA1 hash:
25b336d93bdb5973da2d806db61dc3e065dd2c51
Link:
https://www.unpac.me/results/2be4c8d9-ed03-4878-bfb2-1462327b241a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ed2a3e363a6e6b4e13df5e00779a1318a267376b4a7878df7b0b2e75907c747e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE).

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/124192/

Comments