MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eef5d903a7e1eb2b6ecd93316efad2bf00def8fd4466dae0157615726a46ba4b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eef5d903a7e1eb2b6ecd93316efad2bf00def8fd4466dae0157615726a46ba4b
SHA3-384 hash: 25f2801ea2f9f9159bc31bdf90f5a5a47a6b6109e9aa5d1025dee2a9c003f8cc9ae0b6207b12a93ecfa00021b6646494
SHA1 hash: 4d89d7a922325a1059f8d0b19d5aba8d0ff9d25c
MD5 hash: 259c75e4a960a53d21ac2f44b844035a
humanhash: five-wisconsin-seventeen-tango
File name:259c75e4a960a53d21ac2f44b844035a
Download: download sample
File size:29'184 bytes
First seen:2021-08-06 16:14:56 UTC
Last seen:2021-08-06 17:01:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 768:mK1dFlRITXm6v26CuMIZ0zaFPx+inHCCINuev00GAsVkYF9jE6hax:L1zlCR2doSQPx+YnOu400qVkYF9jEyax
Threatray 30 similar samples on MalwareBazaar
TLSH T12BD2D010DB9C0429F836CF7855F3BBC54735F191892FE72B2DCB026DDD905289A602B2
Reporter zbetcheckin
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
133
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
259c75e4a960a53d21ac2f44b844035a
Verdict:
No threats detected
Analysis date:
2021-08-06 16:17:02 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b0577e0b-0707-4eb2-ab0c-b986632b3551

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/177063/
Detection(s):
SecuriteInfo.com.Trojan.MulDropNET.46.20613.23384.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Launching a process
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
Creating a process with a hidden window
Creating a file
Creating a process from a recently created file
Creating a file in the system32 directory
Sending a UDP request
Creating a file in the system32 subdirectories
DNS request
Connection attempt
Sending a custom TCP request
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4b6e6b49-e1dc-4100-a8d7-5bc19551c65f
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/828420
Signature
Adds a directory exclusion to Windows Defender
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 460851 Sample: SXJzX7Q4JE Startdate: 06/08/2021 Architecture: WINDOWS Score: 84 77 Multi AV Scanner detection for submitted file 2->77 79 Machine Learning detection for sample 2->79 81 Sigma detected: Powershell Defender Exclusion 2->81 83 Sigma detected: Suspicious Script Execution From Temp Folder 2->83 10 SXJzX7Q4JE.exe 5 2->10         started        14 services32.exe 2 2->14         started        process3 file4 73 C:\Users\user\AppData\Local\...\svchost32.exe, PE32+ 10->73 dropped 75 C:\Users\user\AppData\...\SXJzX7Q4JE.exe.log, ASCII 10->75 dropped 95 Adds a directory exclusion to Windows Defender 10->95 16 cmd.exe 1 10->16         started        18 cmd.exe 1 10->18         started        97 Multi AV Scanner detection for dropped file 14->97 99 Machine Learning detection for dropped file 14->99 21 cmd.exe 1 14->21         started        signatures5 process6 signatures7 23 svchost32.exe 6 16->23         started        27 conhost.exe 16->27         started        85 Uses schtasks.exe or at.exe to add and modify task schedules 18->85 87 Adds a directory exclusion to Windows Defender 18->87 29 powershell.exe 21 18->29         started        31 conhost.exe 18->31         started        39 3 other processes 18->39 33 conhost.exe 21->33         started        35 powershell.exe 21->35         started        37 powershell.exe 21->37         started        41 2 other processes 21->41 process8 file9 69 C:\Windows\System32\services32.exe, PE32+ 23->69 dropped 71 C:\Windows\...\services32.exe:Zone.Identifier, ASCII 23->71 dropped 91 Machine Learning detection for dropped file 23->91 93 Drops executables to the windows directory (C:\Windows) and starts them 23->93 43 services32.exe 3 23->43         started        46 cmd.exe 1 23->46         started        48 cmd.exe 1 23->48         started        signatures10 process11 signatures12 101 Adds a directory exclusion to Windows Defender 43->101 50 cmd.exe 1 43->50         started        53 conhost.exe 46->53         started        55 choice.exe 1 46->55         started        57 conhost.exe 48->57         started        59 schtasks.exe 1 48->59         started        process13 signatures14 89 Adds a directory exclusion to Windows Defender 50->89 61 powershell.exe 18 50->61         started        63 conhost.exe 50->63         started        65 powershell.exe 50->65         started        67 2 other processes 50->67 process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/eef5d903a7e1eb2b6ecd93316efad2bf00def8fd4466dae0157615726a46ba4b/
Threat name:
ByteCode-MSIL.Trojan.Miner
Create hunting rule
Status:
Malicious
First seen:
2021-08-06 16:15:06 UTC
AV detection:
16 of 27 (59.26%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
2dfdc495160b8492466dfe6108702ea44b5a7ff1b8d439d6a6dc9af9359a0838
3cc3678682dc887a9f5e168717967fc266e266a5fd5dfe10e210d26b7246e5c4
561b3cf57b33e115cabbb36756579d7fb15ae90656b826cbd286673b2eaef227
57430cbbfebdef7c54698b00102dbd2098aef53ba4bd5fa43660c2e306f53482
c0b57dd5b03e87a86866c7785e7e5356387c4d3b012b97ae57c6c27e664834c6
c6c9d678a3313c5bb7fe71194a2a1e4d3ffca2f04252dd1983ba657cfe17320e
d96b12587bf342e3a99493402b3ede54ef5b3f31ff4b09a6710f1443a66f2683
e481e934466d3e768442331a3c3af50c4d430b6ed14059afbe661925338ef531
e5ebf928e029cbd3799e7db55f61252e11ab3a821a5998b9044c0ea76aa65b20
+ 20 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/210806-jb3pl5k67j/
Behaviour
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
eef5d903a7e1eb2b6ecd93316efad2bf00def8fd4466dae0157615726a46ba4b
MD5 hash:
259c75e4a960a53d21ac2f44b844035a
SHA1 hash:
4d89d7a922325a1059f8d0b19d5aba8d0ff9d25c
Link:
https://www.unpac.me/results/8320c320-dbe9-4121-a978-e489e33d0288/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/eef5d903a7e1eb2b6ecd93316efad2bf00def8fd4466dae0157615726a46ba4b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe eef5d903a7e1eb2b6ecd93316efad2bf00def8fd4466dae0157615726a46ba4b

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/177063/
  
URLhaus
https://urlhaus.abuse.ch/url/1511527/

Comments


Avatar
zbet commented on 2021-08-06 16:14:56 UTC

url : hxxp://1234.cs21591.tmweb.ru/explorer.exe