MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ff03a31c53b6e540bb918372dbc2a0213e5020273c6c46fdb2ef5f86ec7a0397. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ff03a31c53b6e540bb918372dbc2a0213e5020273c6c46fdb2ef5f86ec7a0397
SHA3-384 hash: b47e3b80424a3ab73fb658da559a65040f86c91d567add7c7398fc65f214464456a72bcc301f4c19384562bdb0b4d46a
SHA1 hash: 4cad398255d98302db4bff95ef837a8adef11472
MD5 hash: a4bd709d2da4d231ecbeca29fa852bdd
humanhash: alaska-fifteen-mango-massachusetts
File name:a4bd709d2da4d231ecbeca29fa852bdd
Download: download sample
File size:6'208'232 bytes
First seen:2021-07-19 13:05:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a56f115ee5ef2625bd949acaeec66b76 (54 x Stealc, 52 x PureHVNC, 35 x CoinMiner)
ssdeep 98304:DUt78cpCVGPPBz0rq55UojuA1+dSmymekplqWf+AFM/5ycyQxhB3G:DUtocbRBn1+dSmysGA6wcXx
Threatray 72 similar samples on MalwareBazaar
TLSH T185566CF2B1E1219BC01BE0B9C1D0B86FAB6FF4765A08F15B959239765F07C81B42DB21
Reporter zbetcheckin
Tags:exe signed

Code Signing Certificate

Organisation:Bosch GCL 2-15 G Professional 0601066J00
Issuer:Bosch GCL 2-15 G Professional 0601066J00
Algorithm:sha1WithRSAEncryption
Valid from:2021-07-17T13:19:17Z
Valid to:2031-07-18T13:19:17Z
Serial number: 121d135b848d2abf4392c64a6c3ef49c
Thumbprint Algorithm:SHA256
Thumbprint: 95daa104ae567b1ac10d1b27847e250a20c2312758257291c4c4f75ed68dda86
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
112
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://bit.ly/2TjnIwR
Verdict:
Malicious activity
Analysis date:
2021-07-19 01:52:44 UTC
Tags:
trojan rat redline stealer loader
Link:
https://app.any.run/tasks/f62166e3-a007-4330-b014-67542f3d024e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/172547/
Detection(s):
SecuriteInfo.com.Dropper.Generic.VZR.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cbc53dd5-ec43-44e2-968e-ad6ec95375cd
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/818257
Signature
Adds a directory exclusion to Windows Defender
Detected unpacking (changes PE section rights)
Found strings related to Crypto-Mining
Hides threads from debuggers
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Defender Exclusion
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 450668 Sample: TUj6o3ePFl Startdate: 19/07/2021 Architecture: WINDOWS Score: 100 68 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->68 70 Multi AV Scanner detection for submitted file 2->70 72 Yara detected Xmrig cryptocurrency miner 2->72 74 3 other signatures 2->74 8 TUj6o3ePFl.exe 2 5 2->8         started        12 MicrosoftApi.exe 14 5 2->12         started        process3 dnsIp4 44 C:\Users\user\AppData\...\MicrosoftApi.exe, PE32+ 8->44 dropped 46 C:\Users\user\AppData\...\TUj6o3ePFl.exe.log, ASCII 8->46 dropped 48 C:\Users\user\...\ICSharpCode.SharpZipLib.dll, PE32 8->48 dropped 76 Detected unpacking (changes PE section rights) 8->76 78 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->78 80 Query firmware table information (likely to detect VMs) 8->80 15 MicrosoftApi.exe 1 5 8->15         started        56 51.254.241.28, 49750, 49751, 49752 OVHFR France 12->56 50 C:\Users\user\AppData\...\ScreanDriver.exe, PE32+ 12->50 dropped 82 Hides threads from debuggers 12->82 84 Tries to detect sandboxes / dynamic malware analysis system (registry check) 12->84 19 ScreanDriver.exe 12->19         started        21 ScreanDriver.exe 12->21         started        23 ScreanDriver.exe 12->23         started        25 5 other processes 12->25 file5 signatures6 process7 file8 52 C:\Users\user\AppData\...\tmp805E.tmp.cmd, DOS 15->52 dropped 58 Multi AV Scanner detection for dropped file 15->58 60 Detected unpacking (changes PE section rights) 15->60 62 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 15->62 66 4 other signatures 15->66 27 cmd.exe 1 15->27         started        30 cmd.exe 1 15->30         started        54 C:\Users\user\...\ScreanDriver.exe.log, ASCII 19->54 dropped 64 Machine Learning detection for dropped file 19->64 signatures9 process10 signatures11 86 Uses schtasks.exe or at.exe to add and modify task schedules 27->86 88 Adds a directory exclusion to Windows Defender 27->88 32 powershell.exe 23 27->32         started        34 conhost.exe 27->34         started        36 timeout.exe 1 27->36         started        38 conhost.exe 30->38         started        40 timeout.exe 1 30->40         started        42 schtasks.exe 1 30->42         started        process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ff03a31c53b6e540bb918372dbc2a0213e5020273c6c46fdb2ef5f86ec7a0397/
Threat name:
Win64.Exploit.BypassUac
Create hunting rule
Status:
Malicious
First seen:
2021-07-19 09:30:49 UTC
File Type:
PE+ (Exe)
Extracted files:
15
AV detection:
18 of 46 (39.13%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
14754f307601049ba389cf7b9536db2049193b31f05330c7b6d4cb5cd8fa081f
3ec8d6d1645881d59332953e0da03a3207d34f985dd88e975ca8bf65fb7cc3c1
55d33f116ca5cbd1e8bbf9151c2f457f7f045c8b00b7980cada01d20e9bd29c6
5ee9f4addc6c85c45a7a66f9b61c4d7977f21d8ce1aadf667508f4623b317572
6ba57cb21a12212bb988ccfc64bfadb07bc25b332905f3db1b84665c3a5ca5ce
757e7c2569cc52c9e1639fbca06e957cb40f775d5cb1a8aafa670131b62b0824
7c7cff0a48bcfe565fb02e3a39087ce2ad56d5b1c57b229f2d0142f41b7ab191
8aa1689d6acacf9f2eb2603db52dc5908e1ec5d80000deec13e2e038c2883413
+ 62 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion themida trojan
Link:
https://tria.ge/reports/210719-lq72hersfj/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Checks BIOS information in registry
Loads dropped DLL
Themida packer
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Unpacked files
SH256 hash:
ff03a31c53b6e540bb918372dbc2a0213e5020273c6c46fdb2ef5f86ec7a0397
MD5 hash:
a4bd709d2da4d231ecbeca29fa852bdd
SHA1 hash:
4cad398255d98302db4bff95ef837a8adef11472
Link:
https://www.unpac.me/results/ddc9724a-ee2e-4c4c-9a2e-96f9c06c1532/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/ff03a31c53b6e540bb918372dbc2a0213e5020273c6c46fdb2ef5f86ec7a0397

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe ff03a31c53b6e540bb918372dbc2a0213e5020273c6c46fdb2ef5f86ec7a0397

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1466097/
Cape
Cape
https://www.capesandbox.com/analysis/172547/

Comments


Avatar
zbet commented on 2021-07-19 13:05:24 UTC

url : hxxp://podarkivsemu.ru/rvn.exe