
YARAify Scan Results

You are viewing the YARAify database entry for the file with the SHA256 hash aab7b5c453fb759dee9b7888deff2c4992afb72c828cb2cd3e3d71a1d7d69af5.

Scan Results


SHA256 hash: aab7b5c453fb759dee9b7888deff2c4992afb72c828cb2cd3e3d71a1d7d69af5
File size: 573'440 bytes
File download: Original, Unpacked
MIME type: application/x-dosexec
MD5 hash: 82aff325708b091fe134eccd77f01833
SHA1 hash: c466c97aa91db77171d22c7a85ad1539b7127076
SHA3-384 hash: 6a21c64e4d311c86e2c6335e4f36637ea567b5b2ef42c586c822c0afd8713e16c904d3093fd2e9f89583d25cba32b1b9
First seen: 2022-06-18 10:24:10 UTC
Last seen: 2022-06-18 10:25:07 UTC
Sightings: 2
imphash: b78c7836a924f9a31372fe7f8bcc6142
ssdeep: 12288:yRvNbB/tK0mq//ZKGbtlqttaeCDDHO3pa0uf6TFO1W/DceRkDBmUL:UO0mq/8GbCttDCfu5EfgFioDbo
TLSH: T140C41227AB148971E04C0D320C638BB56E247D64CAC50F5FA7F5BF8DFC706A06A1A59E
telfhash: n/a
gimphash: n/a
File icon (PE): PE icon
dhash icon: 6a64e4c8c1f130c4

Tasks


There are 2 tasks on YARAify for this particular file. The 10 most recent ones are shown below.

Task Information


Task ID: ed149195-eef0-11ec-921d-42010aa4000b
File name: SQLAGENTIHC.exe
Task parameters:
ClamAV scan: True
Unpack: True
Share file: True

ClamAV Results


The file matched the following open source and commercial ClamAV rules.

Signature: Multios.Coinminer.Miner-6781728-2
Signature: PUA.Win.Packer.Upx-4

YARA Results


Static Analysis

The following YARA rules matched on the file (static analysis).

Rule name: exploit_any_poppopret
Author: Jeff White [karttoon@gmail.com] @noottrak
Description: Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.
TLP: TLP:WHITE

Unpacker

The following YARA rules matched on the unpacked file.

Rule name: exploit_any_poppopret
Author: Jeff White [karttoon@gmail.com] @noottrak
Description: Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.
TLP: TLP:WHITE

Rule name: meth_get_eip
Author: Willi Ballenthin
TLP: TLP:WHITE

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB
TLP: TLP:WHITE

Unpacked Files


The following files could be unpacked from this sample.

File name: 4390000.dll
MD5 hash: 0c1c61d07b00c8e7c96fe56906d44198
SHA256 hash: 19d594b05e0886dec12f759408b2f273453217a2caf1947ec2bee686e95f7e74
File size: 46'932 bytes
File type: application/x-dosexec
YARA matches: 2

File name: 400000.SQLAGENTSWE.exe.tag
MD5 hash: fedc8b576197622a796c12f1c797e4f0
SHA256 hash: 4e8f17b950984d707d2aacd39fd34b78ae7f31fc59cefe6002eb58bbbb741ce1
File size: 127'019 bytes
File type: text/plain
YARA matches: 0

File name: 400000.dea96605-8181-416b-9fca-21c7c629e508.exe.tag
MD5 hash: bc199fcbfa8c34cd16fcc899af860670
SHA256 hash: 26862be0db0ae88e68aba25d5cbe20562a93109c38e45b8e8b9eded9a204f309
File size: 128'416 bytes
File type: text/plain
YARA matches: 0

File name: 400000.dea96605-8181-416b-9fca-21c7c629e508.exe
MD5 hash: 6cdb4c231ae9903478e23d2a83d64182
SHA256 hash: 43c3b85efd60316c9ea9246a2ea12abe75a60cc8ef109c40b0dcac9df75eef6d
File size: 1'494'397 bytes
File type: application/x-dosexec
YARA matches: 3

File name: 400000.SQLAGENTSWE.exe
MD5 hash: caabb7daaa3650615c87a547ba574eb5
SHA256 hash: 78a36bca4d1990d4c6ee643a5b54b69bbca8a77ee89d5678cd1ed658b71cbe4b
File size: 1'494'485 bytes
File type: application/x-dosexec
YARA matches: 3

File name: 4310000.dll
MD5 hash: a775bcec215c422e97d37251e9b9b47d
SHA256 hash: 1e68e214c6c1a91e56341ace8e5b6f07448dc0482502efb68b333d61c5c4e9d2
File size: 46'932 bytes
File type: application/x-dosexec
YARA matches: 2

Task Information


Task ID: cad20e04-eef0-11ec-921d-42010aa4000b
File name: 82aff325708b091fe134eccd77f01833
Task parameters:
ClamAV scan: True
Unpack: False
Share file: True

ClamAV Results


The file matched the following open source and commercial ClamAV rules.

Signature: Multios.Coinminer.Miner-6781728-2
Signature: PUA.Win.Packer.Upx-4

YARA Results


Static Analysis

The following YARA rules matched on the file (static analysis).

Rule name: exploit_any_poppopret
Author: Jeff White [karttoon@gmail.com] @noottrak
Description: Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.
TLP: TLP:WHITE

Unpacker

The following YARA rules matched on the unpacked file.

Unpacked Files


The following files could be unpacked from this sample.