MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 00f99e2925f2ac3ca02397be84c75bba0ef0ec7d7094273f6e5a4f280114e2f5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 00f99e2925f2ac3ca02397be84c75bba0ef0ec7d7094273f6e5a4f280114e2f5
SHA3-384 hash: 505fc0644fd3cb5a12e5f10be5d1ee49c7d8ce5278b7692bf99c2043d0571c07172720acf5f4b2de57061acf01c15254
SHA1 hash: b24c89fb8edaaf9b281b675e491573ed315a497c
MD5 hash: f43edef896d4995aa3c4b488bbc3dab2
humanhash: arkansas-arizona-moon-fruit
File name:file
Download: download sample
File size:5'433'856 bytes
First seen:2023-10-10 17:16:37 UTC
Last seen:2023-10-10 22:02:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 98304:gQgFB/ih5CzuweQMWIsuhY8QJ2dsnDEpySsPQDAkC43g5:lgFBa+eQAq8AnnocfPQDAkCig
Threatray 18 similar samples on MalwareBazaar
TLSH T15A46CF07BA9B89F2C149373AC5A73C344365D58173A3F61A394E235B58437AA6B48F0F
TrID 56.5% (.EXE) Win64 Executable (generic) (10523/12/4)
11.0% (.ICL) Windows Icons Library (generic) (2059/9)
10.9% (.EXE) OS/2 Executable (generic) (2029/13)
10.7% (.EXE) Generic Win/DOS Executable (2002/3)
10.7% (.EXE) DOS Executable Generic (2000/1)
Reporter andretavare5
Tags:exe


Avatar
andretavare5
Sample downloaded from http://gta5cheatmenu.com/files/strim2.exe

Intelligence

File Origin
# of uploads :
6
# of downloads :
313
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-10-10 17:17:09 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/14de3308-e86d-4117-a6aa-d1e97a5a7bb6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/452950/
Detection(s):
SecuriteInfo.com.Trojan.MSIL.Agent.30897.17502.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Unauthorized injection to a recently created process
Restart of the analyzed sample
Verdict:
Unknown
Threat level:
  0/10
Confidence:
100%
Tags:
control lolbin
Link:
https://www.filescan.io/uploads/6525871040343f27c675d9c6/reports/a47ae112-9d0a-429d-9222-92143a912b9b/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/00f99e2925f2ac3ca02397be84c75bba0ef0ec7d7094273f6e5a4f280114e2f5
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/be77c63b-72ec-43e4-93c5-c353b12f5980
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/00f99e2925f2ac3ca02397be84c75bba0ef0ec7d7094273f6e5a4f280114e2f5/
Threat name:
Win64.Trojan.Privateloader
Create hunting rule
Status:
Suspicious
First seen:
2023-10-10 17:17:06 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
7
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ad4z4kjf6kwdzibds67ijr23xihpb3d5ockcop3oljhsqaiu4l2q._file
Verdict:
unknown
Similar samples:
02522d0f348287c34fe5151fcd556f2f9fb9efe532af705638ea0f2a39dd2434
06578cd5ced41347d5629f398a9806ac509eb7a799e020994d349effd5a9194c
19e5692b41613cb8790fd5f3381e8b10c0fbb4d885d826cb5b7f7075441d42b0
54a730e5183a57a65dc6fa64170a3d75fa870677fb54d563b3b867a2d6208548
92f94ba0c124a7a8158ce117d838c026035116e2ab2565ebc437575ddf87eeea
9554e7ef83f9c1aabed52be7a308d7e25c99e7d71e006146aee045d29784f92d
b3d56a631e43676eda5b849e86b422b690faea632161e5dee989b4836ab4574a
be8ccfb19dab5c8d7b4273dc77b34c7ca0afea516e6bf85f607904345a3ad54f
e3918d1a379ce63babeab599ef8897ce97001017680702dfc8b5ca8ff1808b54
f40e1c8b377326be3e33ef49ddfb71fabf7af2f9a337a3c74784fc7f0356edcc
+ 8 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/231010-vtpjjaeg6v/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious use of SetThreadContext
Executes dropped EXE
Unpacked files
SH256 hash:
00f99e2925f2ac3ca02397be84c75bba0ef0ec7d7094273f6e5a4f280114e2f5
MD5 hash:
f43edef896d4995aa3c4b488bbc3dab2
SHA1 hash:
b24c89fb8edaaf9b281b675e491573ed315a497c
Link:
https://www.unpac.me/results/5ad1d598-0657-4eed-9adb-521ebbffaf1b/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_no_import_table
Create hunting rule
Author:qux
Description:Detects exe does not have import table

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
  
URLhaus
https://urlhaus.abuse.ch/url/2719115/
Cape
Cape
https://www.capesandbox.com/analysis/452950/

Comments