MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 04b635cd65aa68c51fd4ad0a94d3f42cbd4485dd535e4c8c50166fd2addc7bef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 04b635cd65aa68c51fd4ad0a94d3f42cbd4485dd535e4c8c50166fd2addc7bef
SHA3-384 hash: 1a8281c27e08651b150fbe125a1ba5c371c1c2fafe98683938f599b886c333ebfa5d90fd05d6bfe62f10be5f23bfc51f
SHA1 hash: 1374d019e0feacbeab060640771bcb00425d8302
MD5 hash: 3de11221c58276f1776fc24b5bd04aa9
humanhash: cola-whiskey-juliet-california
File name:SecuriteInfo.com.Win32.Adware.OpenCandy.P.30589.445
Download: download sample
File size:1'239'616 bytes
First seen:2023-01-18 12:48:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'463 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep 24576:CQi2QwhyIYznNrAlZ4MlHs6zU4q0CjfyJrmmSHvhld0oEMBTlP0QjcpMXVJoT:C9yCun4MZrPJrHkaGpf8
TLSH T189452309F1B2BD3AC1938E388E2B91129D363C6079B36189B65C8E5C5F33592FD48BD5
TrID 68.9% (.EXE) Inno Setup installer (109740/4/30)
8.9% (.EXE) Win32 Executable Delphi generic (14182/79/4)
8.2% (.SCR) Windows screen saver (13097/50/3)
4.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
2.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter SecuriteInfoCom
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
191
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Win32.Adware.OpenCandy.P.30589.445
Verdict:
Malicious activity
Analysis date:
2023-01-18 12:57:12 UTC
Tags:
installer
Link:
https://app.any.run/tasks/42e1d632-5605-457f-be67-163649c09de3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/354152/
Detection(s):
SecuriteInfo.com.Win32.Adware.OpenCandy.P.30589.445.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Searching for the window
Launching a process
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
DNS request
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/61216/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
No Threat
Threat level:
  2/10
Confidence:
80%
Tags:
greyware overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/63c7eadebda854045c192161/reports/cb8da104-7bfc-4ce8-b76b-9fa80efcf398/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
OpenCandy Adware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3039088f-c572-4ec3-90d7-ffa81f521469
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
40 / 100
Link:
https://www.joesandbox.com/analysis/1153824
Signature
Antivirus detection for dropped file
Machine Learning detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Rundll32 performs DNS lookup (likely malicious behavior)
System process connects to network (likely due to code injection or exploit)
Uses netsh to modify the Windows network and firewall settings
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 786555 Sample: SecuriteInfo.com.Win32.Adwa... Startdate: 18/01/2023 Architecture: WINDOWS Score: 40 47 Antivirus detection for dropped file 2->47 49 Multi AV Scanner detection for submitted file 2->49 51 Machine Learning detection for dropped file 2->51 9 SecuriteInfo.com.Win32.Adware.OpenCandy.P.30589.445.exe 2 2->9         started        process3 file4 29 SecuriteInfo.com.W...ndy.P.30589.445.tmp, PE32 9->29 dropped 55 Obfuscated command line found 9->55 13 SecuriteInfo.com.Win32.Adware.OpenCandy.P.30589.445.tmp 22 21 9->13         started        signatures5 process6 file7 31 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 13->31 dropped 33 C:\Users\user\AppData\...\OCSetupHlp.dll, PE32 13->33 dropped 35 C:\...\unins000.exe (copy), PE32 13->35 dropped 37 4 other files (3 malicious) 13->37 dropped 16 rundll32.exe 1 13->16         started        20 SDRFreeMACChanger.exe 1 1 13->20         started        process8 dnsIp9 39 api.opencandy.com 16->39 41 192.168.2.1 unknown unknown 16->41 43 System process connects to network (likely due to code injection or exploit) 16->43 45 Rundll32 performs DNS lookup (likely malicious behavior) 16->45 22 cmd.exe 2 20->22         started        signatures10 process11 signatures12 53 Uses netsh to modify the Windows network and firewall settings 22->53 25 netsh.exe 8 3 22->25         started        27 conhost.exe 22->27         started        process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/04b635cd65aa68c51fd4ad0a94d3f42cbd4485dd535e4c8c50166fd2addc7bef/
Threat name:
Win32.Adware.OpenCandy
Create hunting rule
Status:
Malicious
First seen:
2015-03-14 07:13:00 UTC
File Type:
PE (Exe)
Extracted files:
85
AV detection:
23 of 39 (58.97%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=as3dltlfvjumkh6uvufjju7ufs6ujbo5knpezdcqczx5flo4ppxq._file
Verdict:
unknown
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/230118-p2f98shb44/
Behaviour
Suspicious use of WriteProcessMemory
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
188e65d54312eafe05095d60412c0c0c04c5cd89519ff3ebe4623f4c762d5f92
MD5 hash:
dc450054235cce3c6280bcfa8391fe27
SHA1 hash:
c914243913a06c7562586cd5e1488c1aac7c0718
Link:
https://www.unpac.me/results/0b48c113-36b7-4c70-b44a-5a5280a7a0b1/
SH256 hash:
932861bcf71c595222add049adf69e33fa303706543a5088f2b80de07c39663a
MD5 hash:
c65efd0495e09ee07b31d18a574bc877
SHA1 hash:
706da654b1b87059d188379279b383c7e964a73a
Link:
https://www.unpac.me/results/0b48c113-36b7-4c70-b44a-5a5280a7a0b1/
SH256 hash:
56d31037c09d36c86b04d9c580a57c788302a83fa24339d8874705e3d59b9bf6
MD5 hash:
74334064429d71074b76f077b014b0ce
SHA1 hash:
6a97646a633f01c7a249761e97af89edb1802e93
Link:
https://www.unpac.me/results/0b48c113-36b7-4c70-b44a-5a5280a7a0b1/
SH256 hash:
04b635cd65aa68c51fd4ad0a94d3f42cbd4485dd535e4c8c50166fd2addc7bef
MD5 hash:
3de11221c58276f1776fc24b5bd04aa9
SHA1 hash:
1374d019e0feacbeab060640771bcb00425d8302
Link:
https://www.unpac.me/results/0b48c113-36b7-4c70-b44a-5a5280a7a0b1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.39
Link:
https://yomi.yoroi.company/submissions/04b635cd65aa68c51fd4ad0a94d3f42cbd4485dd535e4c8c50166fd2addc7bef

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/354152/

Comments