MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0532411d15ff23b27d4f5306264a32e972c0181dcb5ca0fe8a9b6694a2280369. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0532411d15ff23b27d4f5306264a32e972c0181dcb5ca0fe8a9b6694a2280369
SHA3-384 hash: b584c50357b5a37b82912457b5b632bc337b565976a6019a618200622d9b12ffed30105f0d78fdd4654b54a5d3486f84
SHA1 hash: cf21bb7712bdae111632c7a13940351b491343a9
MD5 hash: 7cf0b940c39b45217b214ff26e78587f
humanhash: bacon-spaghetti-low-alaska
File name:SecuriteInfo.com.Trojan.MulDrop17.52128.341.13409
Download: download sample
File size:24'741'198 bytes
First seen:2021-08-05 12:09:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7235131d58a25a8130aac9df516d4024 (1 x QuasarRAT)
ssdeep 393216:uAP1dyZTDeIRs4dpRhFrjclKdBIYcDJADjOSY1OTlWG80rY3jVMQZTAkWmGN7:b1qDeIRLFrIsNIC3OSVW6c3vTAtv
Threatray 37 similar samples on MalwareBazaar
TLSH T1BD473320F6401E47DBF98A73F0A2DB725F296D37471540E70B6992E94CA7781B83DE28
dhash icon c6c2ccc4f4e0e0f8 (37 x PythonStealer, 21 x CrealStealer, 19 x Empyrean)
Reporter SecuriteInfoCom
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
101
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://anonfiles.com/neF6d221u2/tiktok_boost_2.2_rar
Verdict:
No threats detected
Analysis date:
2021-06-19 19:16:52 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f38bd6d4-3ae5-412b-9370-97b5d7aa758f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.MulDrop17.52128.341.13409.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a file
Deleting a recently created file
Creating a process with a hidden window
Creating a process from a recently created file
Sending a UDP request
Creating a window
Using the Windows Management Instrumentation requests
Launching the default Windows debugger (dwwin.exe)
Modifying a system file
Launching a service
Replacing files
Launching a process
Creating a file in the Windows subdirectories
Forced system process termination
Unauthorized injection to a recently created process
Blocking the Windows Defender launch
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.adwa.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/827688
Signature
Antivirus detection for dropped file
Detected VMProtect packer
Drops PE files to the startup folder
Machine Learning detection for dropped file
Modifies Group Policy settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Yara detected Defender Control Hacktool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 460127 Sample: SecuriteInfo.com.Trojan.Mul... Startdate: 05/08/2021 Architecture: WINDOWS Score: 88 61 192.168.2.1 unknown unknown 2->61 63 Antivirus detection for dropped file 2->63 65 Multi AV Scanner detection for dropped file 2->65 67 Multi AV Scanner detection for submitted file 2->67 69 4 other signatures 2->69 12 SecuriteInfo.com.Trojan.MulDrop17.52128.341.exe 35 2->12         started        16 gpscript.exe 2->16         started        signatures3 process4 file5 51 C:\Users\user\AppData\Local\...\Process.exe, PE32 12->51 dropped 53 C:\Users\user\AppData\Local\...\Defender.exe, PE32+ 12->53 dropped 55 C:\Users\user\AppData\Local\...\Bypass.exe, PE32 12->55 dropped 57 27 other files (none is malicious) 12->57 dropped 71 Drops PE files to the startup folder 12->71 18 SecuriteInfo.com.Trojan.MulDrop17.52128.341.exe 4 12->18         started        signatures6 process7 process8 20 SecuriteInfo.com.Trojan.MulDrop17.52128.341.exe 35 18->20         started        file9 35 C:\Users\user\AppData\Local\...\win32ui.pyd, PE32 20->35 dropped 37 C:\Users\user\AppData\...\win32trace.pyd, PE32 20->37 dropped 39 C:\Users\user\AppData\Local\...\shell.pyd, PE32 20->39 dropped 41 27 other files (none is malicious) 20->41 dropped 23 SecuriteInfo.com.Trojan.MulDrop17.52128.341.exe 6 20->23         started        process10 file11 43 C:\Users\user\AppData\Roaming\...\Process.exe, PE32 23->43 dropped 45 C:\Users\user\AppData\...\Defender.exe, PE32+ 23->45 dropped 47 C:\Users\user\AppData\Roaming\...\Bypass.exe, PE32 23->47 dropped 26 Bypass.exe 3 23->26         started        process12 file13 49 C:\Users\user\AppData\Local\...\Defender.exe, PE32 26->49 dropped 29 Defender.exe 6 26->29         started        process14 file15 59 C:\Windows\System32behaviorgraphroupPolicy\gpt.ini, ASCII 29->59 dropped 73 Multi AV Scanner detection for dropped file 29->73 75 Modifies Group Policy settings 29->75 33 Defender.exe 2 2 29->33         started        signatures16 process17
Gathering data
Threat name:
Win32.Trojan.Heracles
Create hunting rule
Status:
Malicious
First seen:
2021-06-19 18:46:52 UTC
AV detection:
26 of 47 (55.32%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
22f93b97e4ee74c1af48cbdcf878a983cbe2fba7eefc5cd639814dc942cbaa8d
24846b5909d31e83e7b2f74cbc95f403d51b8377aca1b7e0184408b6d1670dca
2e67d5e7d96aec62a9dda4c0259167a44908af863c2b3af2a019723205abba9e
6c3b8f706293d8462261afe66048575af6798cd0ebaec43f77a742609be0f869
8aa1689d6acacf9f2eb2603db52dc5908e1ec5d80000deec13e2e038c2883413
95865be8f76194d2d3c385034000ad089b98c0a78e582f7e5f95661b7a643d7e
b895fbf7b60e9534de3a12e5e6c3b5dbe8a5f6149be49e50beae19e0a9006999
c48e509f7139d0ee5a09d1807e73783e0948741c6f90f1dbc8096318e7d6dd3a
c66e973686ee6d1761be2781a9f27f0f8d81fad4db088d836bebf6055cba193f
ce3a6224dae98fdaa712cfa6495cb72349f333133dbfb339c9e90699cbe4e8e4
+ 27 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion pyinstaller trojan vmprotect
Link:
https://tria.ge/reports/210805-9hzws9826e/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in System32 directory
Drops startup file
Loads dropped DLL
Windows security modification
Executes dropped EXE
VMProtect packed file
Modifies security service
Suspicious use of NtCreateUserProcessOtherParentProcess
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0532411d15ff23b27d4f5306264a32e972c0181dcb5ca0fe8a9b6694a2280369

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 0532411d15ff23b27d4f5306264a32e972c0181dcb5ca0fe8a9b6694a2280369

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1507313/
  
Delivery method
Distributed via web download

Comments