MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 053c122585e122cd201f40b76dd0fa7c7bba26da8453239298d0a200247184ee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 053c122585e122cd201f40b76dd0fa7c7bba26da8453239298d0a200247184ee
SHA3-384 hash: 26147d150c5f7ff4a2cf71bffd7f057e0bc4fee614f553c6edd94e3aa813016bdbf358a4a5cd2aaa28ac5e91c3fd6d25
SHA1 hash: 505b6158118e1feb1b771c57b06921b42200b039
MD5 hash: 41226c77e32b1f7c7f8b90daa8c1685b
humanhash: maryland-whiskey-hawaii-stream
File name:svchost.exe
Download: download sample
File size:87'110'571 bytes
First seen:2024-07-23 18:27:18 UTC
Last seen:2024-08-07 11:23:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b34f154ec913d2d2c435cbd644e91687 (545 x GuLoader, 116 x RemcosRAT, 80 x EpsilonStealer)
ssdeep 1572864:J9eyH+lkndbc3/XF4NbHKswwTTbiZ3Eec15Bo3Xok69GinHdXuXG8aVllc8SK/bn:JIlkdq/yNDKsnmZ3Eei5BoYVf8aVll5X
TLSH T1FA18332058496369C72BBF74C73009FBD5EC76A6CB7D387D6A4B199E9CB60E2031D122
TrID 37.3% (.EXE) Win64 Executable (generic) (10523/12/4)
17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
15.9% (.EXE) Win32 Executable (generic) (4504/4/1)
7.3% (.ICL) Windows Icons Library (generic) (2059/9)
7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter hydradragonav
Tags:163-5-112-21 exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
559
Origin country :
TR TR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
053c122585e122cd201f40b76dd0fa7c7bba26da8453239298d0a200247184ee.exe
Verdict:
No threats detected
Analysis date:
2024-07-23 18:35:52 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5d433b85-e659-4742-ba6f-a3f955c57867

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=669ff638a97e13ad9de790ab
Tags:
Discovery Execution Generic Network Stealth Heur
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Searching for the window
Сreating synchronization primitives
Creating a process from a recently created file
Creating a window
Creating a file
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Searching for synchronization primitives
DNS request
Unauthorized injection to a recently created process
Connection attempt
Sending a custom TCP request
Deleting a recently created file
Replacing files
Changing a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
installer lolbin microsoft_visual_cc overlay packed shell32
Link:
https://www.filescan.io/uploads/669ff63bdfa8b2fced4d8a5c/reports/5565f32a-cb54-4861-8eae-f386349b24be/overview
Verdict:
Suspicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/053c122585e122cd201f40b76dd0fa7c7bba26da8453239298d0a200247184ee
Result
Verdict:
MALICIOUS
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/1479609
Signature
Drops large PE files
Drops PE files with benign system names
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Suspect Svchost Activity
Sigma detected: System File Execution Location Anomaly
System process connects to network (likely due to code injection or exploit)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1479609 Sample: svchost.exe Startdate: 23/07/2024 Architecture: WINDOWS Score: 68 40 ipinfo.io 2->40 44 Sigma detected: System File Execution Location Anomaly 2->44 46 Sigma detected: Suspect Svchost Activity 2->46 48 Sigma detected: Files With System Process Name In Unsuspected Locations 2->48 9 svchost.exe 283 2->9         started        signatures3 process4 file5 30 C:\Users\user\AppData\Local\...\svchost.exe, PE32+ 9->30 dropped 32 C:\Users\user\AppData\Local\...\nsis7z.dll, PE32 9->32 dropped 34 C:\Users\user\AppData\Local\...\System.dll, PE32 9->34 dropped 36 12 other files (none is malicious) 9->36 dropped 50 Drops large PE files 9->50 52 Drops PE files with benign system names 9->52 13 svchost.exe 31 9->13         started        signatures6 process7 dnsIp8 42 ipinfo.io 34.117.59.81, 443, 49738 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 13->42 38 6790e7b9-7dec-436a...f3a4366e2a.tmp.node, PE32+ 13->38 dropped 54 System process connects to network (likely due to code injection or exploit) 13->54 18 cmd.exe 1 13->18         started        20 svchost.exe 1 13->20         started        22 svchost.exe 1 13->22         started        24 explorer.exe 26 1 13->24 injected file9 signatures10 process11 process12 26 conhost.exe 18->26         started        28 chcp.com 1 18->28         started       
Score:
84%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/053c122585e122cd201f40b76dd0fa7c7bba26da8453239298d0a200247184ee
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=au6bejmf4erm2ia7ic3w3uh2pr53ujw2qrjsheuy2craajdrqtxa._file
Verdict:
unknown
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/785e775a-98c0-4f58-9e62-a07ec16fe861
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 053c122585e122cd201f40b76dd0fa7c7bba26da8453239298d0a200247184ee

(this sample)

  
X
https://twitter.com/malwrhunterteam/status/1815633400327205073
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::SetFileSecurityW
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExW
SHELL32.dll::SHFileOperationW
SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetDiskFreeSpaceW
KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileExW
KERNEL32.dll::MoveFileW
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegDeleteKeyW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuW
USER32.dll::EmptyClipboard
USER32.dll::FindWindowExW
USER32.dll::OpenClipboard
USER32.dll::PeekMessageW
USER32.dll::CreateWindowExW

Comments