MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 067c59ea6a6c74ab1450f89b6c3aae5a7f689a201414bdf62f5ce5290729a654. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 13


Intelligence 13 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 067c59ea6a6c74ab1450f89b6c3aae5a7f689a201414bdf62f5ce5290729a654
SHA3-384 hash: 13fb0d2db9a20bf9c3131a64d8367239bac415e3aa201ef86961766abedd338b73408e7be6aed34f99d845895fa972c6
SHA1 hash: 0d6be9dcbb80873090c64cadeff59e7cb901f494
MD5 hash: 0a8723888c958a154e4ec21b1d9380b5
humanhash: bacon-maryland-undress-india
File name:deadlock-aimbot-run.exe
Download: download sample
File size:1'255'936 bytes
First seen:2024-08-30 18:47:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bdd6ec5ec31af85af3b9c75c71fa21ae
ssdeep 24576:feujRyC7NWnjPotB2tETz4jtA/48SGVetzQfEfY5ldR:WujQC7K00U4jC/nVnEYj3
TLSH T1F945D059F2548B36E033C0B9C5C3DA66EA72344697308AEB731CCB1D2FA37D59935A60
TrID 41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
26.1% (.EXE) Win64 Executable (generic) (10523/12/4)
12.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.1% (.ICL) Windows Icons Library (generic) (2059/9)
5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
File icon (PE):PE icon
dhash icon f3e9ccb2b2cce8b2
Reporter cydave
Tags:exe github


Avatar
cydave
Extracted from: https://github.com/darksol439/Deadlock-hack

Intelligence

File Origin
# of uploads :
1
# of downloads :
445
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
deadlock-aimbot-run.exe
Verdict:
Malicious activity
Analysis date:
2024-08-30 18:49:50 UTC
Tags:
stealer
Link:
https://app.any.run/tasks/a98314e9-68ff-418b-b3ca-af7f3c9a956b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
MiscreantPunch.SingleXOR.EXE.242.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66d213e5dfc4375710396a14
Tags:
Static
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %AppData% subdirectories
Сreating synchronization primitives
Connection attempt
Searching for synchronization primitives
Sending an HTTP GET request
Sending an HTTP POST request
Setting a global event handler
Reading critical registry keys
Stealing user critical data
Forced shutdown of a browser
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
evasive explorer fingerprint keylogger lolbin microsoft_visual_cc msconfig obfuscated packed rundll32 shell32
Link:
https://www.filescan.io/uploads/66d213e2577589de1265c8f8/reports/78bb9188-2b73-4f6d-a97b-295f221f3c33/overview
Verdict:
Suspicious
Link:
https://www.hybrid-analysis.com/sample/067c59ea6a6c74ab1450f89b6c3aae5a7f689a201414bdf62f5ce5290729a654
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/0be9c8f8-1726-43f8-911d-7cefe33d3194
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1501972
Signature
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Found driver which could be used to inject code into processes
Modifies the context of a thread in another process (thread injection)
Sample is not signed and drops a device driver
Sets debug register (to hijack the execution of another thread)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses known network protocols on non-standard ports
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
Score:
58%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/067c59ea6a6c74ab1450f89b6c3aae5a7f689a201414bdf62f5ce5290729a654
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/067c59ea6a6c74ab1450f89b6c3aae5a7f689a201414bdf62f5ce5290729a654/
Threat name:
Win64.Spyware.Bobik
Create hunting rule
Status:
Malicious
First seen:
2024-08-30 18:48:04 UTC
File Type:
PE+ (Exe)
Extracted files:
37
AV detection:
12 of 24 (50.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=az6ft2tknr2kwfcq7cnwyovolj7wrgracqkl35rpltsssbzjuzka._file
Verdict:
unknown
Result
Malware family:
n/a
Score:
  9/10
Tags:
credential_access discovery spyware stealer
Link:
https://tria.ge/reports/240830-xfq7bayhnd/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
Downloads MZ/PE file
Credentials from Password Stores: Credentials from Web Browsers
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/f72174ae-b24c-4c7f-9b6f-863fbade73b4
Unpacked files
SH256 hash:
79efdcb46fbbc674a841dc93853e3394eeecf6b1bc6ff8686d845323e005c394
MD5 hash:
c5c5d9260a2cdd853bae3e181ccaa66b
SHA1 hash:
ef95edac4d79264120059244210e71e73a49d1fe
Link:
https://www.unpac.me/results/867caa17-18a1-4da4-b9e6-0d5c8181ab7c/
SH256 hash:
067c59ea6a6c74ab1450f89b6c3aae5a7f689a201414bdf62f5ce5290729a654
MD5 hash:
0a8723888c958a154e4ec21b1d9380b5
SHA1 hash:
0d6be9dcbb80873090c64cadeff59e7cb901f494
Detections:
SUSP_XORed_MSDOS_Stub_Message
Create hunting rule
Link:
https://www.unpac.me/results/867caa17-18a1-4da4-b9e6-0d5c8181ab7c/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/067c59ea6a6c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/067c59ea6a6c74ab1450f89b6c3aae5a7f689a201414bdf62f5ce5290729a654

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:INDICATOR_TOOL_DontSleep
Create hunting rule
Author:ditekShen
Description:Detects Keep Host Unlocked (Don't Sleep)
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:SUSP_XORed_MSDOS_Stub_Message
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed MSDOS stub message
Reference:https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Rule name:SUSP_XORed_URL_in_EXE_RID2E46
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
MULTIMEDIA_APICan Play MultimediaWINMM.dll::joyGetNumDevs
WINMM.dll::joyGetPos
WINMM.dll::joyGetPosEx
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExW
SHELL32.dll::ShellExecuteW
WIN32_PROCESS_APICan Create Process and ThreadsADVAPI32.dll::OpenProcessToken
KERNEL32.dll::SetProcessShutdownParameters
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::SetSystemPowerState
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::GetStartupInfoW
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::GetSystemDirectoryW
KERNEL32.dll::GetFileAttributesW
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegOpenKeyW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW
WIN_SOCK_APIUses Network to send and receive dataWS2_32.dll::WSAAccept
WS2_32.dll::WSACloseEvent
WS2_32.dll::WSACreateEvent
WS2_32.dll::WSAEnumNetworkEvents
WS2_32.dll::WSAEventSelect
WS2_32.dll::WSARecv
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuW
USER32.dll::FindWindowExW
USER32.dll::CreateWindowExW

Comments