MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 06f6724f13a99d43350b8c3239a574cb6d9bf07b9cb882f8670669da22568ac0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 06f6724f13a99d43350b8c3239a574cb6d9bf07b9cb882f8670669da22568ac0
SHA3-384 hash: e3c7dbc608945d290ec44a653c1c0b41011bfc481065ed15b19fac354b1b3a2221a230f7feca74289fcb6ad7ccd9f4d4
SHA1 hash: 0a74625f1f5bf8ceb81106e6096dcff2f180bfbb
MD5 hash: 639c580b40915654e9eb57ca3f422cfe
humanhash: oven-oklahoma-cat-vermont
File name:SecuriteInfo.com.Win32.MalwareX-gen.20138.12701
Download: download sample
File size:28'314'886 bytes
First seen:2024-07-18 09:25:52 UTC
Last seen:2024-07-24 10:54:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 40ab50289f7ef5fae60801f88d4541fc (59 x ValleyRAT, 49 x Gh0stRAT, 41 x OffLoader)
ssdeep 393216:Q9XLIcdku/CieKlurNi2WTKuBtiuQibFGpX27tgNkur0Rs55ccK7JRHJtPo+9tWv:AXjdFeWp2ruBQiba8gt55ccUht79A+jQ
TLSH T1985733DE6FA7752BF1090BF255F29054F0F7ADD26822ED5681FC04788A2643C1EEE246
TrID 46.7% (.EXE) Inno Setup installer (107240/4/30)
25.0% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
18.1% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
4.5% (.EXE) Win64 Executable (generic) (10523/12/4)
1.9% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE):PE icon
dhash icon 03d3d14942737ff0
Reporter SecuriteInfoCom
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
349
Origin country :
FR FR
Vendor Threat Intelligence
Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6698dfad936dc865ddc7737b
Tags:
Execution Generic Network Ransomware Stealth Heur
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Searching for the window
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
embarcadero_delphi fingerprint installer lolbin overlay packed setupapi shell32
Link:
https://www.filescan.io/uploads/6698dfaecbb32227b6a8a785/reports/0028f4d0-5845-4ec4-b319-11e70dc22cef/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/06f6724f13a99d43350b8c3239a574cb6d9bf07b9cb882f8670669da22568ac0
Result
Verdict:
MALICIOUS
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.evad
Score:
40 / 100
Link:
https://www.joesandbox.com/analysis/1475805
Signature
Adds a directory exclusion to Windows Defender
Loading BitLocker PowerShell Module
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1475805 Sample: SecuriteInfo.com.Win32.Malw... Startdate: 18/07/2024 Architecture: WINDOWS Score: 40 63 www.google.com 2->63 65 ipv4.imgur.map.fastly.net 2->65 67 2 other IPs or domains 2->67 77 Multi AV Scanner detection for dropped file 2->77 79 Multi AV Scanner detection for submitted file 2->79 81 PE file contains section with special chars 2->81 83 4 other signatures 2->83 10 SecuriteInfo.com.Win32.MalwareX-gen.20138.12701.exe 2 2->10         started        13 svchost.exe 2->13         started        signatures3 process4 dnsIp5 61 SecuriteInfo.com.W...gen.20138.12701.tmp, PE32 10->61 dropped 16 SecuriteInfo.com.Win32.MalwareX-gen.20138.12701.tmp 34 453 10->16         started        75 127.0.0.1 unknown unknown 13->75 file6 process7 file8 51 C:\...\unins000.exe (copy), PE32 16->51 dropped 53 launcher_Zeromaker...n0.0.2.0.exe (copy), PE32 16->53 dropped 55 launcher_NEXUS Gam...n0.0.2.0.exe (copy), PE32 16->55 dropped 57 83 other files (74 malicious) 16->57 dropped 19 Launcher.exe 18 17 16->19         started        process9 dnsIp10 69 191.96.92.46, 49708, 80 RAINBOWIDC-AS-APrainbownetworklimitedJP Chile 19->69 71 www.google.com 142.250.185.132, 443, 49707 GOOGLEUS United States 19->71 73 2 other IPs or domains 19->73 59 C:\Program Files (x86)\...\delete_cache.cmd, ASCII 19->59 dropped 85 Adds a directory exclusion to Windows Defender 19->85 24 powershell.exe 23 19->24         started        27 msedgewebview2.exe 19->27         started        29 msedgewebview2.exe 19->29         started        31 cmd.exe 19->31         started        file11 signatures12 process13 signatures14 87 Loading BitLocker PowerShell Module 24->87 33 conhost.exe 24->33         started        35 WmiPrvSE.exe 24->35         started        37 msedgewebview2.exe 27->37         started        39 msedgewebview2.exe 27->39         started        41 msedgewebview2.exe 27->41         started        43 msedgewebview2.exe 29->43         started        45 msedgewebview2.exe 29->45         started        47 msedgewebview2.exe 29->47         started        49 conhost.exe 31->49         started        process15
Score:
68%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/06f6724f13a99d43350b8c3239a574cb6d9bf07b9cb882f8670669da22568ac0
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=a33hetytvgougnilrqzdtjluznwzx4d3ts4if6dhazu5uiswrlaa._file
Verdict:
unknown
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/240718-ld69zasdjr/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Executes dropped EXE
Loads dropped DLL
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/ea1ba5d5-5529-4b7f-be51-250c4cc6964f
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/06f6724f13a99d43350b8c3239a574cb6d9bf07b9cb882f8670669da22568ac0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User Authorizationadvapi32.dll::AllocateAndInitializeSid
advapi32.dll::ConvertSidToStringSidW
advapi32.dll::ConvertStringSecurityDescriptorToSecurityDescriptorW
advapi32.dll::EqualSid
advapi32.dll::FreeSid
SECURITY_BASE_APIUses Security Base APIadvapi32.dll::AdjustTokenPrivileges
advapi32.dll::GetTokenInformation
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CreateProcessW
advapi32.dll::OpenProcessToken
advapi32.dll::OpenThreadToken
kernel32.dll::CloseHandle
kernel32.dll::CreateThread
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryA
kernel32.dll::LoadLibraryExW
kernel32.dll::LoadLibraryW
kernel32.dll::GetDriveTypeW
kernel32.dll::GetVolumeInformationW
kernel32.dll::GetSystemInfo
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateDirectoryW
kernel32.dll::CreateFileW
kernel32.dll::DeleteFileW
kernel32.dll::GetWindowsDirectoryW
kernel32.dll::GetSystemDirectoryW
kernel32.dll::GetFileAttributesW
WIN_BASE_USER_APIRetrieves Account Informationadvapi32.dll::LookupPrivilegeValueW
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegOpenKeyExW
advapi32.dll::RegQueryValueExW
WIN_USER_APIPerforms GUI Actionsuser32.dll::PeekMessageW
user32.dll::CreateWindowExW

Comments