MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 07138f2e2d420199d28d3617143489fcb1eace0254ef6634eeb08734817b9fec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 9

SHA256 hash: 07138f2e2d420199d28d3617143489fcb1eace0254ef6634eeb08734817b9fec
SHA3-384 hash: 51236f43b0e9c7cbf0ac242d6e57deb9384afbc78b1f0b4f5a7c33746fce6837c81cf71f1efba898786287f2bc20f7a6
SHA1 hash: f111d0376a8e625a7d2b79354e0b3bb2e76db667
MD5 hash: d5a2179490c711aeab8d99172470212a
humanhash: fanta-comet-low-indigo
File name: SecuriteInfo.com.Riskware.ITProductDev.19984.858
File size: 891'248 bytes
First seen: 2024-01-26 17:36:26 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: b34f154ec913d2d2c435cbd644e91687 (527 x GuLoader, 110 x RemcosRAT, 80 x EpsilonStealer)
ssdeep: 24576:I7XSwO/MMDu173CTPG1szLSvJwBCD2pOc:iMK73C7fqvCBI2Ec
TLSH: T10C15025E9BA4CC0AD8C3C5B4EE3D1E9A8F23BC3A01796352BB7AF10585F75426735052
TrID:
  47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
  9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
  6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 9831654d4d653198
Reporter: SecuriteInfoCom
Tags: exe signed

Code Signing Certificate

Organisation: ITPRODUCTDEV LTD
Issuer: GlobalSign Extended Validation CodeSigning CA - SHA256 - G3
Algorithm: sha256WithRSAEncryption
Valid from: 2020-05-18T10:45:28Z
Valid to: 2023-05-19T10:45:28Z
Serial number: 1355660840b5813ad3d93017
Intelligence: 4 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm: SHA256
Thumbprint: e6847c414cd9e374b8fccc822d9c72e210f9d691075c11cce72f4a2b84c02028
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads: 1
# of downloads: 338
Origin country: FR

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: VideoDownloader.exe
Verdict: Malicious activity
Analysis date: 2023-02-09 15:45:38 UTC
Tags: loader
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Suspicious
Maliciousness:
Behaviour
  Searching for the window
  Creating a file in the %temp% subdirectories
  Creating synchronization primitives
  Running batch commands
  Creating a process with a hidden window
  Creating a window
  Sending a custom TCP request

Verdict: No Threat
Threat level: 10/10
Confidence: 100%
Tags: installer lolbin masquerade overlay packed shell32

Result
Verdict: MALICIOUS
Details
  Windows PE Executable
  Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: n/a
Detection: suspicious
Classification: rans.spyw.evad
Score: 30 / 100
Signature
  Installs new ROOT certificates
  Modifies existing user documents (likely ransomware behavior)
  Tries to harvest and steal browser information (history, passwords, etc)
  Uses cmd line tools excessively to alter registry or file data
  Writes many files with high entropy
Behaviour
Behavior Graph:
  Behavior Graph ID: 1381832
  Sample: SecuriteInfo.com.Riskware.I...
  Startdate: 26/01/2024
  Architecture: WINDOWS
  Score: 30
  Process tree (each process with the files it dropped, the hosts it contacted, the signatures it triggered and the processes it started):
    Televzr.exe
      dropped: C:\Users\user\...\bundle_2.9.8.zip (copy) (Zip); C:\...\fea4a90ff21732e16cce974da9753c82.png (PNG); C:\...\fc552f940c66132822cd04325840b55c.woff2 (Web); 12 other malicious files
      signatures: Uses cmd line tools excessively to alter registry or file data; Writes many files with high entropy; Modifies existing user documents (likely ransomware behavior)
      started: Televzr.exe
        signature: Tries to harvest and steal browser information (history, passwords, etc)
      started: reg.exe
        started: conhost.exe
      started: reg.exe
        started: conhost.exe
      started: 21 other processes
        contacted: 173.194.219.102 (GOOGLEUS, United States); 104.21.63.211 (CLOUDFLARENETUS, United States)
        started: 16 other processes
    SecuriteInfo.com.Riskware.ITProductDev.19984.858.exe
      contacted: 173.194.219.113 (GOOGLEUS, United States); 172.67.129.222 (CLOUDFLARENETUS, United States); 172.67.150.95 (CLOUDFLARENETUS, United States)
      dropped: C:\Users\user\AppData\Local\...\yt-dlp.exe (PE32); C:\Users\user\AppData\Local\...\Televzr.exe (PE32); C:\Users\user\...\v8_context_snapshot.bin (data); 24 other files (3 malicious)
      started: vcredist_x86.exe
        dropped: C:\...\sqmapi.dll (PE32); C:\...\SetupUi.dll (PE32); C:\...\SetupEngine.dll (PE32); 11 other files (none is malicious)
        signature: Writes many files with high entropy
        started: Setup.exe
          signature: Installs new ROOT certificates
      started: cmd.exe
        started: conhost.exe; tasklist.exe; find.exe
      started: cmd.exe
        started: conhost.exe; more.com
    msiexec.exe
      dropped: 35 other files (none is malicious)
Verdict: unknown

Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
  Suspicious behavior: GetForegroundWindowSpam
  Suspicious use of WriteProcessMemory
  Enumerates physical storage devices
  Loads dropped DLL
Unpacked files

SHA256 hash: 9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6
MD5 hash: 1cc7c37b7e0c8cd8bf04b6cc283e1e56
SHA1 hash: 0b9519763be6625bd5abce175dcc59c96d100d4c

SHA256 hash: ed04a4823f221e9197b8f3c3da1d6859ff5b176185bde2f1c923a442516c810a
MD5 hash: 38caa11a462b16538e0a3daeb2fc0eaf
SHA1 hash: c22a190b83f4b6dc0d6a44b98eac1a89a78de55c

SHA256 hash: b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592
MD5 hash: 80e44ce4895304c6a3a831310fbf8cd0
SHA1 hash: 36bd49ae21c460be5753a904b4501f1abca53508

SHA256 hash: 996a259e53ca18b89ec36d038c40148957c978c0fd600a268497d4c92f882a93
MD5 hash: 17309e33b596ba3a5693b4d3e85cf8d7
SHA1 hash: 7d361836cf53df42021c7f2b148aec9458818c01

SHA256 hash: 5d9ceb1ce5f35aea5f9e5a0c0edeeec04dfefe0c77890c80c70e98209b58b962
MD5 hash: ec0504e6b8a11d5aad43b296beeb84b2
SHA1 hash: 91b5ce085130c8c7194d66b2439ec9e1c206497c

SHA256 hash: 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
MD5 hash: 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 hash: 48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256 hash: 3f47a24d6eeb1203e3325f0b06023e9678df7e860e953925057de17e6c539be4
MD5 hash: fd78a68cb7e9fa26dec0d9d1b2342c72
SHA1 hash: 06d39a9eadc6d4272a5ae2f2ce632de5628d375b

SHA256 hash: 8924993d8e71ef1950ca3668d3833de485fd3b388573bc9ebf5efdb51ac67c2f
MD5 hash: 70563b7155d9ce2ec107a0aa2a1dbc98
SHA1 hash: d68c3f7ba89bf8baacde7461ce1c4fc16f4b345d

SHA256 hash: 07138f2e2d420199d28d3617143489fcb1eace0254ef6634eeb08734817b9fec
MD5 hash: d5a2179490c711aeab8d99172470212a
SHA1 hash: f111d0376a8e625a7d2b79354e0b3bb2e76db667
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits
