MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0a35146706c4712aea807ce394aab0270d5c115ceb3d0e79695f49f763648a55. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat: unknown
Vendor detections: 12

SHA256 hash: 0a35146706c4712aea807ce394aab0270d5c115ceb3d0e79695f49f763648a55
SHA3-384 hash: 91cdaafbdd21fb13131bc32baa3fff67a662c7fd60e8e2134baecbdb71e5fc2ea2cf2183e3fba9c6e7ff0a64d48aebc4
SHA1 hash: f02ea54bb5d8b6b20016cd90892f4b56163d8e6b
MD5 hash: dc724c3aafa18b464c83bd5910407805
humanhash: stream-helium-rugby-friend
File name: dc724c3aafa18b464c83bd5910407805
File size: 4'614'469 bytes
First seen: 2024-10-12 04:48:51 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: b5a014d7eeb4c2042897567e1288a095 (19 x HijackLoader, 14 x ValleyRAT, 12 x LummaStealer)
ssdeep: 98304:+pTScE3OEH4WTi5cy2KMIg0XfhZprrGWNjPxoKiZ1PMPR8iviRGDowoxziGC:+peBJYWTmcyBMIxXdZpeKiZ1PZRkojxi
Threatray: 2 similar samples on MalwareBazaar
TLSH: T18526335137D4A5F0C2398630CF99DB8A6272EAB926C14F9F77831E266DA35122507CCF
TrID: 38.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      24.6% (.EXE) Win64 Executable (generic) (10522/11/4)
      11.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
      10.5% (.EXE) Win32 Executable (generic) (4504/4/1)
      4.7% (.EXE) OS/2 Executable (generic) (2029/13)
Magika: pebin
dhash icon: c292ecd8f2f6fe1c (15 x HijackLoader, 11 x LummaStealer, 7 x Arechclient2)
Reporter: zbetcheckin
Tags: 32 exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 373
Origin country: FR
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: dc724c3aafa18b464c83bd5910407805
Verdict: Malicious activity
Analysis date: 2024-10-12 04:50:23 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 98.2%
Tags: Powershell Autorun

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: epmicrosoft_visual_cc fingerprint installer lolbin microsoft_visual_cc overlay packed shell32
Result
Verdict: UNKNOWN
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: n/a
Detection: malicious
Classification: spyw.expl.evad
Score: 100 / 100
Signature
AI detected suspicious sample
Drops PE files to the user root directory
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Bitcoin Wallet information
Writes to foreign memory regions
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Behavior Graph ID 1532025 (sample 9nobq4rqr0.exe, start date 12/10/2024, architecture WINDOWS, score 100)

Top-level signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 3 other signatures.
Contacted hosts: lagereku.sbs; www.sendspace.com; fs13n3.sendspace.com.

Process tree (node numbers are the graph's own; indentation shows parent/child):

  10  9nobq4rqr0.exe
        dropped: C:\Users\user\sqlite.dll (PE32); C:\Users\user\AcroBroker.exe (PE32); C:\Users\user\msvcr90.dll (PE32); C:\Users\user\msvcp90.dll (PE32)
        signature: Drops PE files to the user root directory
        18  AcroBroker.exe
              dropped: C:\Users\user\AppData\Roaming\...\sqlite.dll (PE32); C:\Users\user\AppData\...\AcroBroker.exe (PE32); C:\Users\user\AppData\Roaming\...\msvcr90.dll (PE32); C:\Users\user\AppData\Roaming\...\msvcp90.dll (PE32)
              signatures: Switches to a custom stack to bypass stack traces; Found direct / indirect Syscall (likely to bypass EDR)
              26  AcroBroker.exe
                    signatures: Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces; Found direct / indirect Syscall (likely to bypass EDR)
                    35  cmd.exe
                          dropped: C:\Users\user\AppData\Local\Temp\hdrlfcew (PE32+); C:\Users\user\...\ServiceFm_np_test.exe (PE32+)
                          signatures: Writes to foreign memory regions; Found hidden mapped module (file has been removed from disk); Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces
                          39  ServiceFm_np_test.exe
                                network: lagereku.sbs 188.114.96.3 (ports 443, 49765, 49776; CLOUDFLARENETUS; European Union); fs13n3.sendspace.com 69.31.136.57 (ports 443, 49784, 49984; GTT-BACKBONEGTTDE; United States); www.sendspace.com 172.67.170.105 (ports 443, 49790; CLOUDFLARENETUS; United States)
                                signatures: Tries to harvest and steal Bitcoin Wallet information; Found direct / indirect Syscall (likely to bypass EDR)
                          43  conhost.exe
  14  AcroBroker.exe
        signatures: Maps a DLL or memory area into another process; Found direct / indirect Syscall (likely to bypass EDR)
        22  cmd.exe
              dropped: C:\Users\user\AppData\Local\...\funlpmyqaaxbm (PE32+)
              signatures: Writes to foreign memory regions; Maps a DLL or memory area into another process
              29  ServiceFm_np_test.exe
              31  conhost.exe
  16  AcroBroker.exe
        24  cmd.exe
              33  conhost.exe
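The sandbox report above gives a usable set of IOCs: the contacted hosts and IPs, the file names the sample drops, and the behaviour of writing PE files straight into the user's profile root. The following is an added example of turning those into a simple detection pass over endpoint and network telemetry; it is not part of this entry nor any vendor's code. The event dictionary format and the SAMPLE_EVENTS list are constructed for illustration (the file name setup.exe and the user name alice are invented); only the hashes, domains, IPs and dropped-file names come from the entry.

```python
"""Added example: match the IOCs listed in this MalwareBazaar entry against
constructed endpoint and network events. Not part of the entry or of any
sandbox vendor's code; the event format and SAMPLE_EVENTS are assumptions."""
import re

# Hashes from the entry: the submitted sample and the first listed unpacked file.
SHA256_IOCS = {
    "0a35146706c4712aea807ce394aab0270d5c115ceb3d0e79695f49f763648a55",
    "68bee500e0080f21c003126e73b6d07804d23ac98b2376a8b76c26297d467abe",
}
# Hosts and IPs contacted by ServiceFm_np_test.exe in the sandbox run.
DOMAIN_IOCS = {"lagereku.sbs", "www.sendspace.com", "fs13n3.sendspace.com"}
IP_IOCS = {"188.114.96.3", "69.31.136.57", "172.67.170.105"}
# File names the sample drops (matched case-insensitively on the basename).
DROPPED_NAMES = {"acrobroker.exe", "sqlite.dll", "msvcr90.dll",
                 "msvcp90.dll", "servicefm_np_test.exe"}

# "Drops PE files to the user root directory": an .exe or .dll written
# directly under C:\Users\<name>\ rather than into a subfolder.
USER_ROOT_PE = re.compile(
    r"^[A-Za-z]:\\Users\\[^\\]+\\[^\\]+\.(?:exe|dll)$", re.IGNORECASE)


def check_event(ev):
    """Return the reasons one event matches the entry's IOCs ([] if none)."""
    hits = []
    kind = ev.get("type")
    if kind == "dns":
        name = ev.get("query", "").lower().rstrip(".")
        if name in DOMAIN_IOCS:
            hits.append(f"DNS query for listed host {name}")
    elif kind == "net":
        if ev.get("dst_ip") in IP_IOCS:
            hits.append(f"connection to listed IP {ev['dst_ip']}:{ev.get('dst_port')}")
    elif kind == "file":
        path = ev.get("path", "")
        base = path.rsplit("\\", 1)[-1].lower()
        if base in DROPPED_NAMES:
            hits.append(f"dropped-file name from sandbox run: {base}")
        if USER_ROOT_PE.match(path):
            hits.append(f"PE written to user profile root: {path}")
        if ev.get("sha256", "").lower() in SHA256_IOCS:
            hits.append(f"SHA256 listed in entry: {ev['sha256'][:12]}...")
    return hits


def scan(events):
    """Return [(index, reasons)] for every event with at least one hit."""
    results = []
    for i, ev in enumerate(events):
        reasons = check_event(ev)
        if reasons:
            results.append((i, reasons))
    return results


# Constructed telemetry, not real logs; user "alice" and "setup.exe" are invented.
SAMPLE_EVENTS = [
    {"type": "file", "path": r"C:\Users\alice\AcroBroker.exe"},
    {"type": "file", "path": r"C:\Users\alice\Downloads\setup.exe",
     "sha256": "0a35146706c4712aea807ce394aab0270d5c115ceb3d0e79695f49f763648a55"},
    {"type": "file", "path": r"C:\Program Files\Git\bin\git.exe", "sha256": "00" * 32},
    {"type": "dns", "query": "lagereku.sbs."},
    {"type": "net", "dst_ip": "188.114.96.3", "dst_port": 443},
    {"type": "dns", "query": "www.example.com"},
]

if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx])
        for r in reasons:
            print("   ", r)
```

Weight the hits differently: 188.114.96.3 and 172.67.170.105 sit in CLOUDFLARENETUS, i.e. shared reverse-proxy addresses, and sendspace.com is a public file host, so an IP or a sendspace hit alone is low confidence. The lagereku.sbs query and a PE dropped directly into the profile root are the stronger signals here.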
Threat name: Win32.Trojan.Nekark
Status: Malicious
First seen: 2024-10-11 08:55:39 UTC
File Type: PE (Exe)
Extracted files: 22
AV detection: 14 of 24 (58.33%)
Threat level: 5/5

Result
Malware family: n/a
Score: 7/10
Tags: discovery spyware stealer
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
Unpacked files

SHA256: 68bee500e0080f21c003126e73b6d07804d23ac98b2376a8b76c26297d467abe
MD5:    d4dae7149d6e4dab65ac554e55868e3b
SHA1:   b3bea0a0a1f0a6f251bcf6a730a97acc933f269a

SHA256: a6edb3fb6d21dd461da3767a7995034e208f7d6b08997f6cf7ee7b0ea833a8f0
MD5:    cabb58bb5694f8b8269a73172c85b717
SHA1:   9ed583c56385fed8e5e0757ddb2fdf025f96c807

SHA256: 4dabbe4da2773f85db3e4191bcc2d382af41b368a6bc0c196974e70072a1fffb
MD5:    371fe401d4aa716fed91c211ee4592b9
SHA1:   b72f11f8ec7684fddc4f29f81198076695925bc9

SHA256: c21d1b07ef7a10d673dac93984388877972187560bfc7042438aaed3e8913358
MD5:    a217e3921e160f1e20a758c687d8e6d4
SHA1:   577029b6670f2ebdcc3a16bb1f831c5c60155c5d

SHA256: 526d458efdb36dfe3db5d74c3ed9e94f01c999543c0d5b6dd5595329603261fc
MD5:    b7582587ce730d4a14d367aefbe6b101
SHA1:   1526b310fb24cfe7a97e2348c5377a6c2961c100

SHA256: ceb0947d898bc2a55a50f092f5ed3f7be64ac1cd4661022eefd3edd4029213b0
MD5:    11d49148a302de4104ded6a92b78b0ed
SHA1:   fd58a091b39ed52611ade20a782ef58ac33012af

SHA256: 0a35146706c4712aea807ce394aab0270d5c115ceb3d0e79695f49f763648a55 (the submitted sample itself)
MD5:    dc724c3aafa18b464c83bd5910407805
SHA1:   f02ea54bb5d8b6b20016cd90892f4b56163d8e6b
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name:Detect_Malicious_VBScript_Base64
Author:daniyyell
Description:Detects malicious VBScript patterns, including Base64 decoding, file operations, and PowerShell.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Distributed via web download

Web download: Executable exe 0a35146706c4712aea807ce394aab0270d5c115ceb3d0e79695f49f763648a55 (this sample)

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

ID                  Title                                                     Severity
CHECK_AUTHENTICODE  Missing Authenticode                                      high
CHECK_NX            Missing Non-Executable Memory Protection                  critical
CHECK_PIE           Missing Position-Independent Executable (PIE) Protection  high

Reviews

ID                 Capabilities                       Evidence
COM_BASE_API       Can Download & Execute components  ole32.dll::CoCreateInstance, ole32.dll::CreateStreamOnHGlobal
SHELL_API          Manipulates System Shell           SHELL32.dll::ShellExecuteExW, SHELL32.dll::ShellExecuteW, SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_API  Can Create Process and Threads     KERNEL32.dll::CloseHandle, KERNEL32.dll::CreateThread
WIN_BASE_API       Uses Win Base API                  KERNEL32.dll::LoadLibraryA, KERNEL32.dll::GetDriveTypeW, KERNEL32.dll::GetStartupInfoA, KERNEL32.dll::GetDiskFreeSpaceExW, KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_API    Can Create Files                   KERNEL32.dll::CreateDirectoryW, KERNEL32.dll::CreateFileW, KERNEL32.dll::DeleteFileW, KERNEL32.dll::GetSystemDirectoryW, KERNEL32.dll::GetFileAttributesW, KERNEL32.dll::FindFirstFileW
WIN_USER_API       Performs GUI Actions               USER32.dll::CreateWindowExW
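The three BLint findings above all come from two header fields: the DllCharacteristics word of the PE optional header (NX_COMPAT for CHECK_NX, DYNAMIC_BASE for CHECK_PIE) and the Certificate Table entry of the data directory (CHECK_AUTHENTICODE). The following is an added example, not BLint's own code, that reads those fields directly with nothing but struct; the finding IDs are reused from the table above so the output lines up with it, and the header-only PE images produced by build_minimal_pe() are constructed test inputs, not this sample. It goes one step beyond the page's three checks by also flagging DYNAMIC_BASE set on an image whose relocations were stripped, since the loader cannot actually rebase such a file.

```python
"""Added example (not BLint's own code): reproduce the CHECK_AUTHENTICODE,
CHECK_NX and CHECK_PIE findings by parsing the PE optional header directly.
build_minimal_pe() constructs header-only test images; it is not this sample."""
import struct

# IMAGE_DLLCHARACTERISTICS_* bits (optional header, offset 70 in PE32 and PE32+).
DYNAMIC_BASE = 0x0040     # ASLR-capable image (what BLint reports as PIE)
NX_COMPAT = 0x0100        # DEP/NX compatible
HIGH_ENTROPY_VA = 0x0020  # 64-bit ASLR
GUARD_CF = 0x4000         # Control Flow Guard
# IMAGE_FILE_RELOCS_STRIPPED in the COFF Characteristics field.
RELOCS_STRIPPED = 0x0001


def check_pe_hardening(data):
    """Parse the headers and return flags plus BLint-style finding IDs."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    coff_chars = struct.unpack_from("<H", data, coff + 18)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    pe32plus = magic == 0x20B
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    # NumberOfRvaAndSizes is at 92 (PE32) or 108 (PE32+); directories follow it.
    ndirs_off = opt + (108 if pe32plus else 92)
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    cert_off = cert_size = 0
    if ndirs > 4:  # IMAGE_DIRECTORY_ENTRY_SECURITY is index 4
        cert_off, cert_size = struct.unpack_from("<II", data, ndirs_off + 4 + 4 * 8)
    # The security directory holds a file offset, not an RVA; sanity-check it.
    signed = cert_size > 0 and cert_off + cert_size <= len(data)

    findings = []
    if not signed:
        findings.append("CHECK_AUTHENTICODE")
    if not dll_chars & NX_COMPAT:
        findings.append("CHECK_NX")
    if not dll_chars & DYNAMIC_BASE or coff_chars & RELOCS_STRIPPED:
        # DYNAMIC_BASE without a relocation table cannot actually be rebased.
        findings.append("CHECK_PIE")
    return {
        "pe32plus": pe32plus,
        "dll_characteristics": dll_chars,
        "high_entropy_va": bool(dll_chars & HIGH_ENTROPY_VA),
        "guard_cf": bool(dll_chars & GUARD_CF),
        "authenticode_present": signed,
        "findings": findings,
    }


def build_minimal_pe(pe32plus=False, dll_characteristics=0,
                     coff_characteristics=0x0102, cert_size=0):
    """Construct a header-only PE (no sections, no code) to exercise the checker."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew = 64
    opt_size = 240 if pe32plus else 224                 # with 16 data directories
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0,
                       opt_size, coff_characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    ndirs_off = 108 if pe32plus else 92
    struct.pack_into("<I", opt, ndirs_off, 16)
    if cert_size:
        cert_off = len(dos) + 4 + len(coff) + opt_size  # blob appended after headers
        struct.pack_into("<II", opt, ndirs_off + 4 + 4 * 8, cert_off, cert_size)
    return dos + b"PE\0\0" + coff + bytes(opt) + b"\0" * cert_size


if __name__ == "__main__":
    cases = [
        ("unhardened PE32 (same three findings as this entry)", build_minimal_pe()),
        ("hardened PE32+", build_minimal_pe(
            True, NX_COMPAT | DYNAMIC_BASE | HIGH_ENTROPY_VA | GUARD_CF, cert_size=8)),
    ]
    for label, image in cases:
        print(label, check_pe_hardening(image)["findings"])
```

A present certificate table only means a WIN_CERTIFICATE blob is attached; it says nothing about whether the signature verifies or who signed it, so treat "authenticode_present" as a prerequisite for a real chain check (signtool verify or osslsigncode verify), not as a verdict. For a real file, read it with open(path, "rb") and pass the bytes in.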

Comments



zbet commented on 2024-10-12 04:48:52 UTC

url: hxxp://cache.ussc.org/dist/67081de6be937_ParticlerOps.exe