MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0ca5c734d0f935bcb1d2ba2345150127daa31d05dc7b3363a2b5215de83ab16f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 5



SHA256 hash: 0ca5c734d0f935bcb1d2ba2345150127daa31d05dc7b3363a2b5215de83ab16f
SHA3-384 hash: 2c4163b061550119bb5f6354d86b30f50b79865aaf92de76b7725a5cb249e2ac1296549f99628f24058ac0d76169e92d
SHA1 hash: e5f24f53a240d272898c0fb840609ff33b65e418
MD5 hash: ce57bbd49b5d3ba057486622d07fd6d4
humanhash: wyoming-mirror-music-island
File name: revolut_account_creator.exe
File size: 7'815'698 bytes
First seen: 2022-09-11 13:50:39 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 389cdcc6d21e4b58a857eadddc380162
ssdeep: 196608:4yAKcnqbtSycjZcsubdF22NjUPp5gRusZaThi:HAKklycjMGgFx
Threatray: 8'693 similar samples on MalwareBazaar
TLSH: T11276338829943A7ADB4DC7F956B40824170BB87F40CB905C9FB3E9D109137EC5AAFB58
TrID:
  45.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
  18.3% (.EXE) OS/2 Executable (generic) (2029/13)
  18.0% (.EXE) Generic Win/DOS Executable (2002/3)
  18.0% (.EXE) DOS Executable Generic (2000/1)
Reporter: Anonymous
Tags: exe

Intelligence

File Origin
# of uploads: 1
# of downloads: 341
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: revolut_account_creator.exe
Verdict: No threats detected
Analysis date: 2022-09-11 13:56:05 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.

Result
Verdict: Clean
Maliciousness:
Behaviour: Searching for the window
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: overlay packed setupapi.dll
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signatures:
Hides threads from debuggers
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
PE file contains section with special chars
Performs DNS queries to domains with low reputation
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sets debug register (to hijack the execution of another thread)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Behaviour
Behavior Graph (ID 700993; sample revolut_account_creator.exe; start date 11/09/2022; architecture WINDOWS; score 100): the graph rendering is not reproduced here. Recoverable nodes: revolut_account_creator.exe resolves fasfsafas.xyz (188.114.97.3, port 443, CLOUDFLARENETUS, European Union) and 127.0.0.1 (unknown); drops C:\Users\user\AppData\Local\...\1310337b.dll (PE32+); starts several cmd.exe instances, which in turn start WMIC.exe and findstr.exe (WMI queries against Win32_VideoController, Win32_PhysicalMemory and Win32_PnPEntity, flagged as likely virtual-machine detection), plus further processes not individually listed in the graph.
Result
Malware family: n/a
Score: 9/10
Tags: evasion trojan
Behaviour:
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Checks BIOS information in registry
Loads dropped DLL
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Unpacked files
SHA256 hash: 0ca5c734d0f935bcb1d2ba2345150127daa31d05dc7b3363a2b5215de83ab16f
MD5 hash: ce57bbd49b5d3ba057486622d07fd6d4
SHA1 hash: e5f24f53a240d272898c0fb840609ff33b65e418
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments