MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0cb44c4f8273750fa40497fca81e850f73927e70b13c8f80cdcfee9d1478e6f3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0cb44c4f8273750fa40497fca81e850f73927e70b13c8f80cdcfee9d1478e6f3
SHA3-384 hash: 9333575bdf0e86f333404daa2b85f4ad9ec185bd5395838fd0bfe60069f9ec0eda0fcb7aa43d4d6b093834c3135cb37c
SHA1 hash: 18a24aa0ac052d31fc5b56f5c0187041174ffc61
MD5 hash: 32f35b78a3dc5949ce3c99f2981def6b
humanhash: december-winter-july-arizona
File name:Preventivo24.01.11.exe
Download: download sample
File size:5'955'744 bytes
First seen:2024-01-23 11:06:48 UTC
Last seen:2024-01-23 14:04:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 36aca8edddb161c588fcf5afdc1ad9fa (2 x ValleyRAT, 1 x PrivateLoader, 1 x RedLineStealer)
ssdeep 98304:7azvMgOJRWT7tRyYsQdTEDdoJr7dJDqpbhUwkasM+u1JfJXibUPHI:7azvMgOJRWT7ukTE5oNqZX1WUA
Threatray 95 similar samples on MalwareBazaar
TLSH T10C569D30B15AC62ED56241F1192CDAAB911D6D3A0F6190DBB3DC7E6F2BB04C35236E27
TrID 68.8% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
12.5% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.4% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 3030113b29555163
Reporter Mangusta
Tags:exe signed UltraVNC vnvariant2024-ddnsfree-com

Code Signing Certificate

Organisation:CodeSigningCert
Issuer:CodeSigningCert
Algorithm:sha256WithRSAEncryption
Valid from:2023-02-28T11:15:47Z
Valid to:2025-02-28T11:25:47Z
Serial number: 12e79e88324ccea94e0358ccb4a75075
Intelligence: 14 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 0c21b06b3ede50f24284ddb567b4370193279f3e59a9a1bb602d9a9c230b4d28
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
3
# of downloads :
356
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://www.dropbox.com/scl/fi/kcs0pwroc060awep6wrtr/Preventivo24.01.11.exe?rlkey=whqooo60ufh3ht7epj0nf6ii4&dl=1
Verdict:
Malicious activity
Analysis date:
2024-01-23 10:58:08 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c6adf0f3-8207-4605-ae70-0ed04c3070d7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/472489/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.71300584.22380.18394.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a process from a recently created file
Creating a file
Running batch commands
Creating a process with a hidden window
Possible injection to a system process
Searching for the window
Creating a window
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Creating a file in the %temp% directory
Launching a process
Modifying a system file
Creating a file in the Windows subdirectories
Enabling autorun
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade
Link:
https://www.filescan.io/uploads/65af9dd887258803c23ca99a/reports/d417038d-5707-4553-9b93-cd82b4f3ca7e/overview
Verdict:
Suspicious
Labled as:
Adware.WebCompanion
Link:
https://www.hybrid-analysis.com/sample/0cb44c4f8273750fa40497fca81e850f73927e70b13c8f80cdcfee9d1478e6f3
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/54edc17e-9f3e-454b-ba62-5c74e1ca43f8
Result
Threat name:
n/a
Detection:
malicious
Classification:
rans.troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1379424
Signature
Contains functionalty to change the wallpaper
Contains VNC / remote desktop functionality (version string found)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Uses cmd line tools excessively to alter registry or file data
Uses netsh to modify the Windows network and firewall settings
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1379424 Sample: Preventivo24.01.11.exe Startdate: 23/01/2024 Architecture: WINDOWS Score: 84 88 www.example.com 2->88 90 vnvariant2024.ddnsfree.com 2->90 100 Snort IDS alert for network traffic 2->100 102 Multi AV Scanner detection for dropped file 2->102 104 Multi AV Scanner detection for submitted file 2->104 13 viewer.exe 1 2->13         started        15 Preventivo24.01.11.exe 73 2->15         started        signatures3 process4 dnsIp5 19 cmd.exe 3 3 13->19         started        98 www.example.com 93.184.216.34, 49705, 80 EDGECASTUS European Union 15->98 80 C:\Users\user\AppData\...\vnchooks.dll, PE32 15->80 dropped 82 C:\Users\user\AppData\Roaming\...\viewer.exe, PE32 15->82 dropped 84 C:\Users\user\AppData\...\taskhost.exe, PE32 15->84 dropped 86 6 other files (none is malicious) 15->86 dropped 22 msiexec.exe 2 15->22         started        file6 process7 signatures8 106 Uses cmd line tools excessively to alter registry or file data 19->106 108 Uses netsh to modify the Windows network and firewall settings 19->108 110 Modifies the windows firewall 19->110 24 viewer.exe 1 19->24         started        26 cmd.exe 1 19->26         started        29 Acrobat.exe 8 63 19->29         started        31 11 other processes 19->31 process9 signatures10 33 cmd.exe 1 24->33         started        118 Uses cmd line tools excessively to alter registry or file data 26->118 35 reg.exe 1 26->35         started        37 AcroCEF.exe 29->37         started        process11 process12 39 cmd.exe 33->39         started        41 viewer.exe 33->41         started        43 cmd.exe 33->43         started        49 8 other processes 33->49 46 AcroCEF.exe 37->46         started        dnsIp13 51 taskhost.exe 39->51         started        55 mode.com 39->55         started        57 netsh.exe 39->57         started        65 3 other processes 39->65 59 cmd.exe 41->59         started        120 Uses cmd line tools excessively to alter registry or file data 43->120 61 reg.exe 43->61         started        96 184.25.164.138, 443, 49725 BBIL-APBHARTIAirtelLtdIN United States 46->96 63 cmd.exe 49->63         started        signatures14 process15 dnsIp16 92 vnvariant2024.ddnsfree.com 140.228.29.110, 49726, 5500 OARNET-ASUS United States 51->92 94 127.0.0.1 unknown unknown 51->94 114 Contains functionalty to change the wallpaper 51->114 116 Contains VNC / remote desktop functionality (version string found) 51->116 67 cmd.exe 59->67         started        70 conhost.exe 59->70         started        72 cmd.exe 59->72         started        76 2 other processes 59->76 74 conhost.exe 63->74         started        signatures17 process18 signatures19 112 Uses cmd line tools excessively to alter registry or file data 67->112 78 reg.exe 67->78         started        process20
Score:
18%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/0cb44c4f8273750fa40497fca81e850f73927e70b13c8f80cdcfee9d1478e6f3
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0cb44c4f8273750fa40497fca81e850f73927e70b13c8f80cdcfee9d1478e6f3/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2024-01-22 12:56:58 UTC
File Type:
PE (Exe)
Extracted files:
288
AV detection:
14 of 38 (36.84%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bs2eyt4con2q7jaes76kqhufb5zze7tqwe6i7agnz7xj2fdy43zq._file
Verdict:
malicious
Similar samples:
03ef188886996b71ebe83d01ebce193443a003f61c85efe495eb3bbd58848a70
0a26a8670ec52d242cad7ac818bae83d38f4e15309334964249886e882192548
28ee91abd2a0efefab3b2e95ffe2ffaecd7ca0cf2a5bc5bf56b6810ba32eafb4
5428dbedf8e4476b2ba746ddbcde0b1104da52a4be9f64e4be0e95102fcc7f12
556b51b8c2e2516235372629d158d6a10e11e4fcbb8e4fa67a3f5a5a54846f08
85bdf691ddbeebf9a11faa642fc7767507014483a7d43ede19406bfe46b8969f
df2853a1bc08e8f9ee97a33a001e84597e85d5834c540d846dce4d4f8183bddd
e7258b68c24a165c0c61f1fe16a15dd642cf118eae9a4405d3d3cee174d1c72e
+ 85 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
evasion
Link:
https://tria.ge/reports/240123-m7zbwsadf5/
Behaviour
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Checks processor information in registry
Delays execution with timeout.exe
Disables Windows logging functionality
Kills process with taskkill
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Enumerates physical storage devices
Drops file in Windows directory
Blocklisted process makes network request
Enumerates connected drives
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Modifies Windows Firewall
Unpacked files
SH256 hash:
dfc3603d63c61d8e6e8e24cfdf76eaa242e70208e935a53a741b9ed650045ef8
MD5 hash:
02b0d311d634723c7c5fe0df4113b211
SHA1 hash:
50167cac905cb5d0aca502b4ebac2fa9ff969b40
Link:
https://www.unpac.me/results/5ea8a67e-5ce5-4eee-8a78-46b3bed3dc06/
SH256 hash:
91b238d8940e6beba6f6d02b91d1e154e6e982cc042541ad6f7841751cf3f4e3
MD5 hash:
8c4941c6312067d64b49f16d0ba574d3
SHA1 hash:
26192888e70e614ea7dc1113c8e8a8f480f00edb
Link:
https://www.unpac.me/results/5ea8a67e-5ce5-4eee-8a78-46b3bed3dc06/
SH256 hash:
0cb44c4f8273750fa40497fca81e850f73927e70b13c8f80cdcfee9d1478e6f3
MD5 hash:
32f35b78a3dc5949ce3c99f2981def6b
SHA1 hash:
18a24aa0ac052d31fc5b56f5c0187041174ffc61
Link:
https://www.unpac.me/results/5ea8a67e-5ce5-4eee-8a78-46b3bed3dc06/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0cb44c4f8273750fa40497fca81e850f73927e70b13c8f80cdcfee9d1478e6f3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:APT_Sandworm_ArguePatch_Apr_2022_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect ArguePatch loader used by Sandworm group for load CaddyWiper
Reference:https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 0cb44c4f8273750fa40497fca81e850f73927e70b13c8f80cdcfee9d1478e6f3

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/472489/
  
URLhaus
https://urlhaus.abuse.ch/url/2750756/
  
Delivery method
Distributed via web download

Comments