MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1a4fb00dd58138f058c1dce7f1e2d8e9a3682e21e314d2b5d2618c4ebad5a939. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1a4fb00dd58138f058c1dce7f1e2d8e9a3682e21e314d2b5d2618c4ebad5a939
SHA3-384 hash: 92556376f6e4a35ecf0ec9fd32f985d12da1bf2c2e5afc879230612629d47c0ccb36d2b88ad25df8580b455f1c9c36e5
SHA1 hash: 4063a434ec504cc5f808e766b21d0d32d43f5715
MD5 hash: bc6a35107c6d2cc2ec746897799b9164
humanhash: lactose-magnesium-glucose-missouri
File name:bc6a35107c6d2cc2ec746897799b9164.exe
Download: download sample
File size:4'177'120 bytes
First seen:2023-12-07 17:05:42 UTC
Last seen:2023-12-07 18:18:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 98531db40515fb8043e9239e78cac583
ssdeep 98304:YlLtxhLPSLPB+z2GpPNcjOcPB0o2D6buoDMOOzinbYOLj:Yl5zip+tpNcno6byOFPH
TLSH T16C1633D6DAACA281DA3382708E70164B4D272E32769837F91F1F93D01F50FE59F25692
TrID 32.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
28.9% (.EXE) Win32 Executable (generic) (4505/5/1)
13.0% (.EXE) OS/2 Executable (generic) (2029/13)
12.8% (.EXE) Generic Win/DOS Executable (2002/3)
12.8% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon c886ecdcdcc8e0b2 (1 x PrivateLoader, 1 x RiseProStealer, 1 x Neshta)
Reporter abuse_ch
Tags:exe signed

Code Signing Certificate

Organisation:Intel Core i5-13400 Raptor Lake-S LGA1700
Issuer:Intel Core i5-13400 Raptor Lake-S LGA1700
Algorithm:sha512WithRSAEncryption
Valid from:2023-10-07T06:29:26Z
Valid to:2026-02-17T00:00:00Z
Serial number: 5fbe9c93611c9e43b98e02278e890ad3
Intelligence: 4 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: e175355885ce0b768bbd4caeb7f0dd3d630062558e66dccadcb14ab993b0b169
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
303
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/463331/
Detection(s):
SecuriteInfo.com.Win32.BankerX-gen.12292.12576.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for analyzing tools
Searching for the window
Сreating synchronization primitives
Creating a file
Creating a file in the %temp% directory
Enabling the 'hidden' option for recently created files
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a process from a recently created file
Sending a custom TCP request
Enabling autorun by creating a file
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
89%
Tags:
lolbin overlay packed packed shell32 themidawinlicense
Link:
https://www.filescan.io/uploads/6571fb8047603edff3334671/reports/49aed796-65a5-4510-ba37-93a6991dbc3a/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/1a4fb00dd58138f058c1dce7f1e2d8e9a3682e21e314d2b5d2618c4ebad5a939
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cbfd51cd-1aa1-452c-9f58-cac998300048
Result
Threat name:
MicroClip
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1355663
Signature
Hides threads from debuggers
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected MicroClip
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1355663 Sample: 5YHnqvKDY8.exe Startdate: 07/12/2023 Architecture: WINDOWS Score: 92 34 Multi AV Scanner detection for submitted file 2->34 36 Yara detected MicroClip 2->36 38 PE file contains section with special chars 2->38 9 5YHnqvKDY8.exe 4 2->9         started        13 XRJNZC.exe 2->13         started        15 XRJNZC.exe 2->15         started        17 3 other processes 2->17 process3 file4 32 C:\ProgramData\pinterests\XRJNZC.exe, PE32 9->32 dropped 48 Query firmware table information (likely to detect VMs) 9->48 50 Hides threads from debuggers 9->50 52 Tries to detect sandboxes / dynamic malware analysis system (registry check) 9->52 19 cmd.exe 1 9->19         started        54 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 13->54 signatures5 process6 process7 21 XRJNZC.exe 3 19->21         started        24 conhost.exe 19->24         started        26 timeout.exe 1 19->26         started        signatures8 40 Multi AV Scanner detection for dropped file 21->40 42 Query firmware table information (likely to detect VMs) 21->42 44 Tries to detect sandboxes and other dynamic analysis tools (window names) 21->44 46 3 other signatures 21->46 28 schtasks.exe 1 21->28         started        process9 process10 30 conhost.exe 28->30         started       
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/1a4fb00dd58138f058c1dce7f1e2d8e9a3682e21e314d2b5d2618c4ebad5a939
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1a4fb00dd58138f058c1dce7f1e2d8e9a3682e21e314d2b5d2618c4ebad5a939/
Threat name:
Win32.Spyware.Lummastealer
Create hunting rule
Status:
Malicious
First seen:
2023-12-06 18:03:17 UTC
File Type:
PE (Exe)
Extracted files:
13
AV detection:
18 of 22 (81.82%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=djh3adovqe4pawgb3tt7dywy5grwqlrb4mknfnosmgge5owvve4q._file
Verdict:
unknown
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion themida trojan
Link:
https://tria.ge/reports/231207-vm9acsea64/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Themida packer
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Unpacked files
SH256 hash:
6851e02d3f4b8179b975f00bbc86602a2f2f84524f548876eb656db7ea5eaa9c
MD5 hash:
c5124caf4aea3a83b63a9108fe0dcef8
SHA1 hash:
a43a5a59038fca5a63fa526277f241f855177ce6
Link:
https://www.unpac.me/results/7753eb11-f98d-4cfb-96d7-c2afbcbb0f0f/
SH256 hash:
2ee70ef8716d559aeac3ffe748499c40485f87e35635f3ab530b05b88e713709
MD5 hash:
699a5aab1d45af01cc5d285f5c98e03b
SHA1 hash:
a4721d48f89247135405f7b0ad7b481a8547d7e3
Detections:
INDICATOR_EXE_Packed_Themida
Create hunting rule
Link:
https://www.unpac.me/results/7753eb11-f98d-4cfb-96d7-c2afbcbb0f0f/
SH256 hash:
bb44fd5f87dff8c37559f7fc40cc1b7392919b679f84aa6292cc2e9d160667cd
MD5 hash:
19a2ae4afdbf3b6dbd023ab85b676d64
SHA1 hash:
13a5d01a1d74460ff050a41b60f2ea78a6db1edf
Detections:
INDICATOR_EXE_Packed_Themida
Create hunting rule
Link:
https://www.unpac.me/results/7753eb11-f98d-4cfb-96d7-c2afbcbb0f0f/
SH256 hash:
f561181fbbefb2ae69524a09f0e8ce76fe7b9b1d6a638aa3a61a61e21426e1e5
MD5 hash:
736cf9e2e572e28aeeaa529f72d05162
SHA1 hash:
705dd2571324fd4e618ede95b143cd70846ebc9e
Detections:
INDICATOR_EXE_Packed_Themida
Create hunting rule
Link:
https://www.unpac.me/results/7753eb11-f98d-4cfb-96d7-c2afbcbb0f0f/
SH256 hash:
1a4fb00dd58138f058c1dce7f1e2d8e9a3682e21e314d2b5d2618c4ebad5a939
MD5 hash:
bc6a35107c6d2cc2ec746897799b9164
SHA1 hash:
4063a434ec504cc5f808e766b21d0d32d43f5715
Detections:
INDICATOR_EXE_Packed_Themida
Create hunting rule
Link:
https://www.unpac.me/results/7753eb11-f98d-4cfb-96d7-c2afbcbb0f0f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.68
Link:
https://yomi.yoroi.company/submissions/1a4fb00dd58138f058c1dce7f1e2d8e9a3682e21e314d2b5d2618c4ebad5a939

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:HeavensGate
Create hunting rule
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 1a4fb00dd58138f058c1dce7f1e2d8e9a3682e21e314d2b5d2618c4ebad5a939

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2733619/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2737076/
  
URLhaus
https://urlhaus.abuse.ch/url/2735404/
Cape
Cape
https://www.capesandbox.com/analysis/463331/

Comments