MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1b242c3226a5109e972f7cc2c64385f8f1fe128c67ebaa2f676dff4a18ba2dda. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Lucifer


Vendor detections: 15


Intelligence 15 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1b242c3226a5109e972f7cc2c64385f8f1fe128c67ebaa2f676dff4a18ba2dda
SHA3-384 hash: e49a88fffdd1a722575509943995cbd2e0c663c1d87742f4d4ac199a5d0a8e94566443d95972f24c5a314f25f70bc9df
SHA1 hash: 37485d960a2d54c3747fccbcb9e49f144ff9ac36
MD5 hash: f3bf7d6b65e792931e13f61c6617e233
humanhash: connecticut-zebra-neptune-vegan
File name:Chrome Browser Update.exe
Download: download sample
Signature Lucifer
Create hunting rule
File size:1'270'784 bytes
First seen:2024-12-13 16:01:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:RgyrqgUKW/PRS7yyoU3V8bqfvdhoqvFet52ULcHU4cP4Pg3wFOI9:CoeKsE7y3M8bqndhvwt52UA04pxT
Threatray 21 similar samples on MalwareBazaar
TLSH T12845689026E98705D42C46B225A8F9F412ADFD5CA411DD8F2AF5FB9BB433B1FCA03542
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
File icon (PE):PE icon
dhash icon 70d4aacccc8ac460 (8 x AsyncRAT, 2 x QuasarRAT, 1 x njrat)
Reporter Anonymous
Tags:exe Lucifer

Intelligence

File Origin
# of uploads :
1
# of downloads :
403
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Chrome Browser Update.exe
Verdict:
Malicious activity
Analysis date:
2024-12-13 16:06:52 UTC
Tags:
evasion stealer loader arch-doc
Link:
https://app.any.run/tasks/bad6f77e-9c75-4666-bf07-fdfe650815a1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.BackDoor.AgentTeslaNET.37.5076.23221.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=675c5b8d8fb73f13afc2cbd1
Tags:
trojan micro zeus word
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for synchronization primitives
Creating a window
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Restart of the analyzed sample
Creating a file
DNS request
Connection attempt
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a process from a recently created file
Connection attempt to an infection source
Sending an HTTP GET request to an infection source
Unauthorized injection to a recently created process
Moving of the original file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Query of malicious DNS domain
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed packed packer_detected vbnet
Link:
https://www.filescan.io/uploads/675c5a7ece802924eba6e811/reports/fdde4d8e-0f84-45f8-9d63-79896ef596f6/overview
Verdict:
Malicious
Labled as:
Ser.Jalapeno.Generic
Link:
https://www.hybrid-analysis.com/sample/1b242c3226a5109e972f7cc2c64385f8f1fe128c67ebaa2f676dff4a18ba2dda
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Lucifer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ee449e07-343a-4590-b7c1-27e220d668e7
Result
Threat name:
Predator
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1574834
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Antivirus detection for URL or domain
Found malware configuration
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Moves itself to temp directory
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Predator
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1574834 Sample: Chrome Browser Update.exe Startdate: 13/12/2024 Architecture: WINDOWS Score: 100 73 gomotest.premiumprotectiondis.org 2->73 75 ip-api.com 2->75 81 Suricata IDS alerts for network traffic 2->81 83 Found malware configuration 2->83 85 Malicious sample detected (through community Yara rule) 2->85 87 14 other signatures 2->87 9 Chrome Browser Update.exe 7 2->9         started        13 gcTcgzuHVAXxwZ.exe 2->13         started        15 update_241311.exe 2->15         started        17 update_241311.exe 2->17         started        signatures3 process4 file5 65 C:\Users\user\AppData\...\gcTcgzuHVAXxwZ.exe, PE32 9->65 dropped 67 C:\...\gcTcgzuHVAXxwZ.exe:Zone.Identifier, ASCII 9->67 dropped 69 C:\Users\user\AppData\Local\Temp\tmp2DB.tmp, XML 9->69 dropped 71 C:\Users\...\Chrome Browser Update.exe.log, ASCII 9->71 dropped 101 Adds a directory exclusion to Windows Defender 9->101 103 Injects a PE file into a foreign processes 9->103 19 Chrome Browser Update.exe 16 23 9->19         started        24 powershell.exe 23 9->24         started        26 powershell.exe 22 9->26         started        34 2 other processes 9->34 105 Multi AV Scanner detection for dropped file 13->105 107 Machine Learning detection for dropped file 13->107 28 gcTcgzuHVAXxwZ.exe 13->28         started        30 schtasks.exe 13->30         started        32 gcTcgzuHVAXxwZ.exe 13->32         started        36 2 other processes 15->36 38 2 other processes 17->38 signatures6 process7 dnsIp8 77 gomotest.premiumprotectiondis.org 190.90.160.172, 49739, 49748, 49801 GTDCOLOMBIASASCO Colombia 19->77 79 ip-api.com 208.95.112.1, 49733, 49735, 49737 TUT-ASUS United States 19->79 59 C:\Users\user\AppData\Local\Temp\Zip.exe, PE32 19->59 dropped 61 C:\Users\user\Desktop61ewtonsoft.Json.dll, PE32 19->61 dropped 63 C:\Users\user\AppData\...63ewtonsoft.Json.dll, PE32 19->63 dropped 89 Moves itself to temp directory 19->89 91 Tries to steal Mail credentials (via file / registry access) 19->91 40 Zip.exe 19->40         started        93 Loading BitLocker PowerShell Module 24->93 43 conhost.exe 24->43         started        45 WmiPrvSE.exe 24->45         started        47 conhost.exe 26->47         started        95 Tries to harvest and steal browser information (history, passwords, etc) 28->95 49 conhost.exe 30->49         started        51 conhost.exe 34->51         started        53 conhost.exe 36->53         started        55 conhost.exe 38->55         started        file9 signatures10 process11 signatures12 97 Multi AV Scanner detection for dropped file 40->97 99 Machine Learning detection for dropped file 40->99 57 conhost.exe 49->57         started        process13
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/1b242c3226a5109e972f7cc2c64385f8f1fe128c67ebaa2f676dff4a18ba2dda
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1b242c3226a5109e972f7cc2c64385f8f1fe128c67ebaa2f676dff4a18ba2dda/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2024-12-13 16:02:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
73
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dmscymrguuij5fzpptbmmq4f7dy74eumm7v2ul3hnx7uugf2fxna._file
Verdict:
malicious
Label(s):
unknown_loader_037
Create hunting rule
Similar samples:
50087b010b52ec07a7f52a85b56dc43041aae17b428e6b0af3d52d797d427682
Lucifer
7a31e73a61251309c51a343c14af5149915110c0f818747f7de78344739f21c5
Lucifer
acfb69abba1ac633b684bfbd5a90212aecd15d5f571a6cb2fb75463e4ad02534
Lucifer
b35b2cdd55c218208aaf1848f827c0a82d6b4886ef21b2611ef834914cf48f8b
Lucifer
d30d43ea8f103340a2307145035f404873d3d345f310dbeba6fa20f85d3fb790
Lucifer
ec0c57ee02c554f4d9120e583ae49741d7699f6e893434c6de082fd7cf504b17
Lucifer
error
Lucifer
+ 11 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
collection discovery execution persistence spyware stealer
Link:
https://tria.ge/reports/241213-tgryfsvpfm/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Drops desktop.ini file(s)
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Verdict:
Malicious
Tags:
External_IP_Lookup
YARA:
n/a
Link:
https://app.threat.zone/submission/4c22acbf-2ea2-4ff9-9391-ecc21dcc6964
Unpacked files
SH256 hash:
41bb07763250248ddd7273e9c2be51f095a4ad6cadb513bf186c92e5804e4d82
MD5 hash:
3331f4e716921b0a3710ef0291958254
SHA1 hash:
e5661e224e52476e0c463fae38e1c40fd3a40c16
Link:
https://www.unpac.me/results/e80ed872-bc35-4c7d-ab4c-b110852a014f/
SH256 hash:
ac339deed84cafab79d2a4bc7b232849a0232b2664dbd56c12b5c90e90a91c32
MD5 hash:
f532e03f70df6dd099be185f501d9fe0
SHA1 hash:
a637e7559d9e4963b74ce29bdf30dc4632e574f2
Link:
https://www.unpac.me/results/e80ed872-bc35-4c7d-ab4c-b110852a014f/
SH256 hash:
2fef79874cf9f038ce2e6892c03dea1cc23f39a1cebe6500beac276e0d00494b
MD5 hash:
77f472c207ec2cc123c04633607a4e61
SHA1 hash:
7b905cd11273520effaaf18642dce6f92e933b61
Detections:
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/e80ed872-bc35-4c7d-ab4c-b110852a014f/
Parent samples :
227a47ab69a3e27af957a15c776726f2ba7983cc02dd6031d8c057ec3f915c9a
0ecf60ff337dc16beed8a7faff49d2992ef4fe0f4c76ffc07457a011b382da90
123afb912a466e9b9df29889e95595a3a38d8494d5a284a174ec44c243ea311d
015bd9fdf0c4d73684a6b6349fbdda67ba243e0f78923e1d9b4f535b5832b04a
8c9ecbc59525eb2696bc09eef4a3e15df74be78bf378594fb204349bc949edab
cefa40083339d42320bc1f9ba33c578b8abe47e15eb0dd6b0ba2f734aa8f3d6d
7de234e703b36c03b4952a55b0b00112d2bac77b5106225bf28d4fbb7154e049
d30d43ea8f103340a2307145035f404873d3d345f310dbeba6fa20f85d3fb790
bcdee41502d32ac1f8b9ef98a25047a18550caf4947cb8111c2276cabb106149
ec0c57ee02c554f4d9120e583ae49741d7699f6e893434c6de082fd7cf504b17
9b1796dd7887612da304445be63506b9677ba72c84f727d74ca5cabc5771d675
264363a6ad5f6720663cd201f8037f0c6f3bfda8216bb8f975e7df9fd9c699b9
8f382b44be98d01413be1f9dc3221e6565e35d73fe41a94f9727b9ce4c71d6c9
50087b010b52ec07a7f52a85b56dc43041aae17b428e6b0af3d52d797d427682
5ca92658980b5d1f46f53d78202bd40e442163622e2edb5220046f74e5748945
cd676542bbeac4ff5dea88783c4e93b89971bdf60eaa04128f1d36078a4c2ad4
7bc91b9cdac45afdf50b3d0172e853c20d2040ceeca205bf2fbce469e12bfa88
50b149ecd824e894ea0702c35f1c693cf8a44a664ae3895b97330b8e5d7de21c
50e5353cf814e1f75d7c18a99c897670905b7e119d5d02cb532e0466819d68ba
7a31e73a61251309c51a343c14af5149915110c0f818747f7de78344739f21c5
120a2be02a522354992cb67454631495bc3116385e14cc77448444cb5176178f
27a97b69d2d9ea5dfcbf049ecd2796b25027cbe5c827da030cbf0ce1aeba5e35
4d968bf8e1e18956b459f9fce7e574cdee06e48559bc107ef42cec7777d58991
51717d0028159660daf45caf1db519581acda095d1fd2e49380abaa09c208e72
6bf4d235aec53cebe445d895500e0b9f15a9a245a078bbd49a65373371227f70
325c502174ac471c5b880cc4672193ca5ee66c94b22dad9831fd415853c7023b
752b6b1cff0314248ea1dc2f2ee4a3c8fdf9ed49da3dee49cb128a0e7ef98bc9
647c7306c455afa936e4e7b24cf8b676c9bde8e824089e397347ace6e3de793a
1b242c3226a5109e972f7cc2c64385f8f1fe128c67ebaa2f676dff4a18ba2dda
1d409e94b935c68a4b4841a1b2e05c6abf1ea827c419eab8bf3ee23229574160
b71fb82589e3532a9390352bc87f7c2edc2cd7fae723fe203500350a31559e17
4c839863452a16a4d99b13065cf93b09547d04b86ba649a8b40976122ff67a74
2a8afcd73b04e7a6285d428d348753b5d4e91e8e0c62ec44a1e54f678923dc0c
d025bba170b25ae8d8fa113ff1c1ec0280f56ffc742ebaddeba285af3f704256
db1d735638bab763d8e3fcab6055873556fa4f7b9437f99cd594400839c077c5
72d3358ea74f770930e44d382a00387f1451399ef01a513d11ef80ba2f9da653
f2675f59a65add81d32683e6ec1a2aec2c37547df4ef331c21b5f498ccee7897
e14cf1238643d04a93157a0416329f7f8b08a9ceff996b870be593df328d6953
2e0e7afdab8ca0ee49b2e3df7d9c8c3ff3f38d615fa114bd9dd06b8705842d5b
3240d336a0955bb3bcaac9f177a7dfa3c6a06e302c37fcc1c83d26ed8c283160
e0e53651961939af9ea23e40529bec8418f5915d4a7faa23184adc4febb81b92
580d408a0d3f6bca3bf2ee5ed847e4eefb32eedf4941870109b78674d60da7e0
SH256 hash:
ed310cfdf4b0c24a86b5f1c0ecdb15a5b7cc0e2af5ebc290fc0af4d8124ef298
MD5 hash:
aaf62efe97735a88694ea59d3cd9a925
SHA1 hash:
51422a211b59675eb0b0b7e96209d584455eaa37
Detections:
INDICATOR_SUSPICIOUS_EXE_References_VPN
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Link:
https://www.unpac.me/results/e80ed872-bc35-4c7d-ab4c-b110852a014f/
Parent samples :
1b242c3226a5109e972f7cc2c64385f8f1fe128c67ebaa2f676dff4a18ba2dda
ed310cfdf4b0c24a86b5f1c0ecdb15a5b7cc0e2af5ebc290fc0af4d8124ef298
SH256 hash:
721beba0cd124bae9157b9fb135d16f1feb46162e7b3abe9611c8c7f064f8c31
MD5 hash:
55704e3cd9c3174fce694dc1233fcf17
SHA1 hash:
4a5607691b9c188efd1f9dedcf99ba6b380852c7
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/e80ed872-bc35-4c7d-ab4c-b110852a014f/
SH256 hash:
1b242c3226a5109e972f7cc2c64385f8f1fe128c67ebaa2f676dff4a18ba2dda
MD5 hash:
f3bf7d6b65e792931e13f61c6617e233
SHA1 hash:
37485d960a2d54c3747fccbcb9e49f144ff9ac36
Link:
https://www.unpac.me/results/e80ed872-bc35-4c7d-ab4c-b110852a014f/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1b242c3226a5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments