MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1b7cffb25778e9fd9c6e5f2622e6bd7a05dfd721aef908bcc4b16ccda1a74d23. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1b7cffb25778e9fd9c6e5f2622e6bd7a05dfd721aef908bcc4b16ccda1a74d23
SHA3-384 hash: 885784da2423742d83b1634088c443218ac674a547fa2f7334d54546d04b2baef481853eca25658b4330227bb1a195d1
SHA1 hash: 7c44a1de027ba8ae00248e30cc4ff9e3c0142438
MD5 hash: 20941aee4f8dbd27171226574df513d3
humanhash: bakerloo-mexico-south-romeo
File name:VirtControl
Download: download sample
File size:22'839'312 bytes
First seen:2025-03-22 11:25:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f4639a0b3116c2cfc71144b88a929cfd (115 x GuLoader, 55 x Formbook, 40 x VIPKeylogger)
ssdeep 393216:GUQjim0Q77FQv8wsxNPjx+YhtHkmpvzC0yfGj+Q9MOa4NPAGI8/kZep1kahQ5G:GXcvC7gQH5r+AxxR/kZeV1
TLSH T1FE37336E54452993FAE1FB7293F4097D8B2B42E561EA780E074CBB041ACF7E1BC45D28
TrID 37.3% (.EXE) Win64 Executable (generic) (10522/11/4)
17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
15.9% (.EXE) Win32 Executable (generic) (4504/4/1)
7.3% (.ICL) Windows Icons Library (generic) (2059/9)
7.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
dhash icon 494949496d6d6d6d
Reporter SquiblydooBlog
Tags:exe signed Sinyoo Technology (Wuxi) Co Ltd

Code Signing Certificate

Organisation:Sinyoo Technology (Wuxi) Co., Ltd.
Issuer:GlobalSign GCC R45 EV CodeSigning CA 2020
Algorithm:sha256WithRSAEncryption
Valid from:2025-02-07T07:29:49Z
Valid to:2026-02-08T07:29:49Z
Serial number: 5c5a8861e945052570898682
Cert Graveyard Blocklist:This certificate is on the Cert Graveyard blocklist
Thumbprint Algorithm:SHA256
Thumbprint: 1697a2f9330b933cacd1ac0d9876f17beac7988fe78b8bf03002247e14924013
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
524
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
VirtControl
Verdict:
Malicious activity
Analysis date:
2025-03-22 11:26:03 UTC
Tags:
python arch-exec arch-doc
Link:
https://app.any.run/tasks/ef91b094-ca85-43b7-9e59-458ca2a0a1b2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67de9e1f518d210202e7e822
Tags:
vmdetect extens virus sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file
Creating a file in the %temp% subdirectories
Searching for the Windows task manager window
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Launching a process
Сreating synchronization primitives
Searching for synchronization primitives
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
adaptive-context installer microsoft_visual_cc overlay signed
Link:
https://www.filescan.io/uploads/67de9e52a175d3177344d45a/reports/e78ba875-3830-459c-a2dd-cf7ca3b342b8/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/1b7cffb25778e9fd9c6e5f2622e6bd7a05dfd721aef908bcc4b16ccda1a74d23
Result
Verdict:
UNKNOWN
Result
Threat name:
n/a
Detection:
suspicious
Classification:
expl.evad
Score:
38 / 100
Link:
https://www.joesandbox.com/analysis/1645756
Signature
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Obfuscated command line found
Reads the Security eventlog
Reads the System eventlog
Sigma detected: Dot net compiler compiles file from suspicious location
Suspicious powershell command line found
Uses whoami command line tool to query computer and username
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1645756 Sample: VirtControl.exe Startdate: 22/03/2025 Architecture: WINDOWS Score: 38 96 web-app.dasik14289.workers.dev 2->96 98 floral-paper-8eb1.pihara4672.workers.dev 2->98 104 Malicious sample detected (through community Yara rule) 2->104 106 Sigma detected: Dot net compiler compiles file from suspicious location 2->106 10 VirtControl.exe 2 38 2->10         started        13 mnt.exe 2->13         started        15 msiexec.exe 2->15         started        signatures3 process4 file5 86 C:\Users\user\AppData\Local\...\nsis7z.dll, PE32 10->86 dropped 88 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 10->88 dropped 90 C:\ProgramData\Microsoft\...\mnt.exe, PE32 10->90 dropped 92 8 other files (none is malicious) 10->92 dropped 17 7za.exe 251 10->17         started        20 unicodedata.exe 10->20         started        24 gpg.exe 4 10->24         started        32 8 other processes 10->32 26 cmd.exe 13->26         started        28 conhost.exe 13->28         started        30 msiexec.exe 1 1 15->30         started        process6 dnsIp7 66 C:\ProgramData\Microsoft\...\unicodedata.exe, PE32+ 17->66 dropped 68 C:\ProgramData\Microsoft\...\get-process.py, Python 17->68 dropped 70 C:\ProgramData\Microsoft\...\mnt.exe, PE32 17->70 dropped 82 83 other files (none is malicious) 17->82 dropped 34 conhost.exe 17->34         started        100 floral-paper-8eb1.pihara4672.workers.dev 172.67.176.175, 443, 49734, 49735 CLOUDFLARENETUS United States 20->100 72 C:\Users\user\AppData\...\drdeyrgl.cmdline, Unicode 20->72 dropped 108 Uses whoami command line tool to query computer and username 20->108 110 Reads the Security eventlog 20->110 112 Reads the System eventlog 20->112 36 csc.exe 20->36         started        51 2 other processes 20->51 74 C:\ProgramData\Microsoft\...\7za.dll, PE32+ 24->74 dropped 39 conhost.exe 24->39         started        114 Suspicious powershell command line found 26->114 116 Obfuscated command line found 26->116 41 powershell.exe 26->41         started        45 WmiPrvSE.exe 30->45         started        76 C:\Users\user\AppData\Local\...\MSIC153.tmp, PE32 32->76 dropped 78 C:\Users\user\AppData\Local\...\MSIC058.tmp, PE32 32->78 dropped 80 C:\ProgramData\Microsoft\...\7za.exe, PE32+ 32->80 dropped 47 conhost.exe 32->47         started        49 conhost.exe 32->49         started        53 5 other processes 32->53 file8 signatures9 process10 dnsIp11 84 C:\Users\user\AppData\Local\...\drdeyrgl.dll, PE32 36->84 dropped 55 conhost.exe 36->55         started        57 cvtres.exe 36->57         started        102 web-app.dasik14289.workers.dev 104.21.0.93, 443, 49768, 49770 CLOUDFLARENETUS United States 41->102 118 Uses whoami command line tool to query computer and username 41->118 120 Loading BitLocker PowerShell Module 41->120 59 csc.exe 41->59         started        62 whoami.exe 41->62         started        file12 signatures13 process14 file15 94 C:\Users\user\AppData\Local\...\nxfh4hml.dll, PE32 59->94 dropped 64 cvtres.exe 59->64         started        process16
Score:
22%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/1b7cffb25778e9fd9c6e5f2622e6bd7a05dfd721aef908bcc4b16ccda1a74d23
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dn6p7msxpdu73hdol4tcfzv5pic57vzbv34qrpgewfwm3inhjurq._file
Result
Malware family:
n/a
Score:
  6/10
Tags:
discovery persistence
Link:
https://tria.ge/reports/250322-njxc3a11ay/
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Executes dropped EXE
Launches sc.exe
Loads dropped DLL
Adds Run key to start application
Blocklisted process makes network request
Enumerates connected drives
Gathering data
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1b7cffb25778e9fd9c6e5f2622e6bd7a05dfd721aef908bcc4b16ccda1a74d23

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_TRUST_INFORequires Elevated Execution (level:requireAdministrator)high
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExW
SHELL32.dll::SHFileOperationW
SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetDiskFreeSpaceW
KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileW
KERNEL32.dll::MoveFileExW
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegDeleteKeyW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuW
USER32.dll::EmptyClipboard
USER32.dll::FindWindowExW
USER32.dll::OpenClipboard
USER32.dll::PeekMessageW
USER32.dll::CreateWindowExW

Comments