MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 21478d3554f1ada7e36de85ad0a31af8f972331b65fdc6a8e5f95fec62f1a36f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 13

Intelligence 13 IOCs YARA 9 File information Comments 1

SHA256 hash:	21478d3554f1ada7e36de85ad0a31af8f972331b65fdc6a8e5f95fec62f1a36f
SHA3-384 hash:	666c19341615bf1f78b45c7b737ebb1299f2daa9a482616ac9ea3a045caab2a876d1845283882c89c2604354fc3f16ec
SHA1 hash:	779ae0126c76b1c871fdf47f4c61d046066bc321
MD5 hash:	890c68babb9ed68c17ac07e192040e6a
humanhash:	kilo-pasta-golf-virginia
File name:	890c68babb9ed68c17ac07e192040e6a
Download:	download sample
File size:	5'676'120 bytes
First seen:	2023-12-11 10:19:59 UTC
Last seen:	2023-12-11 12:42:24 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	edac19bae7a55f5a30336032d0b4ae67
ssdeep	98304:IKG9bCNdB+zndLbahANgmyii5yFsufONDIFlFlAXRmK5LEl:1ybCNyJbahwAyFsuOEfFlAXRpLEl
TLSH	T16C46334A48D7169DC49D22F4119AADFEF1F31DE0A0998E0598B4AFF3ED9380953376C2
TrID	27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 20.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 18.6% (.EXE) Win32 Executable (generic) (4505/5/1) 8.5% (.ICL) Windows Icons Library (generic) (2059/9) 8.3% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	f0f0f0f0f0f2e2e0
Reporter	zbetcheckin
Tags:	32 exe signed

Code Signing Certificate

Organisation:	Logitech H153 Wired Headset Black 2.0 overhead 20 Hz - 20000 Hz 22Ω corded cable - 1.8 m
Issuer:	Logitech H153 Wired Headset Black 2.0 overhead 20 Hz - 20000 Hz 22Ω corded cable - 1.8 m
Algorithm:	sha1WithRSAEncryption
Valid from:	2023-11-23T09:28:27Z
Valid to:	2033-11-24T09:28:27Z
Serial number:	4e042c42f9de688e4a6fc2f84140d4f9
Intelligence:	36 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	53f9f321a834fe6f455d9e9b92b50bd00ea2b7e68b524869c66568534ed981ca
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

317

Origin country :

Vendor Threat Intelligence

Malware family:

amadey

ID:

File name:

https://cli.re/j1E8Kj

Verdict:

Malicious activity

Analysis date:

2023-12-11 09:34:14 UTC

Tags:

lumma stealer loader amadey botnet

Link:

https://app.any.run/tasks/316932fe-a768-44ec-bea1-c190d80f001a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/465005/

Detection(s):

SecuriteInfo.com.Win32.Evo-gen.31449.3391.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for analyzing tools

Searching for the window

Сreating synchronization primitives

Creating a file

Creating a file in the %temp% directory

Running batch commands

Creating a process with a hidden window

Enabling the 'hidden' option for recently created files

Launching a process

Creating a process from a recently created file

Enabling autorun by creating a file

Gathering data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

lolbin overlay packed packed shell32 themidawinlicense vmprotect

Link:

https://www.filescan.io/uploads/6576e2568b5ba47db2dde1b4/reports/55290d49-5de3-4743-bba7-0c162c0e557e/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_70%

Link:

https://www.hybrid-analysis.com/sample/21478d3554f1ada7e36de85ad0a31af8f972331b65fdc6a8e5f95fec62f1a36f

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/483b89bc-dfed-4fe4-be12-c3ba880f1657

Result

Threat name:

MicroClip

Detection:

malicious

Classification:

troj.evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/1358249

Signature

Hides threads from debuggers

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

PE file contains section with special chars

Query firmware table information (likely to detect VMs)

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected MicroClip

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/21478d3554f1ada7e36de85ad0a31af8f972331b65fdc6a8e5f95fec62f1a36f

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/21478d3554f1ada7e36de85ad0a31af8f972331b65fdc6a8e5f95fec62f1a36f/

Threat name:

Win32.Spyware.Lummastealer

Status:

Malicious

First seen:

2023-12-11 10:21:05 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

17 of 23 (73.91%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=efdy2nku6gw2py3n5bnnbiy27d4xemy3mx64nkhf7fp6yyxrunxq._file

Verdict:

unknown

Result

Malware family:

n/a

Score:

9/10

Tags:

evasion themida trojan

Link:

https://tria.ge/reports/231211-mc32labhhl/

Behaviour

Creates scheduled task(s)

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of NtSetInformationThreadHideFromDebugger

Checks whether UAC is enabled

Checks BIOS information in registry

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Themida packer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Unpacked files

SH256 hash:

6851e02d3f4b8179b975f00bbc86602a2f2f84524f548876eb656db7ea5eaa9c

MD5 hash:

c5124caf4aea3a83b63a9108fe0dcef8

SHA1 hash:

a43a5a59038fca5a63fa526277f241f855177ce6

Link:

https://www.unpac.me/results/48858e5d-7561-4b29-8d4f-f868d5700601/

SH256 hash:

f6a9715113a55554e5cafdcc7ac6c0a60abfd7bd634c628f258be129b2674349

MD5 hash:

92f669327dcada494339810462418069

SHA1 hash:

1d0e8482db5262f3a0b698ae92bf2855717e11c0

Detections:

INDICATOR_EXE_Packed_Themida

Link:

https://www.unpac.me/results/48858e5d-7561-4b29-8d4f-f868d5700601/

SH256 hash:

476700b522f1b398f01773d15e500db65a9cc6997a58cff78ab7ba3077f92f7a

MD5 hash:

cf66595a79abf057aa4532668caa9025

SHA1 hash:

a20b4e085180cc79d17346d1f8ad9a63c41b69a8

Detections:

INDICATOR_EXE_Packed_Themida

Link:

https://www.unpac.me/results/48858e5d-7561-4b29-8d4f-f868d5700601/

SH256 hash:

a26a45d7477cb7b5c9eee0f4025de4c2d18bd5f59034acd4a3648bd6d206ab26

MD5 hash:

c993fbcec8415b94cb964236b8c1a42f

SHA1 hash:

3feef20850dda04d0f2e3aa41cdabce10e148e56

Detections:

INDICATOR_EXE_Packed_Themida

Link:

https://www.unpac.me/results/48858e5d-7561-4b29-8d4f-f868d5700601/

SH256 hash:

21478d3554f1ada7e36de85ad0a31af8f972331b65fdc6a8e5f95fec62f1a36f

MD5 hash:

890c68babb9ed68c17ac07e192040e6a

SHA1 hash:

779ae0126c76b1c871fdf47f4c61d046066bc321

Detections:

INDICATOR_EXE_Packed_Themida

Link:

https://www.unpac.me/results/48858e5d-7561-4b29-8d4f-f868d5700601/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/21478d3554f1ada7e36de85ad0a31af8f972331b65fdc6a8e5f95fec62f1a36f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Disable_Defender Create hunting rule
Author:	iam-py-test
Description:	Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name:	HeavensGate Create hunting rule
Author:	kevoreilly
Description:	Heaven's Gate: Switch from 32-bit to 64-mode

Rule name:	INDICATOR_EXE_Packed_Themida Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with Themida

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	maldoc_getEIP_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	vmdetect Create hunting rule
Author:	nex
Description:	Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe 21478d3554f1ada7e36de85ad0a31af8f972331b65fdc6a8e5f95fec62f1a36f

(this sample)

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/2735404/

URLhaus

https://urlhaus.abuse.ch/url/2733619/

URLhaus

https://urlhaus.abuse.ch/url/2737076/

Cape

https://www.capesandbox.com/analysis/465005/

URLhaus

https://urlhaus.abuse.ch/url/2739592/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2023-12-11 10:20:00 UTC

url : hxxp://185.172.128.154/cp.exe