MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 289318d37312b17e1bc9240fe8055167502da2977e2722e64bf72a2bb9029d59. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 10

Intelligence 10 IOCs YARA 5 File information Comments

SHA256 hash:	289318d37312b17e1bc9240fe8055167502da2977e2722e64bf72a2bb9029d59
SHA3-384 hash:	b63630a7aa40aed728d62634d464dfa2686f82504598e25559912d73ad1d5d88ce7888b4f347195e15e8f3f3e9bcd661
SHA1 hash:	0ea97381ed6bc644f27da29a73b9f7d8c79ce468
MD5 hash:	4a7ea0c5bf309dc0391e00d0eb604ceb
humanhash:	thirteen-carpet-stream-seven
File name:	289318d37312b17e1bc9240fe8055167502da2977e2722e64bf72a2bb9029d59
Download:	download sample
File size:	4'422'760 bytes
First seen:	2024-10-03 08:11:20 UTC
Last seen:	2024-11-29 09:44:50 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	483f0c4259a9148c34961abbda6146c1 (17 x ValleyRAT, 8 x AsyncRAT, 7 x QuasarRAT)
ssdeep	98304:Iqzz0PuS6+nNbr8kgAixclc++HCXDAK39UJGjO:IcYPf6fNxic+yCzAQpO
TLSH	T17026230EA6833131EC3B613555E6C0686E027CB519D765262EFBFE1F2A793D13C726A0
TrID	74.1% (.EXE) Inno Setup installer (107240/4/30) 9.8% (.EXE) Win32 Executable Delphi generic (14182/79/4) 7.2% (.EXE) Win64 Executable (generic) (10523/12/4) 3.1% (.EXE) Win32 Executable (generic) (4504/4/1) 1.4% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika	pebin
File icon (PE):
dhash icon	8686b6ae96ecaae6
Reporter	JAMESWT_WT
Tags:	49-12-117-119 89-23-96-126 Binary Intellect Ltd D3Fck Loader exe signed

Code Signing Certificate

Organisation:	Binary Intellect Ltd
Issuer:	SSL.com EV Code Signing Intermediate CA RSA R3
Algorithm:	sha256WithRSAEncryption
Valid from:	2024-05-29T16:05:09Z
Valid to:	2025-05-29T16:05:09Z
Serial number:	60fac7dea1d94581674a68276485fcc5
Intelligence:	3 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Central Blocklist:	This certificate is on the Cert Central blocklist
Thumbprint Algorithm:	SHA256
Thumbprint:	ae66975744ccebdc6243fc2d5b8b44a752fdd573fdbd85f20691238d5ac7c27b
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

192

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

289318d37312b17e1bc9240fe8055167502da2977e2722e64bf72a2bb9029d59

Verdict:

Malicious activity

Analysis date:

2024-10-03 08:14:45 UTC

Tags:

telegram adware innosetup loader lumma stealer

Link:

https://app.any.run/tasks/d89bdb6e-445e-4697-a2d7-e34e92dafa3e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Adware.Siggen.31863.24335.23560.UNOFFICIAL

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=66fe93ad0fdf88870979e85e

Tags:

Powershell Exploit Dropper Sage

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Creating a file in the %temp% subdirectories

Creating a window

Creating a process from a recently created file

Сreating synchronization primitives

Searching for synchronization primitives

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

embarcadero_delphi fingerprint installer lolbin overlay packed shell32

Link:

https://www.filescan.io/uploads/66fe51d6718049dcaee5ad1d/reports/b19d957f-4ad3-445a-9d08-f6dbeaa3c35f/overview

Verdict:

Malicious

Labled as:

Win/grayware_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/289318d37312b17e1bc9240fe8055167502da2977e2722e64bf72a2bb9029d59

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/852a329c-f578-4055-a6bf-f80b7a7edde4

Result

Threat name:

n/a

Detection:

malicious

Classification:

n/a

Score:

48 / 100

Link:

https://www.joesandbox.com/analysis/1524823

Signature

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Score:

65%

Verdict:

Susipicious

File Type:

Link:

https://malprob.io/report/289318d37312b17e1bc9240fe8055167502da2977e2722e64bf72a2bb9029d59

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/289318d37312b17e1bc9240fe8055167502da2977e2722e64bf72a2bb9029d59/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=fcjrru3tckyx4g6jeqh6qbkrm5ic3iuxpytsfzsl64vcxoictvmq._file

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery

Link:

https://tria.ge/reports/241003-j3tztsxanb/

Behaviour

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Executes dropped EXE

Loads dropped DLL

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/4d19fdd2-357f-4ef0-9259-728810e03c87

Unpacked files

SH256 hash:

590beff18e862e27b2fb92dd65170297c6e6646c960cf6e742dcb8a0fa8c7988

MD5 hash:

e2996dff751f9eb7ed4bd1c4d86b33d6

SHA1 hash:

ed3a1dd17478d510619dcbe01cc138cdd02e3103

Link:

https://www.unpac.me/results/70b7aefb-fad7-44e3-a459-da2fee942581/

SH256 hash:

a7e37f5314834b163fa21557e61c13c0f202fd64d3c0e46e6c90d2d02e033aec

MD5 hash:

6faec01bf7a3d7f5c5dee2e6e3143a58

SHA1 hash:

603a36f817cab5574e58ab279379e5c112e5fb37

Link:

https://www.unpac.me/results/70b7aefb-fad7-44e3-a459-da2fee942581/

SH256 hash:

44b8e6a310564338968158a1ed88c8535dece20acb06c5e22d87953c261dfed0

MD5 hash:

9c8886759e736d3f27674e0fff63d40a

SHA1 hash:

ceff6a7b106c3262d9e8496d2ab319821b100541

Link:

https://www.unpac.me/results/70b7aefb-fad7-44e3-a459-da2fee942581/

SH256 hash:

7520efc3b73ecc2d71772e4e430e4e12a825676eff2accb01e7bd3f304781966

MD5 hash:

daa47b828c0e97a74b4f62587ab5dbea

SHA1 hash:

9c28c0898517e2b21df9bd24eaa55aad2a34ba01

Link:

https://www.unpac.me/results/70b7aefb-fad7-44e3-a459-da2fee942581/

SH256 hash:

289318d37312b17e1bc9240fe8055167502da2977e2722e64bf72a2bb9029d59

MD5 hash:

4a7ea0c5bf309dc0391e00d0eb604ceb

SHA1 hash:

0ea97381ed6bc644f27da29a73b9f7d8c79ce468

Link:

https://www.unpac.me/results/70b7aefb-fad7-44e3-a459-da2fee942581/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/289318d37312b17e1bc9240fe8055167502da2977e2722e64bf72a2bb9029d59

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
SECURITY_BASE_API	Uses Security Base API	advapi32.dll::AdjustTokenPrivileges
WIN32_PROCESS_API	Can Create Process and Threads	kernel32.dll::CreateProcessW advapi32.dll::OpenProcessToken kernel32.dll::CloseHandle
WIN_BASE_API	Uses Win Base API	kernel32.dll::LoadLibraryExW kernel32.dll::LoadLibraryW kernel32.dll::GetSystemInfo kernel32.dll::GetStartupInfoA kernel32.dll::GetDiskFreeSpaceW kernel32.dll::GetCommandLineW
WIN_BASE_IO_API	Can Create Files	kernel32.dll::CreateDirectoryW kernel32.dll::CreateFileW kernel32.dll::DeleteFileW kernel32.dll::GetWindowsDirectoryW kernel32.dll::GetFileAttributesW kernel32.dll::FindFirstFileW
WIN_BASE_USER_API	Retrieves Account Information	advapi32.dll::LookupPrivilegeValueW
WIN_REG_API	Can Manipulate Windows Registry	advapi32.dll::RegOpenKeyExW advapi32.dll::RegQueryValueExW
WIN_USER_API	Performs GUI Actions	user32.dll::PeekMessageW user32.dll::CreateWindowExW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample