MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2aa9f15810e2c55dbc8522e386d76d1a8fb3a63a712b33e17bd2139a7b45c76b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: Adware.Generic
Vendor detections: 11

SHA256 hash: 2aa9f15810e2c55dbc8522e386d76d1a8fb3a63a712b33e17bd2139a7b45c76b
SHA3-384 hash: 74dfefd1a54c4b785c363684e54fac4b6e4bda6bae91928f94c0f85e411e6a6c4c568920753ef9293047d5b4d3240e5c
SHA1 hash: 132151d26e61d2fda4e4b31eb376a41ea0d56e6d
MD5 hash: 0b5719e9fd40b85d4d95e475e9431cd0
humanhash: equal-thirteen-cola-potato
File name: 2aa9f15810e2c55dbc8522e386d76d1a8fb3a63a712b33e17bd2139a7b45c76b
Signature: Adware.Generic
File size: 265'600 bytes
First seen: 2024-11-04 14:51:43 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep: 3072:mgXdZt9P6D3XJMzI7Op5KmEOm9Ek1ydrZeDAf1OnV8AHzsFypc95:me34qk7uUmq9EnvAH4F8u5
TLSH: T19244D0A3D2808E5BFA13073160B1E239A7FB7F84D179851752E7BF6B7A33A43040A655
TrID: 92.7% (.EXE) NSIS - Nullsoft Scriptable Install System (846567/2/133)
      3.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      1.1% (.EXE) Win64 Executable (generic) (10522/11/4)
      0.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      0.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika: pebin
dhash icon: e8e4b00d26d3c9d8 (1 x Adware.Generic)
Reporter: 0xSpicyBear
Tags: Adware.Generic exe signed
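The imphash above is shared with 946 Formbook, 398 Loki and 261 AgentTesla uploads because an import hash covers only the executable's import directory, and for an NSIS-built installer (TrID: 92.7% NSIS) that is the installer stub's import table, not the payload carried in the overlay. It therefore pivots to "same packer", not "same malware". The following is an added example, not MalwareBazaar's or pefile's code: it reimplements the imphash normalisation pefile uses (module name lowercased with .dll/.ocx/.sys stripped, function name lowercased, ordinals rendered as ordN, entries joined by commas, MD5 over the result) over a constructed import table assembled from the imports BLint lists further down the page. That list is partial and the known-ordinal tables pefile applies to ws2_32/wsock32 and oleaut32 are omitted, so the result will not equal the imphash recorded for this sample.

```python
"""Compute a PE import hash the way pefile defines it.

Added example, not pefile's code. NSIS_STUB_IMPORTS is a constructed table
built from the imports BLint shows for this sample; it is not the full
import directory, so imphash(NSIS_STUB_IMPORTS) is not this sample's imphash.
"""
import hashlib

# pefile drops these extensions from the module name before hashing.
_STRIPPED_EXTENSIONS = (".dll", ".ocx", ".sys")


def imphash_string(imports) -> str:
    """Build the 'module.function,module.function,...' string that gets hashed.

    imports: list of (module_name, [function_name_or_ordinal, ...]) in the
    order they appear in the import directory (order is part of the hash).
    Ordinals (ints) become 'ordN'; pefile additionally resolves well-known
    ordinals for ws2_32/wsock32 and oleaut32 to names, which is omitted here.
    """
    parts = []
    for module, funcs in imports:
        mod = module.lower()
        for ext in _STRIPPED_EXTENSIONS:
            if mod.endswith(ext):
                mod = mod[: -len(ext)]
                break
        for func in funcs:
            name = "ord%d" % func if isinstance(func, int) else func.lower()
            parts.append("%s.%s" % (mod, name))
    return ",".join(parts)


def imphash(imports) -> str:
    """MD5 of the normalised import string, as a 32-character hex digest."""
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


# Constructed from the imports BLint lists for this sample, grouped per module.
NSIS_STUB_IMPORTS = [
    ("KERNEL32.dll", ["CreateProcessA", "CloseHandle", "CreateThread",
                      "LoadLibraryA", "LoadLibraryExA", "GetDiskFreeSpaceA",
                      "GetCommandLineA", "CopyFileA", "CreateDirectoryA",
                      "CreateFileA", "DeleteFileA", "MoveFileA",
                      "GetWindowsDirectoryA"]),
    ("USER32.dll", ["AppendMenuA", "EmptyClipboard", "FindWindowExA",
                    "OpenClipboard", "PeekMessageA", "CreateWindowExA"]),
    ("ADVAPI32.dll", ["RegCreateKeyExA", "RegDeleteKeyA", "RegOpenKeyExA",
                      "RegQueryValueExA", "RegSetValueExA"]),
    ("SHELL32.dll", ["ShellExecuteA", "SHFileOperationA", "SHGetFileInfoA"]),
    ("ole32.dll", ["CoCreateInstance"]),
]


if __name__ == "__main__":
    # The payload is never an input here: anything that shares this stub's
    # import table shares the hash, whatever is appended in the overlay.
    print(imphash_string(NSIS_STUB_IMPORTS))
    print(imphash(NSIS_STUB_IMPORTS))
```

Module-name case does not affect the hash, but the order of modules and functions does, so two builds of the same stub produce the same value while a recompiled stub with reordered imports does not.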

Code Signing Certificate

Organisation: Zoom Information Inc.
Issuer: DigiCert EV Code Signing CA (SHA2)
Algorithm: sha256WithRSAEncryption
Valid from: 2019-09-13T00:00:00Z
Valid to: 2022-09-16T12:00:00Z
Serial number: 0c95f23fdce8753e0c04a0d0d72cf2be
Thumbprint algorithm: SHA256
Thumbprint: fa8468979adf549fba1f9f93177e0037e776537c8463c68facc98c9505f3cc21
Source: ReversingLabs A1000 Malware Analysis Platform

The subject organisation matches the product name the vendor verdicts below report (ZoomInfo Contact Contributor). The certificate had expired more than two years before the sample was first seen (valid to 2022-09-16, first seen 2024-11-04); whether Windows still accepts the signature depends on an RFC 3161 timestamp countersignature made while the certificate was valid, which this entry does not record, so check the signature state on the file itself rather than inferring it from the "signed" tag.


spicy_bear_: ZoomInfoContactContributor.exe

Intelligence

File Origin
Number of uploads: 1
Number of downloads: 440
Origin country: US
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: ZoomInfoContactContributor.exe.7z
Verdict: Malicious activity
Analysis date: 2023-09-22 18:47:57 UTC
Tags: adware
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 99.9%
Tags: powershell nsis

Result
Verdict: Clean
Maliciousness:
Behaviour:
Creating a file in the %temp% subdirectories
Creating a file
DNS request
Creating a window
Creating synchronization primitives
Searching for synchronization primitives

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: installer microsoft_visual_cc overlay packed

Verdict: Malicious
Labelled as: Python_ZoomInfo_A_potentially_unwanted

Result
Verdict: UNKNOWN
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family: ZoomInfo Contact Contributor
Verdict: Suspicious

Result
Threat name: n/a
Detection: suspicious
Classification: evad
Score: 24 / 100
Signature: Query firmware table information (likely to detect VMs)
Behaviour:
Behaviour graph (ID 1539564; sample ZoomInfoContactContributor (2).exe; start date 22/10/2024; architecture WINDOWS; score 24), flattened to a process tree with the network and file activity attached to each node:
  ZoomInfoContactContributor (2).exe
    contacts 142.250.65.243 (GOOGLE, United States), 142.250.72.123 (GOOGLE, United States)
    drops C:\Users\user\AppData\Local\...\tcl85.dll (PE32+), C:\Users\user\AppData\Local\...\sqlite3.dll (PE32+), C:\Users\...\sklearn.utils.weight_vector.pyd (PE32+) and 203 other files (191 flagged malicious)
    cmd.exe
      coordinator.exe
        signature: Query firmware table information (likely to detect VMs)
        contacts 52.109.20.38 (MICROSOFT-CORP-MSN-AS-BLOCK, United States), 52.111.243.29 (MICROSOFT-CORP-MSN-AS-BLOCK, United States) and 2 other IPs or domains
      conhost.exe
    chrome.exe
      contacts 192.168.11.20 (unknown), 239.255.255.250 (reserved)
      chrome.exe
        contacts 9.9.9.9 (QUAD9-AS-1, United States), 142.250.65.170 (GOOGLE, United States) and 24 other IPs or domains
  cmd.exe
    coordinator.exe
      signature: Query firmware table information (likely to detect VMs)
    conhost.exe
  rundll32.exe
Result
Malware family: n/a
Score: 7/10
Tags: discovery persistence pyinstaller
Behaviour:
Enumerates system info in registry
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
NSIS installer
Browser Information Discovery
Detects Pyinstaller
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Executes dropped EXE
Loads dropped DLL

Verdict: Suspicious
Tags: n/a
YARA: n/a

Unpacked files
SHA256 db09adb6e17b6a0b31823802431ff5209018ee8c77a193ac8077e42e5f15fb00 (MD5 2e2412281a205ed8d53aafb3ef770a2d, SHA1 3cae4138e8226866236cf34f8fb00dafb0954d97)
SHA256 e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a (MD5 c10e04dd4ad4277d5adc951bb331c777, SHA1 b1e30808198a3ae6d6d1cca62df8893dc2a7ad43)
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f (MD5 c17103ae9072a06da581dec998343fc1, SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d)
SHA256 dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9 (MD5 a5f8399a743ab7f9c88c645c35b1ebb5, SHA1 168f3c158913b0367bf79fa413357fbe97018191)
SHA256 a6122e80f1c51dc72770b4f56c7c482f7a9571143fbf83b19c4d141d0cb19294 (MD5 83cd62eab980e3d64c131799608c8371, SHA1 5b57a6842a154997e31fab573c5754b358f5dd1c)
SHA256 6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d (MD5 5f13dbc378792f23e598079fc1e4422b, SHA1 5813c05802f15930aa860b8363af2b58426c8adf)
SHA256 2aa9f15810e2c55dbc8522e386d76d1a8fb3a63a712b33e17bd2139a7b45c76b (MD5 0b5719e9fd40b85d4d95e475e9431cd0, SHA1 132151d26e61d2fda4e4b31eb376a41ea0d56e6d)

Please note that we are no longer able to provide a coverage score for Virus Total.
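Several of the behaviours reported above ("Creating a file in the %temp% subdirectories", "Executes dropped EXE", "Loads dropped DLL", "Adds Run key to start application") are properties of an event sequence rather than of any single event, so reproducing them from endpoint telemetry means correlating file-create, process-create, image-load and registry-set records in time order. The block below is an added example and not any vendor's or MalwareBazaar's detection logic. It replays constructed Sysmon-style events; the field names, PIDs, the temp directory and the Run value name are assumptions, and only the process names (the installer, cmd.exe, coordinator.exe) and the dropped file names (sqlite3.dll) are taken from the graph above.

```python
"""Correlate endpoint events into the dropped-file and Run-key behaviours
reported for this sample.

Added example; not a vendor's logic. EVENTS is a constructed, Sysmon-like
sequence (EventID 11 file create, 1 process create, 7 image load,
13 registry value set). Field names, PIDs and paths are assumptions.
"""

RUN_KEY_SUFFIXES = (
    "\\microsoft\\windows\\currentversion\\run\\",
    "\\microsoft\\windows\\currentversion\\runonce\\",
)
# Locations a standard user can write to; a Run value pointing here is
# persistence that needed no elevation.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\users\\public\\", "\\temp\\")

INSTALLER = r"C:\Users\user\Desktop\ZoomInfoContactContributor (2).exe"
DROP_DIR = r"C:\Users\user\AppData\Local\Temp\nsx1A2B.tmp"  # constructed, NSIS-style temp dir

EVENTS = [  # constructed; chronological order matters for the correlation
    {"EventID": 1, "ProcessId": 1023, "Image": INSTALLER},
    {"EventID": 11, "ProcessId": 1023, "TargetFilename": DROP_DIR + r"\coordinator.exe"},
    {"EventID": 11, "ProcessId": 1023, "TargetFilename": DROP_DIR + r"\sqlite3.dll"},
    {"EventID": 1, "ProcessId": 1301, "Image": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "ProcessId": 1305, "Image": DROP_DIR + r"\coordinator.exe"},
    {"EventID": 7, "ProcessId": 1305, "ImageLoaded": DROP_DIR + r"\sqlite3.dll"},
    {"EventID": 7, "ProcessId": 1305, "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": 13, "ProcessId": 1305,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Coordinator",
     "Details": '"' + DROP_DIR + r'\coordinator.exe" --background'},
]


def _norm(path: str) -> str:
    return path.strip().lower()


def _target_from_value(details: str) -> str:
    """Pull the executable path out of a Run value such as '"C:\\x.exe" --arg'."""
    d = details.strip()
    if d.startswith('"'):
        return d[1:].split('"', 1)[0]
    return d.split(" ", 1)[0]


def correlate(events):
    """One chronological pass; returns the matched behaviours.

    executed_dropped:     (image, pid that wrote it, pid that ran it)
    loaded_dropped:       (loading pid, image)
    run_key_persistence:  Run/RunOnce values pointing into user-writable paths
    run_key_to_dropped:   the subset of those whose target this trace saw written
    """
    dropped = {}  # normalised path -> pid that created it
    out = {"executed_dropped": [], "loaded_dropped": [],
           "run_key_persistence": [], "run_key_to_dropped": []}
    for ev in events:
        eid = ev["EventID"]
        if eid == 11:
            dropped[_norm(ev["TargetFilename"])] = ev["ProcessId"]
        elif eid == 1 and _norm(ev["Image"]) in dropped:
            out["executed_dropped"].append(
                (ev["Image"], dropped[_norm(ev["Image"])], ev["ProcessId"]))
        elif eid == 7 and _norm(ev["ImageLoaded"]) in dropped:
            out["loaded_dropped"].append((ev["ProcessId"], ev["ImageLoaded"]))
        elif eid == 13:
            key = _norm(ev["TargetObject"])
            if not any(s in key for s in RUN_KEY_SUFFIXES):
                continue
            target = _norm(_target_from_value(ev["Details"]))
            if any(m in target for m in USER_WRITABLE_MARKERS):
                out["run_key_persistence"].append((ev["TargetObject"], target))
            if target in dropped:
                out["run_key_to_dropped"].append((ev["TargetObject"], target))
    return out


if __name__ == "__main__":
    for name, hits in correlate(EVENTS).items():
        print(name, hits)
```

The correlation deliberately keys on the file path written earlier in the same trace rather than on a hash, which is what makes it work for a PyInstaller bundle that unpacks hundreds of files under %temp%: a matching on-disk path is cheap to keep in a dictionary, while hashing every dropped file in real time is not.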

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Detect_SliverFox_String
Author: huoji
Description: Detects files that are `SliverFox` malware

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits

File information



BLint


The following findings and reviews come from BLint, a binary linter that checks the security properties and capabilities of executables.

Findings

CHECK_DLL_CHARACTERISTICS (severity: high): Missing dll Security Characteristics (HIGH_ENTROPY_VA)
CHECK_NX (severity: critical): Missing Non-Executable Memory Protection
CHECK_PIE (severity: high): Missing Position-Independent Executable (PIE) Protection
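All three findings are header bits: NX_COMPAT (0x0100), DYNAMIC_BASE (0x0040) and HIGH_ENTROPY_VA (0x0020) in IMAGE_OPTIONAL_HEADER.DllCharacteristics, which sits at the same offset (70) in both the PE32 and PE32+ layouts. The added example below is not BLint's code: it parses the DOS and NT headers by hand, reports the same finding IDs as above, and additionally treats IMAGE_FILE_RELOCS_STRIPPED in IMAGE_FILE_HEADER.Characteristics as defeating DYNAMIC_BASE, since a randomised base cannot be applied without a relocation table (that extra condition is this example's choice, not necessarily BLint's). build_minimal_pe() fabricates a header-only image so the checks run without the sample. HIGH_ENTROPY_VA only changes loader behaviour for 64-bit images, so on a 32-bit image that finding is informational; the parser reports which layout it saw.

```python
"""Read the PE mitigation bits behind BLint's CHECK_NX, CHECK_PIE and
CHECK_DLL_CHARACTERISTICS findings.

Added example, not BLint's code. build_minimal_pe() returns a constructed,
header-only image (not a real sample, not loadable) so everything runs offline.
"""
import struct

# IMAGE_FILE_HEADER.Characteristics
IMAGE_FILE_RELOCS_STRIPPED = 0x0001
# IMAGE_OPTIONAL_HEADER.DllCharacteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
DLLCHARS_OFFSET = 70  # offset of DllCharacteristics in both optional-header layouts


def parse_headers(data: bytes) -> dict:
    """Return the few header fields the mitigation checks need."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad NT signature")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, _nsec, _ts, _sym, _nsym, opt_size, file_chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    if opt_size < DLLCHARS_OFFSET + 2:
        raise ValueError("optional header too short")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + DLLCHARS_OFFSET)[0]
    return {"machine": machine, "pe32plus": magic == PE32PLUS_MAGIC,
            "file_chars": file_chars, "dll_chars": dll_chars}


def check_mitigations(data: bytes) -> list:
    """Return the BLint-style finding IDs (same names as on the page) that apply."""
    h = parse_headers(data)
    findings = []
    if not h["dll_chars"] & IMAGE_DLLCHARACTERISTICS_NX_COMPAT:
        findings.append("CHECK_NX")
    # ASLR needs the flag and a relocation table the loader can apply.
    if (not h["dll_chars"] & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
            or h["file_chars"] & IMAGE_FILE_RELOCS_STRIPPED):
        findings.append("CHECK_PIE")
    if not h["dll_chars"] & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA:
        findings.append("CHECK_DLL_CHARACTERISTICS")
    return findings


def build_minimal_pe(dll_chars: int, file_chars: int = 0, pe32plus: bool = False) -> bytes:
    """Fabricate a header-only image: enough for the checks above, not loadable."""
    opt_size = 240 if pe32plus else 224
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: NT headers follow the DOS header
    machine = 0x8664 if pe32plus else 0x014C
    file_hdr = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, file_chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, DLLCHARS_OFFSET, dll_chars)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:
        data = build_minimal_pe(0)  # constructed image with no mitigations set
    print(parse_headers(data))
    print(check_mitigations(data))
```

Run it against the downloaded sample to confirm the three findings, and against a dropped PE32+ file from the %temp% directory to see whether the bundled payload was built with the mitigations the installer stub lacks.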
Reviews

COM_BASE_API (Can Download & Execute components): ole32.dll::CoCreateInstance
SHELL_API (Manipulates System Shell): SHELL32.dll::ShellExecuteA, SHELL32.dll::SHFileOperationA, SHELL32.dll::SHGetFileInfoA
WIN32_PROCESS_API (Can Create Process and Threads): KERNEL32.dll::CreateProcessA, KERNEL32.dll::CloseHandle, KERNEL32.dll::CreateThread
WIN_BASE_API (Uses Win Base API): KERNEL32.dll::LoadLibraryA, KERNEL32.dll::LoadLibraryExA, KERNEL32.dll::GetDiskFreeSpaceA, KERNEL32.dll::GetCommandLineA
WIN_BASE_IO_API (Can Create Files): KERNEL32.dll::CopyFileA, KERNEL32.dll::CreateDirectoryA, KERNEL32.dll::CreateFileA, KERNEL32.dll::DeleteFileA, KERNEL32.dll::MoveFileA, KERNEL32.dll::GetWindowsDirectoryA
WIN_REG_API (Can Manipulate Windows Registry): ADVAPI32.dll::RegCreateKeyExA, ADVAPI32.dll::RegDeleteKeyA, ADVAPI32.dll::RegOpenKeyExA, ADVAPI32.dll::RegQueryValueExA, ADVAPI32.dll::RegSetValueExA
WIN_USER_API (Performs GUI Actions): USER32.dll::AppendMenuA, USER32.dll::EmptyClipboard, USER32.dll::FindWindowExA, USER32.dll::OpenClipboard, USER32.dll::PeekMessageA, USER32.dll::CreateWindowExA

Comments