MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2f109b4bed56fa320c542f1d65eaddf1b2a01faa2a533654149ccf96b1eefa53. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 8

Intelligence 8 IOCs YARA 18 File information Comments

SHA256 hash:	2f109b4bed56fa320c542f1d65eaddf1b2a01faa2a533654149ccf96b1eefa53
SHA3-384 hash:	8f454e32518dce66f211493663acfb671be19441628d9a85df3f2052f26848f193fcd2559f7843a8d8d4342a1f53ffa3
SHA1 hash:	a7e60e6b99dba0034e39ce17bf81004f23a8096f
MD5 hash:	cfc1ef6fa30df6ba9d5444c9d82def64
humanhash:	nineteen-sixteen-romeo-coffee
File name:	1734071470ec755c4a44898f12ebe7bfa0c17073ce8bd70b160ba998a5d6b54d6116fe3c66370.dat-decoded
Download:	download sample
File size:	1'503'336 bytes
First seen:	2024-12-13 06:31:13 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	529295aa9b240be7db9b818b8b066d77
ssdeep	24576:fv9pajQXDVAfWpqj/fcl7fMD1Nfa3t9+GEwObIfh6nRYeWy4mdPvAV5osxoso:HdFEjk9+G3pIQTmdQV4
Threatray	27 similar samples on MalwareBazaar
TLSH	T1E065CF52BAC24471F59201B112EAE77FBE39B2416721CAC7C3D0DC685D622E1AA3F35D
TrID	49.9% (.EXE) Win64 Executable (generic) (10522/11/4) 21.3% (.EXE) Win32 Executable (generic) (4504/4/1) 9.6% (.EXE) OS/2 Executable (generic) (2029/13) 9.5% (.EXE) Generic Win/DOS Executable (2002/3) 9.4% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
File icon (PE):
dhash icon	d292b0b2da36bcbe (11 x AsyncRAT, 7 x Metasploit, 6 x CoinMiner)
Reporter	abuse_ch
Tags:	base64-decoded exe signed

Code Signing Certificate

Organisation:	Simon Tatham
Issuer:	Sectigo Public Code Signing CA R36
Algorithm:	sha384WithRSAEncryption
Valid from:	2024-09-27T00:00:00Z
Valid to:	2027-09-27T23:59:59Z
Serial number:	be8e1d85c5d2521b6d33379e3b8501a9
Intelligence:	4 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	c3256bedd1f5d35dca002b545406528a5ceb710d66242d07d7d9ce81d7f889b4
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

abuse_ch

Malware dropped as base64 encoded payload

Intelligence

File Origin

# of uploads :

# of downloads :

429

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

1734071470ec755c4a44898f12ebe7bfa0c17073ce8bd70b160ba998a5d6b54d6116fe3c66370.dat-decoded

Verdict:

Suspicious activity

Analysis date:

2024-12-13 06:39:11 UTC

Tags:

putty tool

Link:

https://app.any.run/tasks/5180a4df-f550-458c-ad52-0018e59b235a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Win.Packed.Razy-10038528-0

Verdict:

Clean

Score:

89.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=675bd5ff259e5b60544e1cc9

Tags:

injection extens earth

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Creating a window

Reading critical registry keys

Verdict:

Unknown

Threat level:

n/a -.1/10

Confidence:

100%

Tags:

adaptive-context fingerprint lolbin microsoft_visual_cc packed packed packer_detected remote stealer

Link:

https://www.filescan.io/uploads/675bd4ebe11c427f4489123d/reports/0a4d62ee-d1e3-427b-b84c-fb8c2375c7dc/overview

Verdict:

Malicious

Link:

https://www.hybrid-analysis.com/sample/2f109b4bed56fa320c542f1d65eaddf1b2a01faa2a533654149ccf96b1eefa53

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/96bd3821-9c95-4f3f-a151-bc3332138cc0

Result

Threat name:

n/a

Detection:

clean

Classification:

n/a

Score:

9 / 100

Link:

https://www.joesandbox.com/analysis/1574243

Behaviour

Behavior Graph:

n/a

Score:

93%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/2f109b4bed56fa320c542f1d65eaddf1b2a01faa2a533654149ccf96b1eefa53

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2f109b4bed56fa320c542f1d65eaddf1b2a01faa2a533654149ccf96b1eefa53/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=f4ijws7nk35dedcuf4owl2w56gzkah5kfjjtmvautthznmpo7jjq._file

Verdict:

malicious

Label(s):

admintool_putty

173d644887fe55f54403e56181f9f4a61283332b264b2664bdd05f90317b9519

2f109b4bed56fa320c542f1d65eaddf1b2a01faa2a533654149ccf96b1eefa53

4a38db0744930e1f5bfc0a82f63c907f7dc94270b930a3950e6a0abbc903c47f

4b94270d77479578ce5d88659bc8e76024c8456578392a341971fbe006e01963

error

+ 17 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

discovery

Link:

https://tria.ge/reports/241213-hal8va1khy/

Behaviour

Suspicious behavior: GetForegroundWindowSpam

System Location Discovery: System Language Discovery

Verdict:

Malicious

Tags:

Win.Packed.Razy-10038528-0

YARA:

n/a

Link:

https://app.threat.zone/submission/5f9415a7-7b84-4135-ac91-e8a46827c373

Unpacked files

SH256 hash:

2f109b4bed56fa320c542f1d65eaddf1b2a01faa2a533654149ccf96b1eefa53

MD5 hash:

cfc1ef6fa30df6ba9d5444c9d82def64

SHA1 hash:

a7e60e6b99dba0034e39ce17bf81004f23a8096f

Link:

https://www.unpac.me/results/5a9348ea-f424-46cb-bd0e-538788de494e/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.48

Link:

https://yomi.yoroi.company/submissions/2f109b4bed56fa320c542f1d65eaddf1b2a01faa2a533654149ccf96b1eefa53

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BLOWFISH_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for Blowfish constants

Rule name:	CHM_File_Executes_JS_Via_PowerShell Create hunting rule
Author:	daniyyell
Description:	Detects a Microsoft Compiled HTML Help (CHM) file that executes embedded JavaScript to launch a messagebox via PowerShell

Rule name:	command_and_control Create hunting rule
Author:	CD_R0M_
Description:	This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	RansomPyShield_Antiransomware Create hunting rule
Author:	XiAnzheng
Description:	Check for Suspicious String and Import combination that Ransomware mostly abuse(can create FP)

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	SHA512_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA384/SHA512 constants

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

ec755c4a44898f12ebe7bfa0c17073ce8bd70b160ba998a5d6b54d6116fe3c66

exe 2f109b4bed56fa320c542f1d65eaddf1b2a01faa2a533654149ccf96b1eefa53

(this sample)

Dropped by

SHA256 ec755c4a44898f12ebe7bfa0c17073ce8bd70b160ba998a5d6b54d6116fe3c66

Dropped by

MD5 d555984fbbc426054adf293bbb24924d

URLhaus

https://urlhaus.abuse.ch/url/3347315/

Delivery method

Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Reviews

ID	Capabilities	Evidence
AUTH_API	Manipulates User Authorization	ADVAPI32.dll::AllocateAndInitializeSid ADVAPI32.dll::CopySid ADVAPI32.dll::EqualSid ADVAPI32.dll::GetLengthSid ADVAPI32.dll::InitializeSecurityDescriptor
COM_BASE_API	Can Download & Execute components	ole32.dll::CoCreateInstance
SECURITY_BASE_API	Uses Security Base API	ADVAPI32.dll::SetSecurityDescriptorDacl ADVAPI32.dll::SetSecurityDescriptorOwner
SHELL_API	Manipulates System Shell	SHELL32.dll::ShellExecuteA
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CreateProcessA KERNEL32.dll::OpenProcess KERNEL32.dll::CloseHandle KERNEL32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryA KERNEL32.dll::LoadLibraryExA KERNEL32.dll::LoadLibraryExW KERNEL32.dll::GetStartupInfoW KERNEL32.dll::GetCommandLineA KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::WriteConsoleW KERNEL32.dll::ReadConsoleW KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleMode KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CreateFileA KERNEL32.dll::CreateFileMappingA KERNEL32.dll::CreateFileW KERNEL32.dll::DeleteFileA KERNEL32.dll::GetWindowsDirectoryA KERNEL32.dll::GetSystemDirectoryA
WIN_BASE_USER_API	Retrieves Account Information	ADVAPI32.dll::GetUserNameA
WIN_REG_API	Can Manipulate Windows Registry	ADVAPI32.dll::RegCreateKeyExA ADVAPI32.dll::RegDeleteKeyA ADVAPI32.dll::RegOpenKeyExA ADVAPI32.dll::RegQueryValueExA ADVAPI32.dll::RegSetValueExA
WIN_USER_API	Performs GUI Actions	USER32.dll::AppendMenuA USER32.dll::CreateMenu USER32.dll::EmptyClipboard USER32.dll::FindWindowA USER32.dll::OpenClipboard USER32.dll::PeekMessageA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample