MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2fc949e23c1f908288f59ee5f760cb3d7634bb1cb473072916eb770c69c553d5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2fc949e23c1f908288f59ee5f760cb3d7634bb1cb473072916eb770c69c553d5
SHA3-384 hash: 015247b5f70289691d629d8c978de9d9ed742568b3320fb0e81aad3260b33bde8683eb8a0ffe448a2893b1e7717b0a57
SHA1 hash: 8a70e11e29739079e4f3425ef4f3692801e92033
MD5 hash: 2cefa380de4493783aba97a50fee9a7f
humanhash: london-island-aspen-paris
File name:ChatGPT4.exe
Download: download sample
File size:11'450'304 bytes
First seen:2023-06-03 02:28:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4fda732de1b2293b2442d2996c840875
ssdeep 196608:WoTlRxfE99KNqO2pb8KNkr26Wt2EpfbV0tO1Z0JEFVpOiG5pAt6mF:HTXm99KNqOgFNkr2d4EpfbqtO7t7ljtd
Threatray 5 similar samples on MalwareBazaar
TLSH T1ABB6F131764AC42BC66305F0192CAADF5528BF661BB654C7B3CC2E6E0BB45C31636E27
TrID 85.7% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
4.5% (.EXE) Win64 Executable (generic) (10523/12/4)
2.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
2.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 8c3371cccc71338e
Reporter milannshrestga
Tags:exe GPT signed

Code Signing Certificate

Organisation:ChatGPT_2023-6-2_15-19-1
Issuer:ChatGPT_2023-6-2_15-19-1
Algorithm:sha256WithRSAEncryption
Valid from:2023-06-02T08:09:20Z
Valid to:2024-06-02T08:29:20Z
Serial number: 4c4f00dca7167f9643e14924d3a4fb8d
Thumbprint Algorithm:SHA256
Thumbprint: fd3345de11f5e1c3757a8606b0466c0cd98e94cbf3e25c9216c81f1e4ba36290
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
milannshrestga
Droppe from: https://www.ai-chatgpt.ink/

@Namecheap

Intelligence

File Origin
# of uploads :
1
# of downloads :
267
Origin country :
NP NP
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ChatGPT4.exe
Verdict:
Malicious activity
Analysis date:
2023-06-03 02:30:25 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/63c757aa-e10f-4b1b-a13a-fe5e062a672c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/395042/
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Searching for the window
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Sending an HTTP GET request
Creating a file in the Windows subdirectories
Creating a file in the %temp% directory
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fingerprint greyware lolbin msiexec.exe overlay packed setupapi.dll shell32.dll
Link:
https://www.filescan.io/uploads/647aa56f1ee9a4fa787d9cb8/reports/567f9c14-3832-4d67-9008-fbdb6e1e13ea/overview
Verdict:
Malicious
Link:
https://www.hybrid-analysis.com/sample/2fc949e23c1f908288f59ee5f760cb3d7634bb1cb473072916eb770c69c553d5
Result
Verdict:
MALICIOUS
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/c31ac24e-a887-4fd3-abae-03a3c56b2f90
Result
Threat name:
n/a
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/1247969
Signature
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs a network lookup / discovery via ARP
Tries to harvest and steal browser information (history, passwords, etc)
Uses the Telegram API (likely for C&C communication)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 880989 Sample: ChatGPT4.exe Startdate: 03/06/2023 Architecture: WINDOWS Score: 68 52 Multi AV Scanner detection for dropped file 2->52 54 Multi AV Scanner detection for submitted file 2->54 56 Uses the Telegram API (likely for C&C communication) 2->56 58 Performs a network lookup / discovery via ARP 2->58 7 msiexec.exe 102 53 2->7         started        10 ChatGPT4.exe 122 2->10         started        12 Setup.exe 8 2->12         started        process3 dnsIp4 32 win32crypt.pyd (copy), PE32+ 7->32 dropped 34 vcruntime140.dll (copy), PE32+ 7->34 dropped 36 unicodedata.pyd (copy), PE32+ 7->36 dropped 44 46 other files (45 malicious) 7->44 dropped 16 msiexec.exe 7->16         started        18 msiexec.exe 7->18         started        38 C:\Windows\SystemTemp\shi5F56.tmp, PE32+ 10->38 dropped 40 C:\Windows\SystemTemp\...\lzmaextractor.dll, PE32 10->40 dropped 42 C:\Users\user\AppData\...\win32crypt.pyd, PE32+ 10->42 dropped 46 53 other files (24 malicious) 10->46 dropped 20 ChatGPT4.exe 1 10->20         started        48 api.telegram.org 149.154.167.220, 443, 49702, 49703 TELEGRAMRU United Kingdom 12->48 50 lumtest.com 3.94.40.55, 49700, 49701, 80 AMAZON-AESUS United States 12->50 60 Tries to harvest and steal browser information (history, passwords, etc) 12->60 62 Performs a network lookup / discovery via ARP 12->62 22 conhost.exe 12->22         started        24 ARP.EXE 1 12->24         started        26 cmd.exe 1 12->26         started        file5 signatures6 process7 process8 28 WMIADAP.exe 4 20->28         started        30 msiexec.exe 20->30         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2fc949e23c1f908288f59ee5f760cb3d7634bb1cb473072916eb770c69c553d5/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-06-02 18:27:02 UTC
File Type:
PE (Exe)
Extracted files:
450
AV detection:
7 of 36 (19.44%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=f7eutyr4d6iifchvt3s7oyglhv3djoy4wrzqokiw5n3qy2ofkpkq._file
Verdict:
unknown
Similar samples:
37a78be75ce8c01a57b12f589aacda2e8dd8fcd861bb09e279528d4dd0a1de24
61b16d71a76f83cef63d079b0735cd0a1cee24f1119063e28ef1f227f2bb27c4
73d7458f2325b5cf6ddc5bd22fba550654447ca0086c77e72bfebe909ae36541
7dd0f281b3da915e99690900150c0af179d057ca09e36bc33ef699d497e680aa
bc1669a5747c1c381b74017308f30427d1bdc0d70a3f3cbf4b28d8c78aa5503d
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230603-cykr2afb95/
Behaviour
Modifies system certificate store
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Enumerates connected drives
Loads dropped DLL
Unpacked files
SH256 hash:
2fc949e23c1f908288f59ee5f760cb3d7634bb1cb473072916eb770c69c553d5
MD5 hash:
2cefa380de4493783aba97a50fee9a7f
SHA1 hash:
8a70e11e29739079e4f3425ef4f3692801e92033
Link:
https://www.unpac.me/results/f0aea521-a1c3-4cd7-8740-a0b9f95729da/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.58
Link:
https://yomi.yoroi.company/submissions/2fc949e23c1f908288f59ee5f760cb3d7634bb1cb473072916eb770c69c553d5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:APT_Sandworm_ArguePatch_Apr_2022_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect ArguePatch loader used by Sandworm group for load CaddyWiper
Reference:https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/395042/

Comments