MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2fd281c29da243416deeee9780a5176031b9239a21fc9e40717662d97e2de598. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 13

Intelligence 13 IOCs YARA 3 File information Comments

SHA256 hash:	2fd281c29da243416deeee9780a5176031b9239a21fc9e40717662d97e2de598
SHA3-384 hash:	fc5d81e3cb4301127a54221ae56039519640376664f4fdb30288749edf8d366b1e61d8a6e7a432ead74f0273e1cdafe0
SHA1 hash:	2a91518b973fe6ccbb11e606b7fc47152a316f5b
MD5 hash:	057d0f581381b1ca2f5f5c96bc4dd90b
humanhash:	march-oscar-delta-montana
File name:	PO I2241605CA_.pdf.exe
Download:	download sample
File size:	300'544 bytes
First seen:	2024-10-01 05:22:10 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	77b2e5e9b52fbef7638f64ab65f0c58c (12 x Formbook, 2 x Loki, 2 x AgentTesla)
ssdeep	6144:yYDhB6ActM8FbPt6a15RGkPNJAcb+k2WzoPiML3AYRYAe5mYklPI:V9BvctM85t35JPNJj2WzoRLQYRYzmY
Threatray	124 similar samples on MalwareBazaar
TLSH	T1A4541303F285A4EEEDE74331ACD3B68A17A6ED326B2313531379599FAC34624D433586
TrID	35.7% (.EXE) UPX compressed Win32 Executable (27066/9/6) 35.0% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4) 8.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 5.9% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
File icon (PE):
dhash icon	b150b26869b2d471 (468 x Formbook, 101 x RedLineStealer, 94 x AgentTesla)
Reporter	abuse_ch
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

355

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

PO I2241605CA_.pdf.exe

Verdict:

No threats detected

Analysis date:

2024-10-01 05:29:59 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/b27096d3-c1c7-4026-b6aa-05c81d12f0f0

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.27594.18136.UNOFFICIAL

Verdict:

Malicious

Score:

92.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=66fb8739936bd9db87720f6a

Tags:

Underscore Buzus

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

fingerprint keylogger lolbin masquerade microsoft_visual_cc packed packed packed shell32 upx

Link:

https://www.filescan.io/uploads/66fb8737ac7403f51790d54a/reports/bd8cc925-9843-453b-8d44-8e5ef9207437/overview

Verdict:

Malicious

Labled as:

TrojWare.Buzus

Link:

https://www.hybrid-analysis.com/sample/2fd281c29da243416deeee9780a5176031b9239a21fc9e40717662d97e2de598

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

OP Auto Clicker

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/a52ec764-2dce-4732-a56c-6ce692038f4e

Result

Threat name:

n/a

Detection:

malicious

Classification:

evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/1523140

Signature

AI detected suspicious sample

Contains functionality to detect sleep reduction / modifications

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Sigma detected: Suspicious Double Extension File Execution

Uses an obfuscated file name to hide its real file extension (double extension)

Behaviour

Behavior Graph:

Download SVG

Score:

56%

Verdict:

Susipicious

File Type:

Link:

https://malprob.io/report/2fd281c29da243416deeee9780a5176031b9239a21fc9e40717662d97e2de598

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2fd281c29da243416deeee9780a5176031b9239a21fc9e40717662d97e2de598/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=f7jidqu5ujbuc3po52lybjixmay3si42eh6j4qdrozrns7rn4wma._file

Verdict:

malicious

Label(s):

admintool_powerrun

10036157527a31b20c614f93ef5ea8101fc843c04704423bcda299b1d1e7c1a1

2fd281c29da243416deeee9780a5176031b9239a21fc9e40717662d97e2de598

93a039cd592c64a14e6e688f805b8f069cc2ec03a1d07ce6bb8db3b4fefe9745

9693e6a8bdaa7fa75e4a0215f8ba332db027c1ec11f7f4bf0a7fea17c73158ac

c9cf9ca824c529127e72e6eac74b9e1a7f78e8c0c5a906efbdf0b201fbee28cf

error

f080bf1c00fb050cc2a92fb17c08cd22d427782c6f47c532a2462ce3325905f0

+ 114 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

discovery upx

Link:

https://tria.ge/reports/241001-f2618awhjd/

Behaviour

Enumerates physical storage devices

System Location Discovery: System Language Discovery

AutoIT Executable

UPX packed file

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/28bb3f90-3d98-475f-991f-aaa0f7a1ae52

Unpacked files

SH256 hash:

51badf1016ff2a5abbcb42731f65f49abb71185e5dab7cb59ce628ce0f8d1c59

MD5 hash:

f868d1091d3d3f4fc215ab305e12872f

SHA1 hash:

51967e1a2453f1022641bc83389eeae721aa8050

Detections:

AutoIT_Compiled

Link:

https://www.unpac.me/results/83674f6d-13a0-4f55-8301-184d8901165f/

SH256 hash:

2fd281c29da243416deeee9780a5176031b9239a21fc9e40717662d97e2de598

MD5 hash:

057d0f581381b1ca2f5f5c96bc4dd90b

SHA1 hash:

2a91518b973fe6ccbb11e606b7fc47152a316f5b

Link:

https://www.unpac.me/results/83674f6d-13a0-4f55-8301-184d8901165f/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2fd281c29da243416deeee9780a5176031b9239a21fc9e40717662d97e2de598

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser Create hunting rule
Author:	malware-lu

Rule name:	UPXv20MarkusLaszloReiser Create hunting rule
Author:	malware-lu

Rule name:	upx_largefile Create hunting rule
Author:	k3nr9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
AUTH_API	Manipulates User Authorization	ADVAPI32.dll::GetAce
MULTIMEDIA_API	Can Play Multimedia	WINMM.dll::timeGetTime
WIN_BASE_API	Uses Win Base API	KERNEL32.DLL::LoadLibraryA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample