MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 346593feca8346078fc0d354e5533614e71b7147315e6ebdd3868f12a886303c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Adware.Neoreklami
Vendor detections: 8

SHA256 hash: 346593feca8346078fc0d354e5533614e71b7147315e6ebdd3868f12a886303c
SHA3-384 hash: 55f85ede071eb6768a901b269b85fb270cee77500972add35b74e868ea6481895a7f77d24bc753227a90c46408e36dc0
SHA1 hash: 4103a34f0ca8d77b6ebebc7f6fffa335fb611d2a
MD5 hash: f20c0434e43c18a6aa9587f5879708aa
humanhash: don-helium-lamp-vegan
File name: file
Signature: Adware.Neoreklami
File size: 2'944'000 bytes
First seen: 2022-10-26 16:32:37 UTC
Last seen: 2022-10-26 18:42:54 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 9aebf3da4677af9275c461261e5abde3 (25 x YTStealer, 12 x CobaltStrike, 11 x Hive)
ssdeep: 49152:J1+dw3LQ8QIbx0oHr2EXAmjon3mIImKYe3tslHuAfzpcJOjH2f8PZKyqSUBeAjRO:DvLQ8QIb5LzQmUim4YHu+pcdfiQyqSUw
Threatray: 40 similar samples on MalwareBazaar
TLSH: T12FD533ADC864A5B1D1CE557E381561C2A15AE6C062C25CB4CE5AEEB7F1332F3A439333
TrID: 64.7% (.EXE) UPX compressed Win64 Executable (70117/5/12)
      25.0% (.EXE) UPX compressed Win32 Executable (27066/9/6)
      4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      1.8% (.EXE) OS/2 Executable (generic) (2029/13)
      1.8% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter: andretavare5
Tags: Adware.Neoreklami exe


andretavare5
Sample downloaded from https://vk.com/doc733883836_657594730?hash=chDN6UjDPRjWu2INIVJmq4zuY2y8B3Ae7E7q0HDXhTD&dl=G4ZTGOBYGM4DGNQ:1666791528:ZzvSjd5OopjOIZTeUzXz6RcMTMfdsXV7JSzCbsOxXH8&api=1&no_preview=1#555_1401

Intelligence

File Origin
# of uploads: 7
# of downloads: 284
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: file
Verdict: No threats detected
Analysis date: 2022-10-26 16:35:38 UTC
Tags: n/a
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the system32 subdirectories
Creating a file
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family: ngrok-server
Verdict: Suspicious

Result
Threat name: Unknown
Detection: malicious
Classification: spyw
Score: 52 / 100
Signature
Antivirus / Scanner detection for submitted sample
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph ID: 731248 (sample: file.exe, start date: 26/10/2022, architecture: WINDOWS, score: 52)
Process tree: file.exe -> cmd.exe -> conhost.exe
Network: youtube-ui.l.google.com (172.217.18.110, 443, 49692, GOOGLEUS United States), www.youtube.com
Graph signatures: Antivirus / Scanner detection for submitted sample; Tries to harvest and steal browser information (history, passwords, etc)

Threat name: Win64.Trojan.Generic
Status: Suspicious
First seen: 2022-10-26 17:26:13 UTC
AV detection: 10 of 26 (38.46%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: spyware stealer upx
Behaviour
Suspicious use of WriteProcessMemory
Reads user/profile data of web browsers
UPX packed file
Unpacked files
SHA256 hash: 2adff23aecbe935b9043ceffd4a7ec332102cb7f5282f84fffc1b2fe769cab91
MD5 hash: 21b0383eb967f3a4bbbdc5c719363e3b
SHA1 hash: 77306d85c8213c33ab16636e456aba35ddfd1c51
SHA256 hash: 346593feca8346078fc0d354e5533614e71b7147315e6ebdd3868f12a886303c
MD5 hash: f20c0434e43c18a6aa9587f5879708aa
SHA1 hash: 4103a34f0ca8d77b6ebebc7f6fffa335fb611d2a
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: GoBinTest

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by: PrivateLoader
Delivery method: Distributed via drive-by

Comments