MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 372b14fce2eb35b264f6d4aeef7987da56d951d3a09ef866cf55ed72763caa12. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 372b14fce2eb35b264f6d4aeef7987da56d951d3a09ef866cf55ed72763caa12
SHA3-384 hash: 87277fa2edc1b770c013490a7102ee07417bde431bc88b12bb712f6dd39fd96fd2dcb85891df5acb4e4a9e31459ec705
SHA1 hash: 8fb5da182dea64c842953bf72fc573a74adaa155
MD5 hash: 40b9628354ef4e6ef3c87934575545f4
humanhash: lion-cat-pasta-winter
File name:Register.dll
Download: download sample
File size:1'081'320 bytes
First seen:2024-05-03 10:42:50 UTC
Last seen:2024-05-03 11:25:40 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash ee94d9d14cff80538936ff9d276ecfc1
ssdeep 24576:k0Rdvjw14ZCWQuTs54Qbz27j7BS2Nv+4BT8+u60:BDZ2zAj7pXT3i
Threatray 9 similar samples on MalwareBazaar
TLSH T143354D12A3D54433D0721F7A8D6AD6946C29BD312EA4D84E3EF8DB4C0F39B81AD34697
TrID 46.2% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
11.3% (.EXE) Win32 Executable Delphi generic (14182/79/4)
10.5% (.SCR) Windows screen saver (13097/50/3)
8.4% (.EXE) Win64 Executable (generic) (10523/12/4)
8.0% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
File icon (PE):PE icon
dhash icon f0dcb6cbab3ab4b0 (2 x Gh0stRAT, 2 x ACRStealer, 1 x RecordBreaker)
Reporter JoulK
Tags:dll signed

Code Signing Certificate

Organisation:IObit CO., LTD
Issuer:Sectigo RSA Code Signing CA
Algorithm:sha256WithRSAEncryption
Valid from:2021-03-25T00:00:00Z
Valid to:2024-03-24T23:59:59Z
Serial number: 8ba1f172fd50ba8d4c11b74ffac8a282
Intelligence: 7 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 12dbee7aa5dbb550ceedc6172e5c34ba577759d8926aaff08a781552b7fabde9
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
328
Origin country :
GB GB
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Program.Unwanted.5065.22256.24121.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm cmd fingerprint keylogger lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/6634bfb98441a327526f5525/reports/32aa1f96-a4c5-4608-8afe-94103ab3fd9e/overview
Verdict:
Malicious
Labled as:
Trojan[Downloader]/Rugmi
Link:
https://www.hybrid-analysis.com/sample/372b14fce2eb35b264f6d4aeef7987da56d951d3a09ef866cf55ed72763caa12
Malware family:
IObit
Create hunting rule
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/b8c5c81d-1db6-4a02-8b51-5f56122d4580
Result
Threat name:
n/a
Detection:
suspicious
Classification:
evad
Score:
31 / 100
Link:
https://www.joesandbox.com/analysis/1435929
Signature
Contains functionality to infect the boot sector
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 process2 2 Behavior Graph ID: 1435929 Sample: Register.dll Startdate: 03/05/2024 Architecture: WINDOWS Score: 31 7 loaddll32.exe 1 2->7         started        10 chrome.exe 1 2->10         started        dnsIp3 43 Contains functionality to infect the boot sector 7->43 13 rundll32.exe 7->13         started        16 cmd.exe 1 7->16         started        18 rundll32.exe 7->18         started        23 12 other processes 7->23 37 192.168.2.6, 443, 49698, 49699 unknown unknown 10->37 39 192.168.2.7 unknown unknown 10->39 41 2 other IPs or domains 10->41 20 chrome.exe 10->20         started        signatures4 process5 dnsIp6 45 Contains functionality to infect the boot sector 13->45 25 WerFault.exe 16 13->25         started        27 rundll32.exe 16->27         started        29 WerFault.exe 3 16 18->29         started        35 www.google.com 142.250.80.100, 443, 49707, 49708 GOOGLEUS United States 20->35 31 WerFault.exe 23->31         started        signatures7 process8 process9 33 WerFault.exe 20 18 27->33         started       
Score:
3%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/372b14fce2eb35b264f6d4aeef7987da56d951d3a09ef866cf55ed72763caa12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/372b14fce2eb35b264f6d4aeef7987da56d951d3a09ef866cf55ed72763caa12/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=g4vrj7hc5m23ezhw2sxo66mh3jlnsuotucppqzwpkxwxe5r4vija._file
Verdict:
unknown
Similar samples:
066e912a337870ec99eff5c8eaffe49ff3ffe4d20838b892a76bc99d8496656a
276cbe0ca43aabec2125a96eb626dd419d0a4ebd275376113d84ade08bbaa3bf
9a80eb8aea03ed2b2306b53cb06542e8cae92b40008851bcc7d3eff62944c5b9
a027d527bf8e2d3682ee39f12379d113bc7d28193d36b2c448712e5c8009ff52
a93819565ddc518f1521737a16cc96d354672d6c6684750cf3d74d43632db164
e2a1ffc36a8c09c6944e33cdfecb9dced2221c2bf9b05c5a5037058f3a90839a
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/240503-mr8wdseg36/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
372b14fce2eb35b264f6d4aeef7987da56d951d3a09ef866cf55ed72763caa12
MD5 hash:
40b9628354ef4e6ef3c87934575545f4
SHA1 hash:
8fb5da182dea64c842953bf72fc573a74adaa155
Link:
https://www.unpac.me/results/819ae40e-eb18-4e3b-9541-688de261d386/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.24
Link:
https://yomi.yoroi.company/submissions/372b14fce2eb35b264f6d4aeef7987da56d951d3a09ef866cf55ed72763caa12

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Sectigo_Code_Signed
Create hunting rule
Description:Detects code signed by the Sectigo RSA Code Signing CA
Reference:https://bazaar.abuse.ch/export/csv/cscb/
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
SHELL_APIManipulates System Shellshell32.dll::ShellExecuteW
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CreateProcessW
kernel32.dll::CloseHandle
kernel32.dll::CreateThread
WIN_BASE_APIUses Win Base APIkernel32.dll::TerminateProcess
kernel32.dll::LoadLibraryExW
kernel32.dll::LoadLibraryW
kernel32.dll::GetSystemInfo
kernel32.dll::GetStartupInfoA
kernel32.dll::GetDiskFreeSpaceW
WIN_BASE_IO_APICan Create Fileskernel32.dll::CopyFileW
kernel32.dll::CreateDirectoryW
kernel32.dll::CreateFileW
kernel32.dll::DeleteFileW
kernel32.dll::MoveFileW
kernel32.dll::GetWindowsDirectoryW
WIN_BASE_USER_APIRetrieves Account Informationkernel32.dll::GetComputerNameW
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegCreateKeyExW
advapi32.dll::RegOpenKeyExW
advapi32.dll::RegQueryValueExW
WIN_USER_APIPerforms GUI Actionsuser32.dll::ActivateKeyboardLayout
user32.dll::CreateMenu
user32.dll::FindWindowExW
user32.dll::FindWindowW
user32.dll::PeekMessageA
user32.dll::PeekMessageW

Comments