MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3c80fd894036f549fb831d271595df775ebaba7d98fdeea579bfae3c9d42ec53. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3c80fd894036f549fb831d271595df775ebaba7d98fdeea579bfae3c9d42ec53
SHA3-384 hash: e1de3689462a43040fe8a8da1c0256f7e09e9a9eec542fb4c53d37df36342650f526e0dd81d93dbf72e64a6c0491c5a1
SHA1 hash: 88ab168cbfc19785caab11109b4682d3cfcfafae
MD5 hash: cd31545772cdb4e84902f25d3363c58d
humanhash: alanine-jig-august-don
File name:PL2303_Prolific_DriverInstaller_v110.exe
Download: download sample
File size:3'176'304 bytes
First seen:2024-07-05 07:13:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 8f244019e52c417786599750d44c515a
ssdeep 49152:S5XjOui0/5LKqLhtbx/p/noQUhtm683Df7klWYBiCKhSOoSvbJp5+5q:ShjOp0hKqLhbpPoThM68377vBKepA4
TLSH T156E5E002BBEA816EF2B74A70E97B07B15BB5BC969E31811F7390B91C1C306A1D531B17
TrID 40.6% (.AX) DirectShow filter (201555/2/20)
11.9% (.EXE) Win32 EXE PECompact compressed (v2.x) (59069/9/14)
11.6% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
8.6% (.EXE) InstallShield setup (43053/19/16)
8.3% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
File icon (PE):PE icon
dhash icon 272737222a110313
Reporter Poas
Tags:exe signed

Code Signing Certificate

Organisation:Prolific Technology Inc.
Issuer:VeriSign Class 3 Code Signing 2004 CA
Algorithm:sha1WithRSAEncryption
Valid from:2009-04-29T00:00:00Z
Valid to:2010-05-07T23:59:59Z
Serial number: 06899f9218ffe732899bef8b6b686465
Thumbprint Algorithm:SHA256
Thumbprint: f9cbd2c71a4657f390a12af3257d1268ecdb4e74b6a10d8c0dd834e6d4e00d2f
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
339
Origin country :
TR TR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
3c80fd894036f549fb831d271595df775ebaba7d98fdeea579bfae3c9d42ec53.exe
Verdict:
No threats detected
Analysis date:
2024-07-05 07:34:45 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0d45955a-58d2-4dbb-971e-7d81531d5a6d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.W32.HfsAutoB..11025.8987.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.AgentvS00Q.wdTF4.1736.21478.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.W32.PossibleThreat.26556.20771.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
90.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66879eb40fd7ad77c7342a38win10vpnfull_triage
Tags:
Encryption Generic Static Stealth Malware
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Creating a file
Moving a file to the %temp% subdirectory
Creating a process from a recently created file
Searching for the window
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
epmicrosoft_visual_cc explorer fingerprint installer lolbin microsoft_visual_cc overlay packed packed shell32
Link:
https://www.filescan.io/uploads/66879d3f6b8dba248b499e50/reports/7accaf57-8651-443a-878f-272c4ffa7ae2/overview
Verdict:
Suspicious
Link:
https://www.hybrid-analysis.com/sample/3c80fd894036f549fb831d271595df775ebaba7d98fdeea579bfae3c9d42ec53
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
TiVo Corporation
Create hunting rule
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/69cdb449-366c-4c82-af6b-90e5c1765fba
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/1468027
Signature
AI detected suspicious sample
Installs new ROOT certificates
PE file has a writeable .text section
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1468027 Sample: PL2303_Prolific_DriverInsta... Startdate: 05/07/2024 Architecture: WINDOWS Score: 52 31 18.31.95.13.in-addr.arpa 2->31 33 PE file has a writeable .text section 2->33 35 AI detected suspicious sample 2->35 7 PL2303_Prolific_DriverInstaller_v110.exe 30 87 2->7         started        10 drvinst.exe 12 2->10         started        13 SrTasks.exe 1 2->13         started        signatures3 process4 file5 19 C:\Windows\Temp\Uninstall.exe (copy), PE32 7->19 dropped 21 C:\Windows\Temp\Unin8988.rra, PE32 7->21 dropped 23 C:\Windows\Temp\QRemover.exe (copy), PE32 7->23 dropped 29 34 other files (none is malicious) 7->29 dropped 15 ISBEW64.exe 7->15         started        25 C:\Windows\System32\...\ser2pl64.sys (copy), PE32+ 10->25 dropped 27 C:\Windows\System32\...\SET8EB9.tmp, PE32+ 10->27 dropped 37 Installs new ROOT certificates 10->37 17 conhost.exe 13->17         started        signatures6 process7
Score:
7%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/3c80fd894036f549fb831d271595df775ebaba7d98fdeea579bfae3c9d42ec53
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3c80fd894036f549fb831d271595df775ebaba7d98fdeea579bfae3c9d42ec53/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hsap3ckag32ut64ddutrlfo7o5plvot5td665jlzx6xdzhkc5rjq._file
Verdict:
unknown
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/240705-h2m98axape/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Executes dropped EXE
Loads dropped DLL
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/b7a60b24-4d08-4416-ac5e-7711f0c1af7c
Unpacked files
SH256 hash:
c68a9cb027392ebb6983ea851eddc964bfff1f4e9565c29c8fb125de3a63d9f5
MD5 hash:
094fa9383a1d9b8fd35169b2655bbb69
SHA1 hash:
06c438735ead02726527faf909a0b0386b5aa6c7
Link:
https://www.unpac.me/results/21f6335d-e140-4a23-87c0-aa4185fff7dc/
SH256 hash:
13223e7fbeb3dac968de77e6be974a36f86dc07884cc0e80eabf8b817ccb4a04
MD5 hash:
6c48e05107eb494620ab0dc96d3c5b80
SHA1 hash:
e6ced277de082bd8e2ccbfad7a1d5cd1e9db85ab
Link:
https://www.unpac.me/results/21f6335d-e140-4a23-87c0-aa4185fff7dc/
SH256 hash:
3c80fd894036f549fb831d271595df775ebaba7d98fdeea579bfae3c9d42ec53
MD5 hash:
cd31545772cdb4e84902f25d3363c58d
SHA1 hash:
88ab168cbfc19785caab11109b4682d3cfcfafae
Link:
https://www.unpac.me/results/21f6335d-e140-4a23-87c0-aa4185fff7dc/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3c80fd894036f549fb831d271595df775ebaba7d98fdeea579bfae3c9d42ec53

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
CHECK_TRUST_INFORequires Elevated Execution (level:highestAvailable)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::EqualSid
ADVAPI32.dll::FreeSid
RPC_APICan Execute Remote ProceduresRPCRT4.dll::RpcStringFreeA
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::GetTokenInformation
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExA
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA
KERNEL32.dll::OpenProcess
ADVAPI32.dll::OpenProcessToken
ADVAPI32.dll::OpenThreadToken
KERNEL32.dll::WriteProcessMemory
KERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExA
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetDriveTypeA
KERNEL32.dll::GetSystemInfo
KERNEL32.dll::GetStartupInfoA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::SetStdHandle
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryA
KERNEL32.dll::CreateFileMappingA
KERNEL32.dll::CreateFileA
KERNEL32.dll::DeleteFileA
KERNEL32.dll::MoveFileExA
KERNEL32.dll::GetWindowsDirectoryA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegDeleteKeyA
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegOpenKeyA
ADVAPI32.dll::RegQueryValueA
ADVAPI32.dll::RegQueryValueExA
WIN_USER_APIPerforms GUI ActionsUSER32.dll::PeekMessageA
USER32.dll::CreateWindowExA

Comments