MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3e133d377e35c3e536326356919cc8c7fcd657ef904c55812af4afec4ce2108a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 7



SHA256 hash: 3e133d377e35c3e536326356919cc8c7fcd657ef904c55812af4afec4ce2108a
SHA3-384 hash: c6757c9a45526c408f55b50c988621fc272e1dc74c8384628a60e33cb348e2b2938045ac2441f70fd7cd514d6f0718b2
SHA1 hash: c53a949c2ca23ae30f7cb7d8cab9b18891a8f917
MD5 hash: 16728116244bab4558d49b9c50b03ecc
humanhash: florida-diet-nevada-oven
File name: SecuriteInfo.com.PUA.Ccproxy.10535.31162
File size: 5'357'472 bytes
First seen: 2024-01-27 23:24:23 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'460 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep: 98304:yPcyXO0i3rZqHdFE938IYVJuWV5k0A6moeKwHDs6BAF8FzTM8eWkFdQXiqDO:VyXOp3rcHdCB8Nu0NmhKwIkAF8FcHdFR
Threatray: 28 similar samples on MalwareBazaar
TLSH: T10B4633A28B5858AFE2F242F01E8A574D8FE3BE3510BFA444710C9DBD2F63240D55E697
TrID:
  69.7% (.EXE) Inno Setup installer (107240/4/30)
  9.2% (.EXE) Win32 Executable Delphi generic (14182/79/4)
  8.5% (.SCR) Windows screen saver (13097/50/3)
  4.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  2.9% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter: SecuriteInfoCom
Tags: exe signed

Code Signing Certificate

Organisation: Youngzsoft Co., Ltd.
Issuer: VeriSign Class 3 Code Signing 2010 CA
Algorithm: sha1WithRSAEncryption
Valid from: 2018-05-22T00:00:00Z
Valid to: 2019-06-21T23:59:59Z
Serial number: 59c06be15bf27d2b5ef806bdf01338e3
Thumbprint Algorithm: SHA256
Thumbprint: 9e0421cffcf78a0237f20cb91f4c9e1634fed2b536e726a07a6d23cac7fa8aad
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 1
# of downloads: 310
Origin country: FR

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: ccproxysetup.exe
Verdict: Malicious activity
Analysis date: 2022-05-30 16:25:39 UTC
Tags: installer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Clean
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating synchronization primitives
Searching for synchronization primitives

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: fingerprint installer lolbin overlay packed shell32
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: HTMLPhisher
Detection: suspicious
Classification: phis.evad
Score: 26 / 100
Signature
Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION
Yara detected HtmlPhish10
Behaviour
Behavior Graph (ID: 381812)
Sample: ccproxysetup.exe
Start date: 05/04/2021
Architecture: WINDOWS
Score: 26
Signature: Yara detected HtmlPhish10

Process tree (reconstructed from the graph):
- ccproxysetup.exe (three runs observed)
  - dropped: C:\Users\user\AppData\...\ccproxysetup.tmp, PE32
  - started: ccproxysetup.tmp
    - dropped: C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32
    - dropped: C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+
    - signature (second run): Tries to shutdown other security tools via broadcasted WM_QUERYENDSESSION
    - dropped (third run): C:\CCProxy\is-LDOIN.tmp, PE32
    - dropped (third run): 3 other files (none is malicious)
    - started (third run): CCProxy.exe
      - network: new-fp-shed.wg1.b.yahoo.com 87.248.100.216, 49733, 80 YAHOO-IRDGB United Kingdom
      - network: 127.0.0.1 unknown unknown
      - network: 2 other IPs or domains
      - started: CCProxy.exe
        - network: update.youngzsoft.com 96.126.108.173, 49734, 80 LINODE-APLinodeLLCUS United States
Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Executes dropped EXE
Loads dropped DLL
Unpacked files
SHA256 hash: 44b8e6a310564338968158a1ed88c8535dece20acb06c5e22d87953c261dfed0
MD5 hash: 9c8886759e736d3f27674e0fff63d40a
SHA1 hash: ceff6a7b106c3262d9e8496d2ab319821b100541

SHA256 hash: b20a8d88c550981137ed831f2015f5f11517aeb649c29642d9d61dea5ebc37d1
MD5 hash: 526426126ae5d326d0a24706c77d8c5c
SHA1 hash: 68baec323767c122f74a269d3aa6d49eb26903db

SHA256 hash: 8d980b2d57f4d87a7bfa420d335aaa311a87a242c248a450140f1a1541cdaf8d
MD5 hash: 107f81ecd2535861ed5c1e2972c3d05f
SHA1 hash: da9a23f7bfacd3f7945cf519072b0b4c0805536a

SHA256 hash: 11ff2442bf2dc1fb08c5ae850750671d523af27faa0dd05869e7ce9f8f07b147
MD5 hash: aec96e06a59237f61b77f70f77a6c941
SHA1 hash: cf9f434096ba4f5dc207c7e4b117c13b5a90e7c4

SHA256 hash: 3e133d377e35c3e536326356919cc8c7fcd657ef904c55812af4afec4ce2108a
MD5 hash: 16728116244bab4558d49b9c50b03ecc
SHA1 hash: c53a949c2ca23ae30f7cb7d8cab9b18891a8f917
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments