MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 41b1d1cd846ad2d038c7ff9f062aadaa2036e3c2202b7a57dce45b2a9e2fecee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 12


Intelligence 12 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 41b1d1cd846ad2d038c7ff9f062aadaa2036e3c2202b7a57dce45b2a9e2fecee
SHA3-384 hash: d227e0351059ceb646c0b4e9f5802587ab652aeb591812a5f93692711747b5d1ef6e8accc9f62edd11babda84eabcb7c
SHA1 hash: b44643d580a9dbb10f66409f84db0fd43678f3a4
MD5 hash: edc85fcbd8f79e61687081ad99c9db93
humanhash: ack-purple-bakerloo-wyoming
File name:SecuriteInfo.com.Trojan.GenericKD.76505734.4290.21413
Download: download sample
File size:986'624 bytes
First seen:2025-05-28 01:46:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bfe6a082cd6dbf89845a1130f24825b4
ssdeep 24576:4Q72qZoU6jbnNLW7o+D0/rEaa8aksVLi8:4Q723VbntB+sEaa8cLi
TLSH T12D25F106B66500FDE16BC1B8C9424906DB727C160770DBDF1BA8AA961F376E0BE3DB11
TrID 48.7% (.EXE) Win64 Executable (generic) (10522/11/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter SecuriteInfoCom
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
453
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://google.com
Verdict:
Malicious activity
Analysis date:
2025-05-27 09:05:32 UTC
Tags:
loader
Link:
https://app.any.run/tasks/414909ee-18b1-4c77-8572-688a46bbdfa5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/5956/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.76505734.4290.21413.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
89.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6836260bacf88f5815e7b4e5
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the system32 directory
Running batch commands
Launching a process
Creating a file
Searching for the window
Creating a service
Launching a service
Loading a system driver
Enabling autorun for a service
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
fingerprint microsoft_visual_cc packed packed packer_detected
Link:
https://www.filescan.io/uploads/68366b21fd02ed5e058b62f4/reports/2c699200-312b-4759-9617-c940e61576da/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/41b1d1cd846ad2d038c7ff9f062aadaa2036e3c2202b7a57dce45b2a9e2fecee
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/0ff03ba3-0abd-45fc-92dc-f95db380974c
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/1700390
Signature
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Tries to detect virtualization through RDTSC time measurements
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1700390 Sample: SecuriteInfo.com.Trojan.Gen... Startdate: 28/05/2025 Architecture: WINDOWS Score: 76 74 Multi AV Scanner detection for dropped file 2->74 76 Multi AV Scanner detection for submitted file 2->76 78 Joe Sandbox ML detected suspicious sample 2->78 9 SecuriteInfo.com.Trojan.GenericKD.76505734.4290.21413.exe 3 2->9         started        13 svchost.exe 2->13         started        15 svchost.exe 1 1 2->15         started        18 4 other processes 2->18 process3 dnsIp4 68 C:\Windows\System32\iqvw64o.sys, PE32+ 9->68 dropped 70 C:\Windows\System32\IntelGraphicsDriver.sys, PE32+ 9->70 dropped 80 Contains functionality to detect hardware virtualization (CPUID execution measurement) 9->80 82 Sample is not signed and drops a device driver 9->82 84 Tries to detect virtualization through RDTSC time measurements 9->84 20 cmd.exe 9->20         started        22 cmd.exe 9->22         started        24 cmd.exe 9->24         started        26 30 other processes 9->26 86 Changes security center settings (notifications, updates, antivirus, firewall) 13->86 72 127.0.0.1 unknown unknown 15->72 file5 signatures6 process7 process8 28 sc.exe 1 20->28         started        42 2 other processes 20->42 30 conhost.exe 22->30         started        32 sc.exe 22->32         started        34 conhost.exe 24->34         started        36 sc.exe 24->36         started        38 conhost.exe 26->38         started        40 conhost.exe 26->40         started        44 61 other processes 26->44 process9 46 Conhost.exe 28->46         started        48 Conhost.exe 30->48         started        50 Conhost.exe 34->50         started        52 Conhost.exe 38->52         started        54 Conhost.exe 38->54         started        56 Conhost.exe 40->56         started        58 Conhost.exe 44->58         started        60 Conhost.exe 44->60         started        62 6 other processes 44->62 process10 64 Conhost.exe 48->64         started        66 Conhost.exe 50->66         started       
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/41b1d1cd846ad2d038c7ff9f062aadaa2036e3c2202b7a57dce45b2a9e2fecee
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/41b1d1cd846ad2d038c7ff9f062aadaa2036e3c2202b7a57dce45b2a9e2fecee/
Verdict:
Malicious
Link:
https://tip.neiki.dev/file/41b1d1cd846ad2d038c7ff9f062aadaa2036e3c2202b7a57dce45b2a9e2fecee
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-05-26 23:32:23 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=igy5dtmenljnaogh76pqmkvnviqdny6ceavxuv644rnsvhrp5txa._file
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/250528-b7lv1szwhy/
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/f9adf2fb-34ce-46ef-8b63-5f073bdcc97f
Unpacked files
SH256 hash:
41b1d1cd846ad2d038c7ff9f062aadaa2036e3c2202b7a57dce45b2a9e2fecee
MD5 hash:
edc85fcbd8f79e61687081ad99c9db93
SHA1 hash:
b44643d580a9dbb10f66409f84db0fd43678f3a4
Link:
https://www.unpac.me/results/d2144893-cb15-491a-8090-9e4dad227aa2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/41b1d1cd846ad2d038c7ff9f062aadaa2036e3c2202b7a57dce45b2a9e2fecee

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 41b1d1cd846ad2d038c7ff9f062aadaa2036e3c2202b7a57dce45b2a9e2fecee

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3553061/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/5956/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::FreeSid
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::CheckTokenMembership
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThreadpoolWork
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineA
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleOutputCP
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileA
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileA
KERNEL32.dll::GetSystemDirectoryA
KERNEL32.dll::GetFileAttributesA
KERNEL32.dll::GetFileAttributesW

Comments