MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4289b29d107b1ab367ab5ce45e9c457c5f33c9b2fba3f25305bc654855f4fca8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 13



SHA256 hash: 4289b29d107b1ab367ab5ce45e9c457c5f33c9b2fba3f25305bc654855f4fca8
SHA3-384 hash: 6d3a71b34ffee2ef6223e49619d2af592b801c21ccd5dc2ed1498a84c28df7deb90262059029be658ca3b0e944296c31
SHA1 hash: 8cd14bcbc349f5d2aa92834800939f0df09687af
MD5 hash: 41da209c453b8562a89db09f041b4ad9
humanhash: chicken-mobile-video-idaho
File name: chromsetup.exe
File size: 4'105'640 bytes
First seen: 2025-01-15 21:07:40 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 08c13b38fc3caa49bf2d33f4d7664f01
ssdeep: 98304:I8UH54VJXf5EyRWy+KdCCY9c6SpFbLCBoL/HlRb4:Izujhhr1dCf9cjmoL/Hnb4
TLSH: T18A162324B5EF6919F078F6B91FDAD6BFE71CF4E9614B4A3B2280424B8B51B413E42431
TrID: 40.3% (.EXE) Win64 Executable (generic) (10522/11/4)
      19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
      17.2% (.EXE) Win32 Executable (generic) (4504/4/1)
      7.7% (.EXE) OS/2 Executable (generic) (2029/13)
      7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika: pebin
dhash icon: 696a6ee2b2b2c2cc (18 x RedLineStealer, 17 x LummaStealer, 17 x ValleyRAT)
Reporter: juroots
Tags: exe signed

Code Signing Certificate

Organisation: 固镇县极速网络科技有限公司
Issuer: Sectigo Public Code Signing CA EV R36
Algorithm: sha256WithRSAEncryption
Valid from: 2023-07-24T00:00:00Z
Valid to: 2024-07-23T23:59:59Z
Serial number: ff1336372d9037964b17c5b7f43d842b
Thumbprint Algorithm: SHA256
Thumbprint: 8aa9d80c0316627b358d8328ca56b647c4a5dbb22419d9b61b50b54effb2acf9
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 1
# of downloads: 95
Origin country: CH
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: xz6.w3766.com/down/105/chromsetup.exe
Verdict: Malicious activity
Analysis date: 2025-01-15 20:50:56 UTC
Tags: loader stealer aspack

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating synchronization primitives
Creating a window
Creating a file in the %temp% subdirectories
DNS request
Connection attempt
Sending an HTTP GET request
Changing a file
Creating a file
Running batch commands
Creating a process with a hidden window
Launching the process to change network settings
Sending a custom TCP request
Launching the process to change the firewall settings
Creating a process from a recently created file
Searching for synchronization primitives
Sending a UDP request
Sending an HTTP POST request
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: aspack microsoft_visual_cc packed packer_detected
Result
Verdict: SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious
Result
Threat name: n/a
Detection: malicious
Classification: spyw.evad
Score: 57 / 100
Signature
AI detected suspicious sample
Detected unpacking (changes PE section rights)
Modifies the windows firewall
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Tries to harvest and steal browser information (history, passwords, etc)
Uses netsh to modify the Windows network and firewall settings
Behaviour
Behavior Graph: [rendered as an image on the original page; Behavior Graph ID: 1592190, Sample: chromsetup.exe, Startdate: 15/01/2025, Architecture: WINDOWS, Score: 57]. Process tree recoverable from the graph: chromsetup.exe starts cmd.exe (which starts conhost.exe and netsh.exe), ???????????2025-01-15.exe (which drops and starts setup.exe, which in turn starts chrome.exe and a second setup.exe), MiniThunderPlatform.exe and 6 other processes. The graph also records dropped files (Secure Preferences and Preferences JSON files, xldl.dll, a .exe.td copy) and network contacts to IPs attributed to networks in China and the United States.
Result
Malware family: n/a
Score: 7/10
Tags: aspackv2 discovery
Behaviour
Suspicious use of SetWindowsHookEx
System Location Discovery: System Language Discovery
Loads dropped DLL
Verdict: Malicious
Tags: trojan upatre Win.Worm.Chir-2282
YARA: WIN32_MAL_TROJ_UPATRE_SMBG
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: ASPackv212AlexeySolodovnikov
Author: malware-lu
Rule name: ASProtectV2XDLLAlexeySolodovnikov
Author: malware-lu
Rule name: BLOWFISH_Constants
Author: phoul (@phoul)
Description: Look for Blowfish constants
Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset
Rule name: INDICATOR_EXE_Packed_ASPack
Author: ditekSHen
Description: Detects executables packed with ASPack
Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants
Rule name: pe_detect_tls_callbacks
Rule name: PE_Digital_Certificate
Author: albertzsigovits
Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits
Rule name: RANSOMWARE
Author: ToroGuitar
Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants
Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants
Rule name: SHA512_Constants
Author: phoul (@phoul)
Description: Look for SHA384/SHA512 constants
Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)
Rule name: WHIRLPOOL_Constants
Author: phoul (@phoul)
Description: Look for WhirlPool constants
Rule name: WIN32_MAL_TROJ_UPATRE_SMBG
Author: Auto-generated rule
Description: Detects UPATRE Trojan variant.
Reference: Not provided

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high
CHECK_TRUST_INFO | Requires Elevated Execution (level:requireAdministrator) | high
Reviews
ID | Capabilities | Evidence
MULTIMEDIA_API | Can Play Multimedia | winmm.dll::PlaySoundW
WIN_BASE_API | Uses Win Base API | kernel32.dll::LoadLibraryA
WIN_BASE_IO_API | Can Create Files | version.dll::GetFileVersionInfoW
WIN_CRYPT_API | Uses Windows Crypt API | crypt32.dll::CertOpenStore
WIN_REG_API | Can Manipulate Windows Registry | advapi32.dll::RegOpenKeyExW

Comments