MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 486398f4ad2893c6fa6f17c00c35c7240ead7812c6ca2d282de6f5738f686055. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 486398f4ad2893c6fa6f17c00c35c7240ead7812c6ca2d282de6f5738f686055
SHA3-384 hash: 2c4c8bc876ddf71c6b98d5adfad2531115490647538318c693388d6495cf19c9214025310abf1afdb13b92330bf780ca
SHA1 hash: ba808f7e645ad3f8e9be248a6377a341d3acb279
MD5 hash: c94b912d6522020372342c328fab4bc9
humanhash: nebraska-neptune-saturn-november
File name:c94b912d6522020372342c328fab4bc9
Download: download sample
File size:7'839'744 bytes
First seen:2024-08-05 16:35:45 UTC
Last seen:2024-08-05 18:28:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ff774b7f77cb7f48854b8436dceff24b
ssdeep 196608:u2GfcMp7LWAWBnQ4SgbnHtYc0GdjuB7DMWcMq:alWAWBfSOHz0G4uWL
TLSH T1658633A303BA0045F4E98C3DC53BBDE471F683AECA42F8BD45AAFCC525655A4F642943
TrID 54.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
8.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.8% (.EXE) Win32 Executable (generic) (4504/4/1)
3.6% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 58cccce0e8f0d468 (1 x Chaos)
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
345
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c94b912d6522020372342c328fab4bc9
Verdict:
Malicious activity
Analysis date:
2024-08-05 16:37:37 UTC
Tags:
vmprotect ip-check
Link:
https://app.any.run/tasks/1b33ef39-16ee-4583-b677-8fdfe530eee2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66b0ff7b037b02d0daedc353
Tags:
Static
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
DNS request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
lolbin packed packed packed shell32 vmprotect
Link:
https://www.filescan.io/uploads/66b0ff7584afcda962653240/reports/3bdea1cf-cd29-4cd8-82e7-415125e93538/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/486398f4ad2893c6fa6f17c00c35c7240ead7812c6ca2d282de6f5738f686055
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/c2b2b856-1bf3-43df-9c0c-acd63af11697
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1488206
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Detected VMProtect packer
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Behaviour
Behavior Graph:
Download SVG
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/486398f4ad2893c6fa6f17c00c35c7240ead7812c6ca2d282de6f5738f686055
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/486398f4ad2893c6fa6f17c00c35c7240ead7812c6ca2d282de6f5738f686055/
Threat name:
Win32.Trojan.Malgent
Create hunting rule
Status:
Malicious
First seen:
2024-08-05 15:38:22 UTC
File Type:
PE (Exe)
Extracted files:
20
AV detection:
12 of 24 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jbrzr5fnfcj4n6tpc7aaynoheqhk26asy3fc2kbn432xhd3imbkq._file
Verdict:
unknown
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery vmprotect
Link:
https://tria.ge/reports/240805-t38hbssalp/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
System Location Discovery: System Language Discovery
Loads dropped DLL
VMProtect packed file
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/03e51b16-dde7-4a5b-bcf8-a4042c730d62
Unpacked files
SH256 hash:
486398f4ad2893c6fa6f17c00c35c7240ead7812c6ca2d282de6f5738f686055
MD5 hash:
c94b912d6522020372342c328fab4bc9
SHA1 hash:
ba808f7e645ad3f8e9be248a6377a341d3acb279
Link:
https://www.unpac.me/results/55d4f4f3-067e-4588-8862-3928112ba26f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/486398f4ad2893c6fa6f17c00c35c7240ead7812c6ca2d282de6f5738f686055

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with VMProtect.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 486398f4ad2893c6fa6f17c00c35c7240ead7812c6ca2d282de6f5738f686055

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3090719/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
CHECK_TRUST_INFORequires Elevated Execution (level:requireAdministrator)high
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoFreeUnusedLibraries
MULTIMEDIA_APICan Play MultimediaWINMM.dll::mciSendStringW
SHELL_APIManipulates System ShellSHELL32.dll::SHFileOperationW
URL_MONIKERS_APICan Download & Execute componentsurlmon.dll::UrlMkSetSessionOption
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryA

Comments


Avatar
zbet commented on 2024-08-05 16:35:46 UTC

url : hxxp://107.150.51.202/1.exe