MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4915139f1b3cb601ac2c3642daf6dc2c0ef560501f04fd1836f699d926d73cbd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4915139f1b3cb601ac2c3642daf6dc2c0ef560501f04fd1836f699d926d73cbd
SHA3-384 hash: 1debe6f78f49dad84c7648b17f4a0b18a2e9e980c6b5c7f3801b4b33bed20f2aac8aa5e46544024bd71c3574f2058d26
SHA1 hash: 5568c3e48c753f2545b3f3b36fec55e31161388d
MD5 hash: 6c7d35858dfcf2a345aff05b01342651
humanhash: equal-cola-double-virginia
File name:Cunola.exe
Download: download sample
File size:86'223'412 bytes
First seen:2024-02-27 22:07:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b34f154ec913d2d2c435cbd644e91687 (533 x GuLoader, 110 x RemcosRAT, 80 x EpsilonStealer)
ssdeep 1572864:A/WHHr90/uSkiYkC7cCA5LhowmX4yYQ6tWUDZRs8nGZC+L7:A/8L9EuSkivWBArmoyHcbD7WE+L7
TLSH T15E183305E0FDDE6ADE0F12F321924CD3529366084417EE8D25ED2F9F896695A088CF9F
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
dhash icon 98e5676565a5a198 (20 x EpsilonStealer, 2 x NovaSentinel, 1 x LummaStealer)
Reporter JaffaCakes118
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
465
Origin country :
GB GB
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Searching for the window
Сreating synchronization primitives
Creating a process from a recently created file
Creating a window
Creating a file
Running batch commands
Creating a process with a hidden window
Searching for synchronization primitives
Unauthorized injection to a recently created process
Launching a process
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Using the Windows Management Instrumentation requests
DNS request
Connection attempt
Sending a custom TCP request
Launching many processes
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
installer lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/65de5d47c5e1a083fbfae868/reports/7d56a781-c0b6-400b-be6d-95f5599c8aaa/overview
Verdict:
Suspicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/4915139f1b3cb601ac2c3642daf6dc2c0ef560501f04fd1836f699d926d73cbd
Result
Verdict:
MALICIOUS
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/1399929
Signature
Drops large PE files
Multi AV Scanner detection for dropped file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1399929 Sample: Cunola.exe Startdate: 27/02/2024 Architecture: WINDOWS Score: 52 55 www.google.com 2->55 57 ipinfo.io 2->57 59 chrome.cloudflare-dns.com 2->59 65 Multi AV Scanner detection for dropped file 2->65 9 Cunola.exe 179 2->9         started        signatures3 process4 file5 43 C:\Users\user\AppData\Local\...\vulkan-1.dll, PE32+ 9->43 dropped 45 C:\Users\user\AppData\...\vk_swiftshader.dll, PE32+ 9->45 dropped 47 C:\Users\user\AppData\Local\...\libGLESv2.dll, PE32+ 9->47 dropped 49 8 other files (5 malicious) 9->49 dropped 67 Drops large PE files 9->67 13 Cunola.exe 5 9->13         started        signatures6 process7 dnsIp8 61 www.google.com 172.253.115.103, 49717, 80 GOOGLEUS United States 13->61 63 ipinfo.io 34.117.186.192, 443, 49719 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 13->63 51 d7c4160d-455a-46a8...f9582c3699.tmp.node, PE32+ 13->51 dropped 53 040419ce-0444-4f54...5d009eb39f.tmp.node, PE32+ 13->53 dropped 17 cmd.exe 1 13->17         started        19 cmd.exe 1 13->19         started        21 cmd.exe 13->21         started        23 35 other processes 13->23 file9 process10 process11 25 WMIC.exe 1 17->25         started        27 conhost.exe 17->27         started        29 tasklist.exe 1 19->29         started        31 conhost.exe 19->31         started        33 tasklist.exe 1 21->33         started        35 conhost.exe 21->35         started        37 conhost.exe 23->37         started        39 conhost.exe 23->39         started        41 61 other processes 23->41
Score:
13%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/4915139f1b3cb601ac2c3642daf6dc2c0ef560501f04fd1836f699d926d73cbd
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jekrhhy3hs3adlbmgzbnv5w4fqhpkycqd4cp2gbw62m5sjwxhs6q._file
Verdict:
unknown
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/240227-118hwacf98/
Behaviour
Checks processor information in registry
Detects videocard installed
Enumerates processes with tasklist
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 4915139f1b3cb601ac2c3642daf6dc2c0ef560501f04fd1836f699d926d73cbd

(this sample)

  
Delivery method
Distributed via web download

Comments