MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 49cd63e293adf099e468e6612b0d7cff4c4d5b3cf23cb67a7ed701e19381c2db. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 11



SHA256 hash: 49cd63e293adf099e468e6612b0d7cff4c4d5b3cf23cb67a7ed701e19381c2db
SHA3-384 hash: fa8dc907ac01ac22b7c59535018bb2d1cbb309e7ee518bf0ac58b96cb95700f4a11aca422f1b43d0b4bb4ec00d1f75ac
SHA1 hash: 63f088c9339787ba92cf3527b592447ddd2e5806
MD5 hash: 53091df7c4510366396b3e916ca52609
humanhash: gee-pennsylvania-indigo-fanta
File name:SecuriteInfo.com.Adware.PowerOffer.A.29205.8025
File size:1'549'119 bytes
First seen:2023-06-15 16:27:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'463 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep 24576:5naPgVOVmMtom6KZSVvxr/c7T0pKCsHjsBuzV/qN6ZMTUMUGvKrTD3rOMeFoHGQl:5azm0Gvxr0nCsHjsBkVyTOGvWrh
TLSH T1E7653324C762C175E7564CB0AA23C5589E6778B9CF395AA372AD0CDD1B720C5BE0B332
TrID 76.6% (.EXE) Inno Setup installer (109740/4/30)
9.9% (.EXE) Win32 Executable Delphi generic (14182/79/4)
4.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.1% (.EXE) Win32 Executable (generic) (4505/5/1)
1.4% (.EXE) Win16/32 Executable Delphi generic (2072/23)
dhash icon b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter SecuriteInfoCom
Tags:exe

Intelligence


File Origin
# of uploads :
1
# of downloads :
255
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Adware.PowerOffer.A.29205.8025
Verdict:
Suspicious activity
Analysis date:
2023-06-15 16:40:46 UTC
Tags:
installer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating synchronization primitives
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Searching for the window
Searching for synchronization primitives
Launching a tool to kill processes
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware installer lolbin overlay packed shell32.dll unknown virus
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.spyw.evad
Score:
40 / 100
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Behavior Graph ID: 888490
Sample: SecuriteInfo.com.Adware.Pow...
Start date: 15/06/2023
Architecture: WINDOWS
Score: 40
Top-level signatures: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 3 other signatures
Process tree (node numbers as in the graph):
  2 (sample start)
    8 SecuriteInfo.com.Adware.PowerOffer.A.29205.8025.exe (started)
      dropped: SecuriteInfo.com.A...er.A.29205.8025.tmp, PE32
      16 SecuriteInfo.com.Adware.PowerOffer.A.29205.8025.tmp (started)
        dropped: C:\Users\user\AppData\...\unins000.exe (copy), PE32
        dropped: C:\Users\user\AppData\Local\is-JLDFD.tmp, PE32
        dropped: C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+
        dropped: 30 other files (20 malicious)
        23 InstallHelper.exe (started)
          network: application.poweroffer.net
          dropped: C:\Users\user\AppData\...\Web Data-journal, data
          signature: Tries to harvest and steal browser information (history, passwords, etc)
        28 InstallHelper.exe (started)
          dropped: C:\Users\user\AppData\Local\...\Preferences, JSON
        30 InstallHelper.exe (started)
          network: application.poweroffer.net
        32 17 other processes
          network: cm.mibatech.com
          34, 36, 38 conhost.exe (started); 3 other processes
    11 PLauncher.exe (started)
      network: www.poweroffer.net 85.94.194.169, 49720, 49721, 49723 (SEEWEB Webhosting colocation and cloud services, IT, Italy)
      network: application.poweroffer.net
      19 PService.exe (started)
        network: www.poweroffer.net, application.poweroffer.net
        signature: Tries to harvest and steal browser information (history, passwords, etc)
    14 Pos.exe (started)
      network: application.poweroffer.net
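The behaviour graph above is where this entry's network and file indicators live. The Python below is an added example, not MalwareBazaar's or any sandbox vendor's code: it pulls hostnames, public IPv4 addresses and process names out of a verbatim excerpt of the flattened graph text, then checks them against a few constructed key=value DNS/connection log lines. A query counts as a hit only when it equals a listed host or is a child of it, so a lookalike such as poweroffer.net.example.org is not matched. The log format, the workstation names and the BENIGN_PROCESSES list are assumptions made for the example. The 49xxx numbers after the IP are deliberately not extracted: 49152 and above is the Windows ephemeral range, so they are the sandbox client's source ports, not a listener worth blocking.

```python
import ipaddress
import re

# Verbatim fragments of the flattened behaviour-graph text from the entry above.
GRAPH_TEXT = r"""
8 SecuriteInfo.com.Adware.PowerOffer.A.29205.8025.exe 2 2->8 started 11 PLauncher.exe 2->11 started 14 Pos.exe 2->14 started
50 SecuriteInfo.com.A...er.A.29205.8025.tmp, PE32 8->50 dropped
66 www.poweroffer.net 85.94.194.169, 49720, 49721, 49723 SEEWEBWebhostingcolocationandcloudservicesIT Italy 11->66
68 application.poweroffer.net 11->68 19 PService.exe 11->19 started 70 application.poweroffer.net 14->70
42 C:\Users\user\AppData\...\unins000.exe (copy), PE32 16->42 dropped 44 C:\Users\user\AppData\Local\is-JLDFD.tmp, PE32 16->44 dropped
46 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 16->46 dropped 48 30 other files (20 malicious) 16->48 dropped
23 InstallHelper.exe 16->23 started 52 C:\Users\user\AppData\...\Web Data-journal, data 23->52 dropped
62 application.poweroffer.net 30->62 64 cm.mibatech.com 32->64 34 conhost.exe 32->34 started
"""

# Hostnames in the graph are all-lowercase; dotted file names are filtered out by extension below.
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b")
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
PROC_RE = re.compile(r"\b([A-Za-z0-9_.-]+\.(?:exe|tmp))\b")
KV_RE = re.compile(r"(\w+)=(\S+)")

FILE_EXTENSIONS = {"exe", "tmp", "dll", "dat", "json"}
# Windows system binaries that show up in every sandbox run and are not indicators (assumed list).
BENIGN_PROCESSES = {"conhost.exe"}


def extract_iocs(text: str) -> dict:
    """Collect hostnames, routable IPv4 addresses and process names from graph text."""
    domains = {d for d in DOMAIN_RE.findall(text) if d.rsplit(".", 1)[1] not in FILE_EXTENSIONS}
    ips = set()
    for candidate in IPV4_RE.findall(text):
        try:
            addr = ipaddress.ip_address(candidate)
        except ValueError:
            continue
        if addr.is_global:  # drop RFC 1918 / loopback noise that belongs to the sandbox itself
            ips.add(candidate)
    processes = {p for p in PROC_RE.findall(text) if p.lower() not in BENIGN_PROCESSES}
    return {"domains": domains, "ips": ips, "processes": processes}


# Constructed DNS/connection log lines (not from the page), simple key=value format.
LOG_LINES = [
    "2023-06-15T16:41:02Z host=WS-0142 dns_query=application.poweroffer.net",
    "2023-06-15T16:41:05Z host=WS-0142 dst_ip=85.94.194.169 dst_port=443",
    "2023-06-15T16:41:09Z host=WS-0203 dns_query=login.microsoftonline.com",
    "2023-06-15T16:42:11Z host=WS-0142 dns_query=CM.MIBATECH.COM.",
    "2023-06-15T16:43:00Z host=WS-0377 dns_query=poweroffer.net.example.org",
]


def match_logs(lines, iocs) -> list:
    """Return (line_index, indicator) for each line that resolves a listed host or connects to a listed IP."""
    hits = []
    for i, line in enumerate(lines):
        fields = dict(KV_RE.findall(line))
        query = fields.get("dns_query", "").lower().rstrip(".")  # normalise case and trailing dot
        for domain in iocs["domains"]:
            if query == domain or query.endswith("." + domain):  # exact host or a child label of it
                hits.append((i, domain))
                break
        if fields.get("dst_ip") in iocs["ips"]:
            hits.append((i, fields["dst_ip"]))
    return hits


if __name__ == "__main__":
    found = extract_iocs(GRAPH_TEXT)
    for kind in ("domains", "ips", "processes"):
        print(kind, sorted(found[kind]))
    for index, indicator in match_logs(LOG_LINES, found):
        print("HIT", indicator, "<-", LOG_LINES[index])
```

Run stand-alone it prints the three hostnames, the single IP, the process names and three hits (lines 0, 1 and 3); the lookalike on the last log line and the Microsoft lookup are left alone. For production use the host list would come from a feed rather than scraped graph text, but the suffix-match rule and the ephemeral-port caveat carry over unchanged.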
Threat name:
Win32.Adware.PowerOffer
Status:
Malicious
First seen:
2013-01-11 15:09:00 UTC
File Type:
PE (Exe)
Extracted files:
122
AV detection:
13 of 37 (35.14%)
Threat level:
  1/5
Verdict:
malicious
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Behaviour
Kills process with taskkill
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Executes dropped EXE
Loads dropped DLL
Unpacked files (the last row is the submitted sample itself)
SHA256 hash                                                       MD5 hash                          SHA1 hash
6302b0a1597a8f4332e29d95e481528c6f0a3dfc689b0ec6eb113fe19d8671e9  38f999e202067bd144253d4dbf626e41  f4ba1c86bf7086e6de0d92df88a9f940878f69f8
933e8e4bc2252014b113ac8e68116185f4c248648023c531a2d968574334ac5a  844857e66d691f8e5247cc30820149c2  eeeebb1e91377ce502c980c5e39be4a293b5f9b4
8ed5a7fa7d48f8632577d6020e7d9130835a7a3171ccca1ac57066f8fff530fe  7fb36f32521e22138a67be9a90d72887  eb5f04ef3846ded0f8102fbf04ea2fcfaf47cbb6
3b69e2dd23a7a9e71176a56c27df5bfd924479e34d1593673905c9ed47d9c6a1  43b6e27d0a6a69dc7282982f9493f0e0  e941b2b57c078e8810f5da282b124cbcbec48746
04128794c3f33e7b1cfcc4ce2e74327ddb4cc60a8cc1a4db51199161de925e0c  eaebe4d11eb9f90488a7c9de7840a958  e0fabc6dfda90a0766add6282b474bc02fca9c10
63dbe8d71fd5ce002406a1896d2116f88d3dfa378e022c28fc8fef406ab832d7  09ddd9f3ca7719661c7d721731f39884  a618284107ee359d595704c13f251c475f3fa682
dfabfd3d7d729ccfb1f8cde87c8896687ac684193daafe2777ed87d9db94fc1d  3cbffd9e14200a4881282f2a384ff986  6e985c4645d4f89fcbb06fe2ef039bf72c38bf81
78ff237df2d1f31496ccd6d388f0cbe8a72feced944b2dfdcc7760709af8972f  9b86362ac420584df8b669ced48cd525  12c680c0552ddce9ea1ab31d5606f4fc5fbb1467
824b4c86eb5ec13d71fc275b3ecb44a983191235ba35c8fef118de7ab406097b  18451ab2056d6afbc44639b7a3582d94  07dd17faa2a0aa8a3061d2489a19932256da5e6e
bdbb1d0f510eb3c770b598e5444d0e1182117d6a4a9f6d592c3bcb8053831322  37f5eba3852f31a20cdc949f9083c239  4f29824daa82c02ac40dfa5b95d4db6a6f264774
49cd63e293adf099e468e6612b0d7cff4c4d5b3cf23cb67a7ed701e19381c2db  53091df7c4510366396b3e916ca52609  63f088c9339787ba92cf3527b592447ddd2e5806
Please note that we are no longer able to provide a coverage score for Virus Total.
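Before detonating anything pulled from this entry, confirm the bytes you received are the sample the entry describes, and keep the unpacked-file hashes as a lookup for artifacts carved from a host. The Python below is an added example, not MalwareBazaar's tooling: it embeds the size and hashes listed on this page (sample and unpacked files) and uses only the standard library. Match on SHA256; the MD5 and SHA1 columns are kept only because many older feeds and log sources carry nothing else, and neither algorithm is collision-resistant, so an MD5-only match is a lead, not proof.

```python
import hashlib

# Values copied from the MalwareBazaar entry above (size in bytes).
ENTRY = {
    "size": 1549119,
    "sha256": "49cd63e293adf099e468e6612b0d7cff4c4d5b3cf23cb67a7ed701e19381c2db",
    "sha3_384": "fa8dc907ac01ac22b7c59535018bb2d1cbb309e7ee518bf0ac58b96cb95700f4a11aca422f1b43d0b4bb4ec00d1f75ac",
    "sha1": "63f088c9339787ba92cf3527b592447ddd2e5806",
    "md5": "53091df7c4510366396b3e916ca52609",
}

# (sha256, md5, sha1) of the unpacked files listed in the entry; the last row is the sample itself.
UNPACKED = [
    ("6302b0a1597a8f4332e29d95e481528c6f0a3dfc689b0ec6eb113fe19d8671e9", "38f999e202067bd144253d4dbf626e41", "f4ba1c86bf7086e6de0d92df88a9f940878f69f8"),
    ("933e8e4bc2252014b113ac8e68116185f4c248648023c531a2d968574334ac5a", "844857e66d691f8e5247cc30820149c2", "eeeebb1e91377ce502c980c5e39be4a293b5f9b4"),
    ("8ed5a7fa7d48f8632577d6020e7d9130835a7a3171ccca1ac57066f8fff530fe", "7fb36f32521e22138a67be9a90d72887", "eb5f04ef3846ded0f8102fbf04ea2fcfaf47cbb6"),
    ("3b69e2dd23a7a9e71176a56c27df5bfd924479e34d1593673905c9ed47d9c6a1", "43b6e27d0a6a69dc7282982f9493f0e0", "e941b2b57c078e8810f5da282b124cbcbec48746"),
    ("04128794c3f33e7b1cfcc4ce2e74327ddb4cc60a8cc1a4db51199161de925e0c", "eaebe4d11eb9f90488a7c9de7840a958", "e0fabc6dfda90a0766add6282b474bc02fca9c10"),
    ("63dbe8d71fd5ce002406a1896d2116f88d3dfa378e022c28fc8fef406ab832d7", "09ddd9f3ca7719661c7d721731f39884", "a618284107ee359d595704c13f251c475f3fa682"),
    ("dfabfd3d7d729ccfb1f8cde87c8896687ac684193daafe2777ed87d9db94fc1d", "3cbffd9e14200a4881282f2a384ff986", "6e985c4645d4f89fcbb06fe2ef039bf72c38bf81"),
    ("78ff237df2d1f31496ccd6d388f0cbe8a72feced944b2dfdcc7760709af8972f", "9b86362ac420584df8b669ced48cd525", "12c680c0552ddce9ea1ab31d5606f4fc5fbb1467"),
    ("824b4c86eb5ec13d71fc275b3ecb44a983191235ba35c8fef118de7ab406097b", "18451ab2056d6afbc44639b7a3582d94", "07dd17faa2a0aa8a3061d2489a19932256da5e6e"),
    ("bdbb1d0f510eb3c770b598e5444d0e1182117d6a4a9f6d592c3bcb8053831322", "37f5eba3852f31a20cdc949f9083c239", "4f29824daa82c02ac40dfa5b95d4db6a6f264774"),
    ("49cd63e293adf099e468e6612b0d7cff4c4d5b3cf23cb67a7ed701e19381c2db", "53091df7c4510366396b3e916ca52609", "63f088c9339787ba92cf3527b592447ddd2e5806"),
]


def digests(data: bytes) -> dict:
    """Every digest the entry publishes, keyed like ENTRY, plus the byte length."""
    return {
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
    }


def verify_sample(data: bytes, expected: dict = ENTRY) -> list:
    """Return the names of the fields that disagree with the entry; [] means the bytes are the listed sample."""
    actual = digests(data)
    mismatched = []
    for key, want in expected.items():
        if isinstance(want, str):
            want = want.lower()
        if actual[key] != want:
            mismatched.append(key)
    return mismatched


def _build_index(rows) -> dict:
    # Any of the three hashes resolves to the canonical SHA256 of that unpacked file.
    index = {}
    for sha256, md5, sha1 in rows:
        for h in (sha256, md5, sha1):
            index[h.lower()] = sha256
    return index


_INDEX = _build_index(UNPACKED)


def lookup_hash(h: str) -> "str | None":
    """Map a SHA256, MD5 or SHA1 (any case) to the SHA256 of a listed unpacked file, or None."""
    return _INDEX.get(h.strip().lower())


def lookup_artifact(data: bytes) -> "str | None":
    """Check a carved file's bytes against the unpacked-file list by SHA256."""
    return lookup_hash(hashlib.sha256(data).hexdigest())


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read()
    bad = verify_sample(blob)
    print("sample verified" if not bad else "mismatch in: " + ", ".join(bad))
    print("known unpacked file:", lookup_artifact(blob))
```

Usage: `python verify.py sample.bin` against the file you downloaded from the entry. A mismatch in `size` alone usually means a truncated or zip-wrapped download; a mismatch in every field means you have a different file. `lookup_hash` accepts the MD5 or SHA1 you find in an older AV log or EDR export and returns the SHA256 to pivot on.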

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:shellcode
Author:nex
Description:Matched shellcode byte patterns

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments