MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4f2d5d155fe7497f9ab429cae34c5ebbdd711b0256b3bae83d9038cf1526c724. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Adware.Generic


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4f2d5d155fe7497f9ab429cae34c5ebbdd711b0256b3bae83d9038cf1526c724
SHA3-384 hash: 841fe8d484515edbdd5e040180389b05c7d23eb3b06b431652c5fd6454dfbff2ff3a0a8ba1a2fb1fee9627099b5dc019
SHA1 hash: f8460d05dbdb1c171818510c9685847d00468349
MD5 hash: 2deaf2be4672bf6457e136d78a7a3940
humanhash: one-may-alanine-mike
File name:4f2d5d155fe7497f9ab429cae34c5ebbdd711b0256b3bae83d9038cf1526c724
Download: download sample
Signature Adware.Generic
Create hunting rule
File size:1'671'954 bytes
First seen:2023-12-06 13:32:03 UTC
Last seen:2023-12-06 15:23:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e569e6f445d32ba23766ad67d1e3787f (266 x Adware.Generic, 41 x RecordBreaker, 24 x RedLineStealer)
ssdeep 24576:s7FUDowAyrTVE3U5F/dszKic6QL3E2vVsjECUAQT45deRV9Rg:sBuZrEUiKIy029s4C1eH9e
TLSH T15575BF3FF268A13EC5AA1B3245B38310997BBA51B81A8C1E47FC344DCF765601E3B656
TrID 39.3% (.EXE) Inno Setup installer (107240/4/30)
21.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
15.7% (.EXE) InstallShield setup (43053/19/16)
15.2% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
3.8% (.EXE) Win64 Executable (generic) (10523/12/4)
File icon (PE):PE icon
dhash icon 5050d270cccc82ae (112 x Adware.Generic, 70 x OffLoader, 43 x LummaStealer)
Reporter adrian__luca
Tags:Adware.Generic exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
372
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4f2d5d155fe7497f9ab429cae34c5ebbdd711b0256b3bae83d9038cf1526c724.zip
Verdict:
Malicious activity
Analysis date:
2023-12-06 19:51:21 UTC
Tags:
adware loader evasion
Link:
https://app.any.run/tasks/9034af96-c200-4709-b6e5-2d318c74d645

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/462865/
Detection(s):
SecuriteInfo.com.Win32.Malware-gen.17699.18162.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Searching for the window
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control installer lolbin overlay packed setupapi shell32
Link:
https://www.filescan.io/uploads/6570780feba108031486109b/reports/2cf764e3-63d2-4fa6-9e2b-acfa4ad0a0ce/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/4f2d5d155fe7497f9ab429cae34c5ebbdd711b0256b3bae83d9038cf1526c724
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/afc42c78-f9c0-43e1-9a8c-e1950a5a39c7
Result
Threat name:
NetSupport RAT, LummaC Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1354609
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
Connects to many ports of the same IP (likely port scanning)
Contains functionality to detect sleep reduction / modifications
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Yara detected Generic Downloader
Yara detected LummaC Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1354609 Sample: ZmWSzgevgt.exe Startdate: 06/12/2023 Architecture: WINDOWS Score: 92 212 sidemark.xyz 2->212 214 send.planewool.xyz 2->214 216 21 other IPs or domains 2->216 248 Snort IDS alert for network traffic 2->248 250 Antivirus detection for URL or domain 2->250 252 Antivirus detection for dropped file 2->252 256 8 other signatures 2->256 14 msiexec.exe 2->14         started        17 ZmWSzgevgt.exe 2 2->17         started        19 Windows Updater.exe 2->19         started        22 6 other processes 2->22 signatures3 254 Performs DNS queries to domains with low reputation 214->254 process4 dnsIp5 196 C:\Windows\Installer\MSIFEC8.tmp, PE32 14->196 dropped 198 C:\Windows\Installer\MSIFDAD.tmp, PE32 14->198 dropped 200 C:\Windows\Installer\MSIFD2F.tmp, PE32 14->200 dropped 206 109 other malicious files 14->206 dropped 24 msiexec.exe 14->24         started        28 msiexec.exe 14->28         started        31 msiexec.exe 14->31         started        41 2 other processes 14->41 202 C:\Users\user\AppData\...\ZmWSzgevgt.tmp, PE32 17->202 dropped 33 ZmWSzgevgt.tmp 23 18 17->33         started        218 allroadslimit.com 104.21.74.109 CLOUDFLARENETUS United States 19->218 204 C:\Windows\Temp\...\Windows Updater.exe, PE32 19->204 dropped 35 Windows Updater.exe 19->35         started        37 conhost.exe 22->37         started        39 conhost.exe 22->39         started        43 4 other processes 22->43 file6 process7 dnsIp8 170 4 other files (none is malicious) 24->170 dropped 268 Query firmware table information (likely to detect VMs) 24->268 45 taskkill.exe 24->45         started        47 taskkill.exe 24->47         started        49 taskkill.exe 24->49         started        234 pstbbk.com 157.230.96.32 DIGITALOCEAN-ASNUS United States 28->234 236 collect.installeranalytics.com 54.165.145.62 AMAZON-AESUS United States 28->236 172 2 other files (none is malicious) 28->172 dropped 51 taskkill.exe 28->51         started        174 2 other files (none is malicious) 31->174 dropped 238 sparksteam.site 104.21.52.223, 49704, 80 CLOUDFLARENETUS United States 33->238 240 sidemark.xyz 172.67.165.204, 49705, 80 CLOUDFLARENETUS United States 33->240 160 C:\Users\user\AppData\Local\...\is-AU4B5.tmp, PE32 33->160 dropped 162 C:\Program Files (x86)\...\is-PFMO7.tmp, PE32 33->162 dropped 164 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 33->164 dropped 53 setup.exe 2 33->53         started        242 dl.likeasurfer.com 172.67.150.192 CLOUDFLARENETUS United States 35->242 166 C:\ProgramData\AW Manager\...\v114.exe.part, PE32 35->166 dropped 168 C:\ProgramData\AW Manager\...\v113.exe.part, PE32 35->168 dropped 56 v113.exe 35->56         started        58 v114.exe 35->58         started        176 2 other files (none is malicious) 41->176 dropped file9 signatures10 process11 file12 60 conhost.exe 45->60         started        62 conhost.exe 47->62         started        64 conhost.exe 49->64         started        66 conhost.exe 51->66         started        134 C:\Users\user\AppData\Local\...\setup.tmp, PE32 53->134 dropped 68 setup.tmp 5 26 53->68         started        136 C:\Windows\Temp\MSI8071.tmp, PE32 56->136 dropped 138 C:\Windows\Temp\MSI7EBB.tmp, PE32 56->138 dropped 140 C:\Windows\Temp\INA7D61.tmp, PE32 56->140 dropped 148 4 other files (3 malicious) 56->148 dropped 72 msiexec.exe 56->72         started        142 C:\Windows\Temp\MSICE82.tmp, PE32 58->142 dropped 144 C:\Windows\Temp\MSICE04.tmp, PE32 58->144 dropped 146 C:\Windows\Temp\INACC6B.tmp, PE32 58->146 dropped 150 4 other files (3 malicious) 58->150 dropped process13 dnsIp14 226 www.agenment.cloud 185.23.108.224, 443, 49716, 49717 TENET-ASUA Hungary 68->226 228 mysoftwareusa.info 37.1.198.251 LEASEWEB-DE-FRA-10DE Ukraine 68->228 230 3 other IPs or domains 68->230 152 C:\Users\user\AppData\Local\Temp\...\idp.dll, PE32 68->152 dropped 154 C:\Users\user\AppData\Local\Temp\...\a3.exe, PE32 68->154 dropped 156 C:\Users\user\AppData\Local\Temp\...\a1.exe, PE32 68->156 dropped 158 2 other files (1 malicious) 68->158 dropped 74 a0.exe 2 68->74         started        77 a3.exe 68->77         started        80 a1.exe 68->80         started        file15 process16 file17 178 C:\Users\user\AppData\Local\Temp\...\a0.tmp, PE32 74->178 dropped 82 a0.tmp 26 23 74->82         started        180 C:\Users\user\AppData\...\1938229521.exe, PE32 77->180 dropped 182 C:\Users\user\AppData\...\1922353491.exe, PE32 77->182 dropped 184 C:\Users\user\AppData\Local\...\promo[1].exe, PE32 77->184 dropped 186 C:\Users\user\AppData\Local\...\promo[1].exe, PE32 77->186 dropped 272 Multi AV Scanner detection for dropped file 77->272 274 Binary is likely a compiled AutoIt script file 77->274 86 1922353491.exe 77->86         started        188 C:\Users\user\AppData\Roaming\...\decoder.dll, PE32 80->188 dropped 190 C:\Users\user\AppData\...\Windows Updater.exe, PE32 80->190 dropped 192 C:\Users\user\AppData\Local\...\MSI2B5C.tmp, PE32 80->192 dropped 194 3 other files (2 malicious) 80->194 dropped 89 msiexec.exe 80->89         started        signatures18 process19 dnsIp20 118 C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32 82->118 dropped 120 C:\Program Files (x86)\...\is-SGBP1.tmp, PE32 82->120 dropped 122 C:\Program Files (x86)\...\is-R280H.tmp, PE32 82->122 dropped 124 5 other files (2 malicious) 82->124 dropped 258 Obfuscated command line found 82->258 91 cmd.exe 1 82->91         started        93 cmd.exe 1 82->93         started        95 cmd.exe 13 82->95         started        97 wmiprvse.exe 17 82->97         started        232 tankqueueipjsh.pw 104.21.83.145 CLOUDFLARENETUS United States 86->232 260 Detected unpacking (changes PE section rights) 86->260 262 Query firmware table information (likely to detect VMs) 86->262 264 Tries to detect sandboxes and other dynamic analysis tools (window names) 86->264 266 6 other signatures 86->266 file21 signatures22 process23 dnsIp24 100 expand.exe 21 91->100         started        103 conhost.exe 91->103         started        105 reg.exe 1 1 93->105         started        108 conhost.exe 93->108         started        110 chrome.exe 95->110         started        113 conhost.exe 95->113         started        208 myptofgrtulo.info 95.142.47.11, 1203, 49721 VDSINA-ASRU Russian Federation 97->208 210 geo.netsupportsoftware.com 62.172.138.67, 49722, 80 BTGB United Kingdom 97->210 process25 dnsIp26 126 C:\...\f30fa2050fab9a4e9730e495e7217769.tmp, PE32 100->126 dropped 128 C:\...\bcbe912d67afa2439ce32b324e7130e1.tmp, PE32+ 100->128 dropped 130 C:\...\9c66f20de619a94580bb93030dc1aea6.tmp, PE32 100->130 dropped 132 6 other files (5 malicious) 100->132 dropped 270 Creates an undocumented autostart registry key 105->270 244 192.168.2.5, 1203, 443, 49703 unknown unknown 110->244 246 239.255.255.250 unknown Reserved 110->246 115 chrome.exe 110->115         started        file27 signatures28 process29 dnsIp30 220 accounts.google.com 142.251.111.84, 443, 49726 GOOGLEUS United States 115->220 222 clients.l.google.com 142.251.16.101, 443, 49727 GOOGLEUS United States 115->222 224 13 other IPs or domains 115->224
Score:
88%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/4f2d5d155fe7497f9ab429cae34c5ebbdd711b0256b3bae83d9038cf1526c724
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4f2d5d155fe7497f9ab429cae34c5ebbdd711b0256b3bae83d9038cf1526c724/
Threat name:
Win32.Trojan.OffLoader
Create hunting rule
Status:
Malicious
First seen:
2023-11-24 04:14:00 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
11 of 37 (29.73%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=j4wv2fk745ex7gvufhfogtc6xpoxcgyck2z3v2b5sa4m6fjgy4sa._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/231206-qsz7esdd3z/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
d5485ba921c2d67df5d63763c4650cad24d8b7d7c65202a8f9cb5f3dafdfcf12
MD5 hash:
be0e74dc6ac70c5b8cc74c42b6999a70
SHA1 hash:
47c9e3346f8c051ea7415289e25e7836ad47500c
Link:
https://www.unpac.me/results/8621c799-f0c6-4f45-bea8-a7f492e042b9/
SH256 hash:
4f2d5d155fe7497f9ab429cae34c5ebbdd711b0256b3bae83d9038cf1526c724
MD5 hash:
2deaf2be4672bf6457e136d78a7a3940
SHA1 hash:
f8460d05dbdb1c171818510c9685847d00468349
Link:
https://www.unpac.me/results/8621c799-f0c6-4f45-bea8-a7f492e042b9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4f2d5d155fe7497f9ab429cae34c5ebbdd711b0256b3bae83d9038cf1526c724

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/462865/

Comments