MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4f2e6dc8e4d8e0dfcc44a28d34c10653bd833abb8832e47e609d255f246c67f0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments

SHA256 hash:	4f2e6dc8e4d8e0dfcc44a28d34c10653bd833abb8832e47e609d255f246c67f0
SHA3-384 hash:	73e58f9f22a71fb64bf484ff7412286e177263a6e1862c112e5a114916883cbb0d35a58225d750464115b623ca423a17
SHA1 hash:	9f45cfe6014c839b7921ee456883de89b8b7176b
MD5 hash:	63cd9aa92682a95d15e69c9b21369c6f
humanhash:	sink-april-november-hamper
File name:	E-statement#02002581.exe
Download:	download sample
File size:	1'972'880 bytes
First seen:	2024-08-02 16:12:43 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	be41bf7b8cc010b614bd36bbca606973 (195 x LummaStealer, 126 x DanaBot, 63 x Vidar)
ssdeep	49152:D1wfEW0BFC/rfKIQLhnA6D6SwUn61nJfeM+qrBfn3P+:JwfEJuSIQtA62ZQWNeM9fn3m
Threatray	1 similar samples on MalwareBazaar
TLSH	T19F952343FB99DCF6FB6A117116B069530F61F47990288D4F620EBB2A3F74641801B97B
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE):
dhash icon	74e4d4d4ecf4d4d4 (23 x GuLoader, 20 x LummaStealer, 19 x AgentTesla)
Reporter	malwarelabnet
Tags:	exe signed

Code Signing Certificate

Organisation:	Siam Computer (MD Kamrul Hassan)
Issuer:	Sectigo Public Code Signing CA EV R36
Algorithm:	sha256WithRSAEncryption
Valid from:	2022-03-03T00:00:00Z
Valid to:	2025-03-02T23:59:59Z
Serial number:	e9e59f1418040e5a1e8ae92f0aec83d8
Intelligence:	21 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	80b7c22c5659dd209dc6750bc8141ccc53130dd903eeff9b382be9a8c8164347
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

394

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

E-statement#02002581.exe

Verdict:

Malicious activity

Analysis date:

2024-08-02 16:13:52 UTC

Tags:

meshagent

Link:

https://app.any.run/tasks/5c8d50cb-5d78-4726-b433-ae8245c51d74

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict:

Clean

Score:

70%

Link:

https://cyber-fortress.com/docs/result/index.php?id=66ad0592037b02d0daed26e2

Tags:

m a l w a r e

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Creating a window

Creating a file

Modifying a system file

Creating a process from a recently created file

Сreating synchronization primitives

Searching for the window

Connection attempt

Sending a custom TCP request

DNS request

Sending an HTTP GET request

Searching for synchronization primitives

Launching a service

Using the Windows Management Instrumentation requests

Unauthorized injection to a recently created process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

installer lolbin masquerade microsoft_visual_cc overlay packed shell32

Link:

https://www.filescan.io/uploads/66ad05963acdc8d8268e6c36/reports/ea2e725f-e73c-4db0-ad5c-44c11cb91cbe/overview

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/4f2e6dc8e4d8e0dfcc44a28d34c10653bd833abb8832e47e609d255f246c67f0

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/d499a695-d79e-466d-8e85-fa961c9757e2

Result

Threat name:

n/a

Detection:

clean

Classification:

evad

Score:

13 / 100

Link:

https://www.joesandbox.com/analysis/1486932

Behaviour

Behavior Graph:

n/a

Score:

72%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/4f2e6dc8e4d8e0dfcc44a28d34c10653bd833abb8832e47e609d255f246c67f0

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4f2e6dc8e4d8e0dfcc44a28d34c10653bd833abb8832e47e609d255f246c67f0/

Threat name:

Win32.Dropper.Malgent

Status:

Malicious

First seen:

2024-08-02 16:13:05 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

5 of 24 (20.83%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=j4xg3she3dqn7tceukgtjqigko6ygov3razoi7tatusv6jdmm7ya._file

Verdict:

malicious

Result

Malware family:

n/a

Score:

4/10

Tags:

discovery

Link:

https://tria.ge/reports/240802-tn3crsvhmf/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Checks installed software on the system

Executes dropped EXE

Loads dropped DLL

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/68778c94-012f-48de-8a67-8e36f98ac29d

Unpacked files

SH256 hash:

d22d363771a2f325d05954d729d4c2fc71b4271369804da58d30068a3497e995

MD5 hash:

6be429d063043fec5802114c86f83ce3

SHA1 hash:

79cb51f80b40e88654b382658a95916ba836453f

Link:

https://www.unpac.me/results/679262ae-3b6e-4554-8742-f629b9c07b7c/

SH256 hash:

7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af

MD5 hash:

bf712f32249029466fa86756f5546950

SHA1 hash:

75ac4dc4808ac148ddd78f6b89a51afbd4091c2e

Link:

https://www.unpac.me/results/679262ae-3b6e-4554-8742-f629b9c07b7c/

SH256 hash:

6293408a5fa6d0f55f0a4d01528eb5b807ee9447a75a28b5986267475ebcd3ae

MD5 hash:

c7ce0e47c83525983fd2c4c9566b4aad

SHA1 hash:

38b7ad7bb32ffae35540fce373b8a671878dc54e

Link:

https://www.unpac.me/results/679262ae-3b6e-4554-8742-f629b9c07b7c/

SH256 hash:

416133dd86c0dff6b0fcaf1f46dfe97fdc85b37f90effb2d369164a8f7e13ae6

MD5 hash:

4ccc4a742d4423f2f0ed744fd9c81f63

SHA1 hash:

704f00a1acc327fd879cf75fc90d0b8f927c36bc

Link:

https://www.unpac.me/results/679262ae-3b6e-4554-8742-f629b9c07b7c/

SH256 hash:

3b6086e77e7c3cf8c34704c0eecf20e9884afed75de2a316b96198991e8b82d0

MD5 hash:

811abb6f1a61a1b74562d4a8b273db07

SHA1 hash:

b9b433e469a1db87d3aba57641ae9dc8ae6af840

Link:

https://www.unpac.me/results/679262ae-3b6e-4554-8742-f629b9c07b7c/

SH256 hash:

2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

MD5 hash:

adb29e6b186daa765dc750128649b63d

SHA1 hash:

160cbdc4cb0ac2c142d361df138c537aa7e708c9

Detections:

INDICATOR_TOOL_UAC_NSISUAC

Link:

https://www.unpac.me/results/679262ae-3b6e-4554-8742-f629b9c07b7c/

Parent samples :

f5f3e5658f8ec6c1e7ffa7e7d6df06d04af1f3a5941206ce23b8be979c60ccb1
6e22c0f2732195063cb4984c6520c3b85e1236e967f8bb05b3c1b35139d2917b
713a497c8da97c2082758fd31147539f408a72b62041c6c9ed77037021621e94
dbde8a4bd71bb1fbc0511cdb657dfeffdaedc513aa425f856043532a7cba6fce
ac142a8087949b5ad4e3a503ca37609845112c4f7e0cd1376669c9d5c8f5cdf2
15d4dbafb6fb1770507db7769b2df6f3857da0ad3203a71c5f82a99688dac2b3
b96862087581adb9ecfb9615a46eedb29d13c606e708b7b532ce6ed3217925a4
4f2e6dc8e4d8e0dfcc44a28d34c10653bd833abb8832e47e609d255f246c67f0
df61dc2d24f2e475e0a8971c5d21c1c48e9505be67714aafb4afd670aad297e3
60b1aa37a4ac40d5c5adf2de28782976934731408b6c2e89511e1bc5947d5bbd
f7ae58f22cbdeb69318f6cb3ff3757a9888e8731febd66e85ee9938f874705c9
fbfe2108631e3ccaa8db2f5c4439009c7a5a53136481b422236eefe2e48b690f
340b93c76e6f489982a23d2e04df0ad05a03c3d744ecb5badc3c041eca945af2
34a5c9c0106b37687fbdd51a60a026d06e7301ec40b1f7fb49384d8fe748e9e6
503c9fae00b047a77059de8e9ff6dddb6d2584f18ccf6480d69d395c65492ad4

SH256 hash:

4f2e6dc8e4d8e0dfcc44a28d34c10653bd833abb8832e47e609d255f246c67f0

MD5 hash:

63cd9aa92682a95d15e69c9b21369c6f

SHA1 hash:

9f45cfe6014c839b7921ee456883de89b8b7176b

Link:

https://www.unpac.me/results/679262ae-3b6e-4554-8742-f629b9c07b7c/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4f2e6dc8e4d8e0dfcc44a28d34c10653bd833abb8832e47e609d255f246c67f0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Reviews

ID	Capabilities	Evidence
COM_BASE_API	Can Download & Execute components	ole32.dll::CoCreateInstance
SHELL_API	Manipulates System Shell	SHELL32.dll::ShellExecuteW SHELL32.dll::SHFileOperationW SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CreateProcessW KERNEL32.dll::OpenProcess KERNEL32.dll::CloseHandle KERNEL32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::LoadLibraryW KERNEL32.dll::LoadLibraryA KERNEL32.dll::LoadLibraryExW KERNEL32.dll::GetDiskFreeSpaceW KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CopyFileW KERNEL32.dll::CreateDirectoryW KERNEL32.dll::CreateFileW KERNEL32.dll::DeleteFileW KERNEL32.dll::MoveFileW KERNEL32.dll::GetWindowsDirectoryW
WIN_REG_API	Can Manipulate Windows Registry	ADVAPI32.dll::RegCreateKeyExW ADVAPI32.dll::RegDeleteKeyW ADVAPI32.dll::RegOpenKeyExW ADVAPI32.dll::RegQueryValueExW ADVAPI32.dll::RegSetValueExW
WIN_USER_API	Performs GUI Actions	USER32.dll::AppendMenuW USER32.dll::EmptyClipboard USER32.dll::FindWindowExW USER32.dll::OpenClipboard USER32.dll::PeekMessageW USER32.dll::CreateWindowExW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample