MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 50e25133fb38cd007ff5095978f8426734e7e2680c95cf34ff710291decc8eaa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 3



SHA256 hash: 50e25133fb38cd007ff5095978f8426734e7e2680c95cf34ff710291decc8eaa
SHA3-384 hash: 3c840d0c82db3f16648342218fd9ea6ecf73dcd545b50a71cee8612358e4f7707f89e5c446b4e8980fdd67f62c93101f
SHA1 hash: f522aac60faa23979dc4c917f2396cbbdc16b3f4
MD5 hash: 46091b4a882ea41a0125c5fa4acc8c60
humanhash: thirteen-magazine-eight-comet
File name: free-minecraft-clien_690175494.exe
File size: 10'261'976 bytes
First seen: 2021-04-18 18:41:17 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: eb5bc6ff6263b364dfbfb78bdb48ed59 (54 x Adware.Generic, 18 x RaccoonStealer, 8 x Adware.ExtenBro)
ssdeep: 196608:YmZompPTJUP58pbdaEmFmd5daKwgWipY8+fDp+rnP5WBY:TTG5KUzFk5daKKiG8GN+DBWBY
Threatray: 1 similar samples on MalwareBazaar
TLSH: 85A62327B299653EC4AA27360633A15058FFA66DF91ABD1673F4C4CCCF750C00E3AA65
Reporter: Anonymous

Intelligence


File Origin
# of uploads: 1
# of downloads: 100
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: free-minecraft-clien_690175494.exe
Verdict: No threats detected
Analysis date: 2021-04-18 18:44:24 UTC
Tags: installer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Searching for the window
Creating a file in the Program Files subdirectories
Moving a file to the Program Files subdirectory
Creating a file
Sending a UDP request
DNS request
Launching the default Windows debugger (dwwin.exe)
Deleting a recently created file
Creating a file in the Windows subdirectories
Launching a process
Connection attempt to an infection source
Sending an HTTP POST request to an infection source
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 80 / 100
Signature
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Behaviour
Behavior Graph ID: 391641
Sample: free-minecraft-clien_690175...
Startdate: 18/04/2021
Architecture: WINDOWS
Score: 80
Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 2 other signatures
Process tree:
free-minecraft-clien_690175494.exe (started)
    dropped: C:\...\free-minecraft-clien_690175494.tmp (PE32)
    free-minecraft-clien_690175494.tmp (started)
        dropped: C:\Program Files (x86)\...\is-J1VL2.tmp (PE32)
        dropped: C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
        dropped: C:\Users\user\AppData\Local\...\_iscrypt.dll (PE32)
        dropped: 17 other files (none is malicious)
        AweClone.exe (started)
            network: grigblog.club 172.67.190.230, 49718 -> 80, CLOUDFLARENETUS, United States
            WerFault.exe (started, three instances)
            2 other processes
        wmfdist.exe (started)
Result
Malware family: n/a
Score: 8/10
Tags: discovery
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Checks installed software on the system
Loads dropped DLL
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments



accidentalrebel commented on 2021-04-18 19:04:02 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0001.032] Anti-Behavioral Analysis::Timing/Delay Check GetTickCount
1) [B0009.029] Anti-Behavioral Analysis::Instruction Testing
2) [B0009] Anti-Behavioral Analysis::Virtual Machine Detection
3) [C0027.009] Cryptography Micro-objective::RC4::Encrypt Data
4) [C0021.004] Cryptography Micro-objective::RC4 PRGA::Generate Pseudo-random Sequence
5) [C0021] Cryptography Micro-objective::Generate Pseudo-random Sequence
6) [C0032.001] Data Micro-objective::CRC32::Checksum
7) [C0026.002] Data Micro-objective::XOR::Encode Data
9) [C0046] File System Micro-objective::Create Directory
10) [C0048] File System Micro-objective::Delete Directory
11) [C0047] File System Micro-objective::Delete File
12) [C0049] File System Micro-objective::Get File Attributes
13) [C0052] File System Micro-objective::Writes File
14) [C0007] Memory Micro-objective::Allocate Memory
15) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
16) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
17) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
18) [C0017.003] Process Micro-objective::Create Suspended Process::Create Process
19) [C0017] Process Micro-objective::Create Process
20) [C0038] Process Micro-objective::Create Thread
21) [C0041] Process Micro-objective::Set Thread Local Storage Value
22) [C0055] Process Micro-objective::Suspend Thread
23) [C0018] Process Micro-objective::Terminate Process