MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5377fdf4a8c5b2de8f21a23a0770fbc497d3ba1ff58d50d1ec952216e84a3c4f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: Adware.Generic
Vendor detections: 8

SHA256 hash: 5377fdf4a8c5b2de8f21a23a0770fbc497d3ba1ff58d50d1ec952216e84a3c4f
SHA3-384 hash: 68082a1ffee11e70652e917d0faffd000d85feed307f41fc1bd69623186665f724239d2c9cb76a212480cd552959e91c
SHA1 hash: aeb03943ce5274832cb00ec56703108ceeaf4c02
MD5 hash: daa4394f0cbf5145c7e8c03e7fd87b02
humanhash: connecticut-low-blue-nineteen
File name: Microsoft Windows and Office ISO Downol 8.15 + Crack 2019.exe
Signature: Adware.Generic
File size: 12,144,523 bytes
First seen: 2023-08-07 10:36:11 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: e569e6f445d32ba23766ad67d1e3787f (262 x Adware.Generic, 41 x RecordBreaker, 24 x RedLineStealer)
ssdeep: 196608:dwjsCRr3bEztMc0foz7r8YSMLYjsCRr3bEztac0foz7r8YSMLYjsCRr3bEztac0O:rCd3bqSc0m8KCd3bqEc0m8KCd3bqEc0O
Threatray: 56 similar samples on MalwareBazaar
TLSH: T121C6232FF298A53EC42D563045B386509ABBBA62B8178C0E47FC394CDF325B11D3B656
TrID: 50.4% (.EXE) Inno Setup installer (109740/4/30)
      19.7% (.EXE) InstallShield setup (43053/19/16)
      19.1% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
      4.8% (.EXE) Win64 Executable (generic) (10523/12/4)
      2.0% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 5050d270cccc82ae (109 x Adware.Generic, 43 x LummaStealer, 42 x OffLoader)
Reporter: xr1pper
Tags: Adware.Generic exe

Intelligence

File Origin
Number of uploads: 1
Number of downloads: 341
Origin country: EG

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: Microsoft Windows and Office ISO Downol 8.15 + Crack 2019.exe
Verdict: No threats detected
Analysis date: 2023-08-07 10:38:19 UTC
Tags: installer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample, so its verdict describes the recorded session rather than the file in isolation.

Result
Verdict: Clean
Behaviour:
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating synchronization primitives
Searching for synchronization primitives
Gathering data

Result
Verdict: MALICIOUS

Result
Threat name: n/a
Detection: malicious
Classification: troj.spyw.evad
Score: 92 / 100
Signatures:
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
Contains functionality to modify clipboard data
Creates files with lurking names (e.g. Crack.exe)
Detected unpacking (changes PE section rights)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses ping.exe to check the status of other devices and networks
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph (ID 1287029; sample Microsoft_Windows_and_Offic...; start date 07/08/2023; architecture WINDOWS; score 92)

Sample-level DNS: bapp.digitalpulsedata.com
Sample-level signatures: Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 8 other signatures

Process tree reconstructed from the graph nodes. Numbers in brackets are the graph's own node IDs; "dropped" lists files written by that process and "net" its DNS or IP contacts as host, IP, ports, ASN, country. In each port list, 80 and 443 are the destination ports; the 49xxx values are the sandbox client's ephemeral source ports and are not indicators.

[2] sample start
  [13] Microsoft_Windows_and_Office_ISO_Downol_8.15_+_Crack_2019.exe
    dropped: Microsoft_Windows_...15_+_Crack_2019.tmp (PE32)
    sig: Creates files with lurking names (e.g. Crack.exe)
    [24] Microsoft_Windows_and_Office_ISO_Downol_8.15_+_Crack_2019.tmp
      net: sistersshame.xyz 104.21.25.118, ports 49722, 80, CLOUDFLARENETUS, United States
      net: woolcalendar.online 188.114.96.7, ports 443, 49721, 49731, CLOUDFLARENETUS, European Union
      dropped: C:\Users\user\AppData\...\setup.exe (copy) (PE32); 5 other files (4 malicious)
      sig: Performs DNS queries to domains with low reputation; Creates files with lurking names (e.g. Crack.exe)
      [39] setup.exe
        dropped: C:\Users\user\AppData\Local\...\setup.tmp (PE32)
        [46] setup.tmp
          net: bon.cribcelery.xyz; ambasoftgroup.info 77.246.100.5, ports 49723, 49724, 80, MEDIAL-ASRU, Russian Federation; 5 other IPs or domains
          dropped: C:\Users\user\AppData\Local\Temp\...\s2.exe (PE32); C:\Users\user\AppData\Local\Temp\...\s1.exe (PE32); C:\Users\user\AppData\Local\Temp\...\s0.exe (PE32+); 2 other files (1 malicious)
          sig: Performs DNS queries to domains with low reputation
          [55] s0.exe
            net: iplogger.com 148.251.234.93, ports 443, 49725, 49726, HETZNER-ASDE, Germany; m10b18tu.info
            dropped: C:\Users\user\AppData\Local\...\simbian.exe (PE32); C:\Users\user\AppData\Local\...\file[1].exe (PE32)
            sig: Multi AV Scanner detection for dropped file; May check the online IP address of the machine; Binary is likely a compiled AutoIt script file; Contains functionality to modify clipboard data
            [64] simbian.exe
              net: b47n300.info 77.105.136.3, ports 49727, 80, PLUSTELECOM-ASRU, Russian Federation; api.ip.sb
              sig: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); 8 other signatures
            [68] cmd.exe
              sig: Uses ping.exe to check the status of other devices and networks
              [75] conhost.exe
              [77] PING.EXE
          [60] s1.exe
            dropped: C:\Users\user\AppData\Local\Temp\...\s1.tmp (PE32)
            [70] s1.tmp
              dropped: C:\Users\user\AppData\...\unins000.exe (copy) (PE32); C:\Users\user\AppData\...\is-KIUET.tmp (PE32); C:\Users\user\AppData\...\is-FJS5O.tmp (PE32+); 4 other files (3 malicious)
              sig: Uses schtasks.exe or at.exe to add and modify task schedules
              [79] DigitalPulseService.exe
                net: bapp.digitalpulsedata.com 3.98.219.138, ports 443, 49738, 49744, AMAZON-02US, United States
              [82] _setup64.tmp
                [88] conhost.exe
              [84] schtasks.exe
                [90] conhost.exe
              [86] schtasks.exe
                [92] conhost.exe
          [62] s2.exe
            dropped: C:\Users\user\AppData\Roaming\...\decoder.dll (PE32); C:\Users\user\AppData\...\Windows Updater.exe (PE32); C:\Users\user\AppData\Local\...\shiB8AC.tmp (PE32+); 3 other malicious files
            sig: Antivirus detection for dropped file
            [73] msiexec.exe
  [17] msiexec.exe
    dropped: C:\Windows\Installer\MSIF0AA.tmp (PE32); C:\Windows\Installer\MSIF07A.tmp (PE32); C:\Windows\Installer\MSIEC32.tmp (PE32); 14 other malicious files
    [29] msiexec.exe
      net: pstbbk.com 157.230.96.32, ports 49749, 80, DIGITALOCEAN-ASNUS, United States; collect.installeranalytics.com 52.71.211.199, ports 443, 49750, 49752, AMAZON-AESUS, United States
      dropped: C:\Users\user\AppData\Local\...\shiE445.tmp (PE32); C:\Users\user\AppData\Local\...\shiE3A7.tmp (PE32)
      sig: Query firmware table information (likely to detect VMs)
      [42] taskkill.exe
        [51] conhost.exe
    [31] msiexec.exe
      dropped: C:\Users\user\AppData\Local\...\shiD214.tmp (PE32); C:\Users\user\AppData\Local\...\shiD148.tmp (PE32)
    [33] msiexec.exe
      dropped: C:\Windows\Temp\shi2D44.tmp (PE32); C:\Windows\Temp\shi2C78.tmp (PE32)
    [35] msiexec.exe
  [19] Windows Updater.exe
    net: allroadslimit.com
    dropped: C:\Windows\Temp\...\Windows Updater.exe (PE32)
    [37] Windows Updater.exe
      net: dl.likeasurfer.com 104.21.32.100, ports 443, 49756, CLOUDFLARENETUS, United States
      dropped: 4 other malicious files
      [44] v113.exe
        dropped: C:\Windows\Temp\shi298B.tmp (PE32+); C:\Windows\Temp\MSI2C1D.tmp (PE32); C:\Windows\Temp\MSI2AF3.tmp (PE32); 2 other malicious files
        [53] msiexec.exe
  [22] 3 other processes
    net: win-peer-pbm-ecs-lb-495161369.ca-central-1.elb.amazonaws.com 52.60.194.232, ports 443, 49737, AMAZON-02US, United States; updater.digitalpulsedata.com; 2 other IPs or domains
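The sandbox's graph export for this sample (in its raw form one long line of nodes) records each network contact as host, IP, a comma-separated port list, ASN and country, with the destination port and the sandbox client's ephemeral source ports mixed into the same list, and each dropped file and process start as a node with an edge back to its parent. The following added example (not MalwareBazaar's or the sandbox's code) parses that node format, separates the two kinds of port using the Windows default dynamic range (49152 and up, an assumption about the sandbox host), and turns the result into a blocklist that carries only the destination ports. GRAPH_EXCERPT holds nodes copied from this entry's graph, one per line; the regexes are written for that format and nothing else.

```python
"""Extract network, dropped-file and process-start IOCs from a sandbox
behavior-graph export in the flattened node format shown on this entry, and
keep only real destination ports. Added example, not MalwareBazaar or sandbox
code. GRAPH_EXCERPT holds nodes copied from this entry's graph, one per line."""
import re

# Windows allocates client-side (source) ports from 49152 upward by default
# (an assumption about the sandbox host); the export lists those next to the
# destination port, and they are not indicators.
EPHEMERAL_MIN = 49152

# "<node> <host> [<ip>, <port>, <port>... <ASN> <country>] <parent>-><node>"
NET_RE = re.compile(
    r"^(?P<node>\d+) (?P<host>\S+)"
    r"(?: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}), (?P<ports>\d+(?:, \d+)*)"
    r" (?P<asn>[A-Z][A-Z0-9-]*) (?P<country>.+?))?"
    r" (?P<src>\d+)->(?P=node)$")
# "<node> <path>, PE32|PE32+ <parent>-><node> dropped"
DROP_RE = re.compile(
    r"^(?P<node>\d+) (?P<path>.+?), (?P<ftype>PE32\+?) (?P<src>\d+)->(?P=node) dropped$")
# "<node> <name> [<count>...] <parent>-><node> started"; the counts are the
# sandbox's per-node tallies and are ignored.
PROC_RE = re.compile(
    r"^(?P<node>\d+) (?P<name>.+?)(?: \d+)* (?P<src>\d+)->(?P=node)\s+started$")

# Nodes copied from this entry's behavior graph.
GRAPH_EXCERPT = r"""
168 bapp.digitalpulsedata.com 2->168
13 Microsoft_Windows_and_Office_ISO_Downol_8.15_+_Crack_2019.exe 2 2->13 started
182 sistersshame.xyz 104.21.25.118, 49722, 80 CLOUDFLARENETUS United States 24->182
184 woolcalendar.online 188.114.96.7, 443, 49721, 49731 CLOUDFLARENETUS European Union 24->184
126 C:\Users\user\AppData\...\setup.exe (copy), PE32 24->126 dropped
194 ambasoftgroup.info 77.246.100.5, 49723, 49724, 80 MEDIAL-ASRU Russian Federation 46->194
104 C:\Windows\Temp\shi298B.tmp, PE32+ 44->104 dropped
178 iplogger.com 148.251.234.93, 443, 49725, 49726 HETZNER-ASDE Germany 55->178
84 schtasks.exe 70->84 started
"""

def extract(text):
    """Parse one node per line into network contacts, dropped files and process starts."""
    net, dropped, procs = [], [], []
    for line in text.strip().splitlines():
        line = line.strip()
        if m := DROP_RE.match(line):
            dropped.append({"path": m["path"], "type": m["ftype"], "by": int(m["src"])})
        elif m := PROC_RE.match(line):
            procs.append({"node": int(m["node"]), "name": m["name"], "parent": int(m["src"])})
        elif m := NET_RE.match(line):
            ports = [int(p) for p in m["ports"].split(", ")] if m["ports"] else []
            net.append({
                "host": m["host"], "ip": m["ip"], "asn": m["asn"], "country": m["country"],
                "dst_ports": sorted(p for p in ports if p < EPHEMERAL_MIN),
                "client_ports": sorted(p for p in ports if p >= EPHEMERAL_MIN),
                "by": int(m["src"]),
            })
    return {"network": net, "dropped": dropped, "processes": procs}

def blocklist(report):
    """host:port entries worth blocking; a contact with no resolved IP/port is listed by name."""
    entries = set()
    for c in report["network"]:
        entries.update(f"{c['host']}:{p}" for p in c["dst_ports"])
        if not c["dst_ports"]:
            entries.add(c["host"])
    return sorted(entries)

if __name__ == "__main__":
    report = extract(GRAPH_EXCERPT)
    for c in report["network"]:
        print(f"{c['host']:<30} {c['ip'] or '-':<16} dst={c['dst_ports']} client={c['client_ports']}")
    for d in report["dropped"]:
        print(f"dropped by node {d['by']}: {d['path']} ({d['type']})")
    for p in report["processes"]:
        print(f"node {p['node']} {p['name']} started by node {p['parent']}")
    print("blocklist:", blocklist(report))
```

Domain-only nodes (the sandbox saw a DNS query but no connection) come out with ip None and an empty port list, so they land on the blocklist by name; a practitioner would still want to resolve them separately before acting on them.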
Result
Threat name: Win32.Trojan.Generic
Status: Malicious
First seen: 2023-08-07 10:37:07 UTC
File Type: PE (Exe)
Extracted files: 11
AV detection: 12 of 24 (50.00%)
Threat level: 2/5

Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour:
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Executes dropped EXE
Loads dropped DLL
Unpacked files:
SHA256 hash: 8df742d33efc8b53cc13082690020bfca17351a2f5af31f876f1ad503222f755
MD5 hash: 594aaea16e9d7921c0beff1df6f36b18
SHA1 hash: 70376463d5fe5b220cb91469c68917789233ed14

SHA256 hash: 5377fdf4a8c5b2de8f21a23a0770fbc497d3ba1ff58d50d1ec952216e84a3c4f
MD5 hash: daa4394f0cbf5145c7e8c03e7fd87b02
SHA1 hash: aeb03943ce5274832cb00ec56703108ceeaf4c02

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Borland
Author: malware-lu

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Distributed via web download
Signature: Adware.Generic
File type: Executable exe
SHA256: 5377fdf4a8c5b2de8f21a23a0770fbc497d3ba1ff58d50d1ec952216e84a3c4f (this sample)