MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5587bf02ffb8815b46e187b147b7502c0d1496c63d0f552dae007035cb11d1cc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5587bf02ffb8815b46e187b147b7502c0d1496c63d0f552dae007035cb11d1cc
SHA3-384 hash: aa3135c1ea132b36e7ed379878b090245daacb47543ec1f675e831d55f054e65e881dfec8be4702944fea9754ae53c7b
SHA1 hash: 9a071e3bd5dc1b1ba4347fa02ac940f377c4fc9b
MD5 hash: b44dc07fd8d850216052c23ae6556e33
humanhash: west-butter-alaska-connecticut
File name:5587bf02ffb8815b46e187b147b7502c0d1496c63d0f552dae007035cb11d1cc.exe
Download: download sample
File size:61'588'576 bytes
First seen:2025-03-22 09:34:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1ff847646487d56f85778df99ff3728a (4 x RedLineStealer, 3 x Nitol, 2 x Gh0stRAT)
ssdeep 1572864:vWBDH5UzfI+bnu0P08V+nrzKR4KWDPYq6:uBZUzfFC0PRYnrm41D6
TLSH T14CD73364271DE8B0D4529C3D4672E3A7AE702C677335E4E37BA5610CEDB03C4B1B4AA6
TrID 33.7% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
28.7% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
11.3% (.EXE) Win64 Executable (generic) (10522/11/4)
7.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
5.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika pebin
dhash icon fadadac2a2b8c4e4 (11 x Nitol, 2 x Amadey, 2 x AgentTesla)
Reporter JAMESWT_WT
Tags:154-23-184-120 exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
498
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5587bf02ffb8815b46e187b147b7502c0d1496c63d0f552dae007035cb11d1cc.exe
Verdict:
Malicious activity
Analysis date:
2025-03-22 09:36:01 UTC
Tags:
todesk rmm-tool upx
Link:
https://app.any.run/tasks/a29ac20b-0399-4c60-ad62-c660c104d4ea

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67de845dc8a812f780e7ffe9
Tags:
dropper virus blic
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Searching for synchronization primitives
Creating a process from a recently created file
Creating a window
Creating a file
Creating a file in the %AppData% subdirectories
Launching a process
Creating a process with a hidden window
Searching for the window
Modifying a system file
Creating a file in the Windows subdirectories
Creating a file in the Program Files subdirectories
Running batch commands
Launching the process to change network settings
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context fingerprint installer microsoft_visual_cc obfuscated overlay packed packed packed packer_detected xor-pe
Link:
https://www.filescan.io/uploads/67de844da175d3177344c99e/reports/8cca20eb-89d9-48b5-aa9c-d75d873635a3/overview
Verdict:
Malicious
Labled as:
Trojan.Fsysna
Link:
https://www.hybrid-analysis.com/sample/5587bf02ffb8815b46e187b147b7502c0d1496c63d0f552dae007035cb11d1cc
Result
Verdict:
UNKNOWN
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1645729
Signature
Changes security center settings (notifications, updates, antivirus, firewall)
Connects to many ports of the same IP (likely port scanning)
Encrypted powershell cmdline option found
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: MMC Spawning Windows Shell
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses ipconfig to lookup or modify the Windows network settings
Uses known network protocols on non-standard ports
Uses netsh to modify the Windows network and firewall settings
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1645729 Sample: lWDSvzPgNB.exe Startdate: 22/03/2025 Architecture: WINDOWS Score: 92 111 jf.huoying666.com 2->111 117 Multi AV Scanner detection for dropped file 2->117 119 Multi AV Scanner detection for submitted file 2->119 121 Connects to many ports of the same IP (likely port scanning) 2->121 123 3 other signatures 2->123 9 msiexec.exe 88 45 2->9         started        12 lWDSvzPgNB.exe 4 2->12         started        14 mmc.exe 2->14         started        16 7 other processes 2->16 signatures3 process4 dnsIp5 97 C:\Windows\Installer\MSIEF33.tmp, PE32 9->97 dropped 99 C:\Windows\Installer\MSIEEE4.tmp, PE32 9->99 dropped 101 C:\Windows\Installer\MSIEE75.tmp, PE32 9->101 dropped 107 7 other malicious files 9->107 dropped 20 HttpDownloaderUI.exe 9->20         started        23 msiexec.exe 9->23         started        103 C:\Users\user\AppData\Local\...\lua5.1.dll, PE32 12->103 dropped 105 C:\Users\user\AppData\Local\...\irsetup.exe, PE32 12->105 dropped 25 irsetup.exe 4 7 12->25         started        27 HuoChat.exe 14->27         started        109 127.0.0.1 unknown unknown 16->109 115 Changes security center settings (notifications, updates, antivirus, firewall) 16->115 31 cmd.exe 16->31         started        33 MpCmdRun.exe 16->33         started        file6 signatures7 process8 dnsIp9 69 C:\ProgramData\Q368Q\B2mkF~w3\p, PE32 20->69 dropped 71 C:\ProgramData\Q368Q\B2mkF~w3\HuoChat.exe, PE32 20->71 dropped 73 C:\ProgramData\Q368Q\...verything32.dll, PE32 20->73 dropped 75 C:\ProgramData\Q368Q\B2mkF~w3\w, data 20->75 dropped 35 cmd.exe 20->35         started        38 cmd.exe 20->38         started        77 C:\sysdiag-all-x64-6.0.5.4-2025.03.19.1.exe, PE32 25->77 dropped 40 sysdiag-all-x64-6.0.5.4-2025.03.19.1.exe 25 25->40         started        43 msiexec.exe 4 25->43         started        113 154.23.184.120, 15628, 49722 COGENT-174US United States 27->113 79 C:\Users\user\Videos\...\sqlite3.dll, PE32 27->79 dropped 81 C:\Users\user\Videos\...verything32.dll, PE32 27->81 dropped 83 C:\Users\user\Videos3EC90F3~w3\Bscpio.exe, PE32 27->83 dropped 129 Encrypted powershell cmdline option found 27->129 131 Tries to harvest and steal browser information (history, passwords, etc) 27->131 45 powershell.exe 27->45         started        47 cmd.exe 27->47         started        85 C:\ProgramData\Q368Q\B2mkF~w3\sqlite3.dll, PE32 31->85 dropped 49 conhost.exe 31->49         started        51 conhost.exe 33->51         started        file10 signatures11 process12 file13 125 Uses netsh to modify the Windows network and firewall settings 35->125 127 Uses ipconfig to lookup or modify the Windows network settings 35->127 53 conhost.exe 35->53         started        55 ipconfig.exe 35->55         started        57 conhost.exe 38->57         started        59 netsh.exe 38->59         started        61 netsh.exe 38->61         started        87 C:\Users\user\AppData\Local\...\sqlite.dll, PE32 40->87 dropped 89 C:\Users\user\...\installer-helper.dll, PE32 40->89 dropped 91 C:\Users\user\AppData\Local\...\System.dll, PE32 40->91 dropped 95 3 other malicious files 40->95 dropped 93 C:\ProgramData\Q368Q\B2mkF~w3\...\apps.txt, Unicode 45->93 dropped 63 conhost.exe 45->63         started        65 conhost.exe 47->65         started        67 ipconfig.exe 47->67         started        signatures14 process15
Score:
26%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/5587bf02ffb8815b46e187b147b7502c0d1496c63d0f552dae007035cb11d1cc
Gathering data
Threat name:
Win32.Ransomware.Generic
Create hunting rule
Status:
Malicious
First seen:
2025-03-22 05:16:44 UTC
File Type:
PE (Exe)
Extracted files:
539
AV detection:
16 of 38 (42.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kwd36ax7xcavwrxbq6yupn2qfqgrjfwghuhvklnoabydlsyr2hga._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery execution persistence privilege_escalation spyware stealer upx
Link:
https://tria.ge/reports/250322-lkd7rsvmz4/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Gathers network information
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
UPX packed file
Checks installed software on the system
Enumerates connected drives
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Gathering data
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BLOWFISH_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:SUSP_XORed_MSDOS_Stub_Message
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed MSDOS stub message
Reference:https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu
Rule name:UPXv20MarkusLaszloReiser
Create hunting rule
Author:malware-lu
Rule name:upx_largefile
Create hunting rule
Author:k3nr9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_TRUST_INFORequires Elevated Execution (level:highestAvailable)high
Reviews
IDCapabilitiesEvidence
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::GetTokenInformation
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExA
WIN32_PROCESS_APICan Create Process and ThreadsADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetDiskFreeSpaceA
KERNEL32.dll::GetCommandLineA
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryA
KERNEL32.dll::DeleteFileA
KERNEL32.dll::MoveFileExA
KERNEL32.dll::GetFileAttributesA
KERNEL32.dll::RemoveDirectoryA
KERNEL32.dll::GetTempPathA
WIN_USER_APIPerforms GUI ActionsUSER32.dll::PeekMessageA

Comments