MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 564b8e327a13c948cea21587245b7b0005f786ea57f62bd602ef4ecec66171c6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Adware.Generic

Vendor detections: 15

Intelligence 15 IOCs YARA 4 File information Comments

SHA256 hash:	564b8e327a13c948cea21587245b7b0005f786ea57f62bd602ef4ecec66171c6
SHA3-384 hash:	5945da26bf8f285d673d5f5353ea5c3c5127f474421d9b4b1ff29c305d9f3c045fd53eb59c8453ab4d5c2b27f6bacfb8
SHA1 hash:	242815e66819f32d46c37a57ed707030f57ca2c2
MD5 hash:	4cef35cb56164e4427c8890cf5cdfd85
humanhash:	floor-wyoming-seven-louisiana
File name:	SecuriteInfo.com.Trojan.InstallCore.4085.22781.373
Download:	download sample
Signature	Adware.Generic Create hunting rule
File size:	2'513'624 bytes
First seen:	2024-07-06 17:24:11 UTC
Last seen:	2025-11-09 15:08:22 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	e569e6f445d32ba23766ad67d1e3787f (262 x Adware.Generic, 41 x RecordBreaker, 24 x RedLineStealer)
ssdeep	49152:eBuZrEUNje0NQq5rISAGFuf79j6pjIMGFTKakp:YkLtNNC7eE9aEbJcp
TLSH	T191C5E03BF268A13ED4AE1A3245B383209977BA61781A8C1E07FC354DCF765701E3B656
TrID	39.3% (.EXE) Inno Setup installer (107240/4/30) 21.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19) 15.7% (.EXE) InstallShield setup (43053/19/16) 15.2% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9) 3.8% (.EXE) Win64 Executable (generic) (10523/12/4)
File icon (PE):
dhash icon	5050d270cccc82ae (109 x Adware.Generic, 43 x LummaStealer, 42 x OffLoader)
Reporter	SecuriteInfoCom
Tags:	Adware.Generic exe signed

Code Signing Certificate

Organisation:	Invenivia
Issuer:	Sectigo Public Code Signing CA R36
Algorithm:	sha384WithRSAEncryption
Valid from:	2023-11-16T00:00:00Z
Valid to:	2024-11-15T23:59:59Z
Serial number:	82b4d836e1b37beed11585e28e667b89
Intelligence:	5 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Graveyard Blocklist:	This certificate is on the Cert Graveyard blocklist
Thumbprint Algorithm:	SHA256
Thumbprint:	b42e4832383b0d3d8c61c3b60f432a78cf143bef70f65ac77a37a4c1821fd79a
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

426

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

564b8e327a13c948cea21587245b7b0005f786ea57f62bd602ef4ecec66171c6.exe.000

Verdict:

Suspicious activity

Analysis date:

2024-07-04 17:34:52 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/d80a38c7-f83c-4969-ad4d-0d68c4d9fb05

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Trojan.InstallCore.4085.22781.373.UNOFFICIAL

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=66897f2a3b2ddaaafa49a222win10vpnfull_triage

Tags:

Encryption Static Stealth Trojan Offercore

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Creating a window

Creating a process from a recently created file

Сreating synchronization primitives

Searching for synchronization primitives

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

embarcadero_delphi fingerprint installer lolbin masquerade overlay packed setupapi shell32

Link:

https://www.filescan.io/uploads/66897def9fd5f9d592118db7/reports/7b90ee9b-af12-4834-b20d-b8f0e103183b/overview

Verdict:

Malicious

Labled as:

Win32_OfferCore_B_potentially_unwanted

Link:

https://www.hybrid-analysis.com/sample/564b8e327a13c948cea21587245b7b0005f786ea57f62bd602ef4ecec66171c6

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Breakout Technologies, Inc.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/6f4a46c9-224c-4c96-84f9-e88ba0451a56

Result

Threat name:

n/a

Detection:

suspicious

Classification:

n/a

Score:

28 / 100

Link:

https://www.joesandbox.com/analysis/1468549

Signature

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Score:

82%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/564b8e327a13c948cea21587245b7b0005f786ea57f62bd602ef4ecec66171c6

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/564b8e327a13c948cea21587245b7b0005f786ea57f62bd602ef4ecec66171c6/

Threat name:

Win32.PUA.OfferCore

Status:

Malicious

First seen:

2024-05-30 16:03:26 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

14 of 24 (58.33%)

Threat level:

1/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=kzfy4mt2cpeurtvccwdsiw33aac7pbxkk73cxvqc55hm5rtbohda._file

Verdict:

malicious

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/240706-vy912awgrl/

Behaviour

Modifies system certificate store

Script User-Agent

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Executes dropped EXE

Loads dropped DLL

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/ef6654f8-f633-4d1f-bc33-1ccb871709e9

Unpacked files

SH256 hash:

a6497ddddd577caefe5a39958a604f9ee4bfe93e9da285b147ba6fc6788e75ca

MD5 hash:

02b1d8ff84bcd4ebcb01156636269b99

SHA1 hash:

15ba86430b90264da7d9f2c05be57c56640d4ba9

Link:

https://www.unpac.me/results/5629c5c3-ccc0-4ea8-a216-bae6821efebe/

SH256 hash:

564b8e327a13c948cea21587245b7b0005f786ea57f62bd602ef4ecec66171c6

MD5 hash:

4cef35cb56164e4427c8890cf5cdfd85

SHA1 hash:

242815e66819f32d46c37a57ed707030f57ca2c2

Link:

https://www.unpac.me/results/5629c5c3-ccc0-4ea8-a216-bae6821efebe/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/564b8e327a13c948cea21587245b7b0005f786ea57f62bd602ef4ecec66171c6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Reviews

ID	Capabilities	Evidence
AUTH_API	Manipulates User Authorization	advapi32.dll::ConvertSidToStringSidW advapi32.dll::ConvertStringSecurityDescriptorToSecurityDescriptorW
SECURITY_BASE_API	Uses Security Base API	advapi32.dll::AdjustTokenPrivileges advapi32.dll::GetTokenInformation
WIN32_PROCESS_API	Can Create Process and Threads	kernel32.dll::CreateProcessW advapi32.dll::OpenProcessToken kernel32.dll::CloseHandle kernel32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	kernel32.dll::LoadLibraryA kernel32.dll::LoadLibraryExW kernel32.dll::LoadLibraryW kernel32.dll::GetSystemInfo kernel32.dll::GetStartupInfoW kernel32.dll::GetDiskFreeSpaceW
WIN_BASE_IO_API	Can Create Files	kernel32.dll::CreateDirectoryW kernel32.dll::CreateFileW kernel32.dll::DeleteFileW kernel32.dll::GetWindowsDirectoryW kernel32.dll::GetSystemDirectoryW kernel32.dll::GetFileAttributesW
WIN_BASE_USER_API	Retrieves Account Information	advapi32.dll::LookupPrivilegeValueW
WIN_REG_API	Can Manipulate Windows Registry	advapi32.dll::RegOpenKeyExW advapi32.dll::RegQueryValueExW
WIN_USER_API	Performs GUI Actions	user32.dll::PeekMessageW user32.dll::CreateWindowExW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample