MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 58511975e989a92826ee57cd50db6b59f508b3166d13957ac42c6754433dbfd7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 5



SHA256 hash: 58511975e989a92826ee57cd50db6b59f508b3166d13957ac42c6754433dbfd7
SHA3-384 hash: 6281186e0c03fe5a749403138588a9a5c29f91ca8a32d63fe79b0513fed64d2644a6a317ec2c995d36d5609adfa56d65
SHA1 hash: 44b047120bd43af613754640505d0dfc6af4624a
MD5 hash: 76968b1ed9e18dc3d630bcdb2d3e298c
humanhash: mars-venus-sixteen-sodium
File name: setup.exe
File size: 8'581'178 bytes
First seen: 2021-11-16 15:45:18 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 483f0c4259a9148c34961abbda6146c1 (17 x ValleyRAT, 8 x AsyncRAT, 7 x QuasarRAT)
ssdeep: 196608:hfn6/VSl6K8qczrBWVricC5wBQd3+KYLBwXFOKyghYAtWMA:hPAklQ/B4rit5wBQdOP+8Kn7tXA
Threatray: 23 similar samples on MalwareBazaar
TLSH: T1C1863382BBC31439F4A0583A5D22D4241E23BDA51CE4B9251EF8DF8F0AB935766F6770
dhash icon: b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter: Anonymous
Tags: exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 212
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating synchronization primitives
Searching for synchronization primitives
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: overlay packed
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: suspicious
Classification: adwa.evad
Score: 28 / 100
Signature
Modifies the hosts file
Obfuscated command line found
PE file has a writeable .text section
PE file has nameless sections
Behaviour
Behavior Graph (ID: 523002, Sample: setup.exe, Startdate: 16/11/2021, Architecture: WINDOWS, Score: 28)
Network contacted: yt3.ggpht.com; youtube-ui.l.google.com; 32 other IPs or domains
Sample-level signatures: PE file has nameless sections; PE file has a writeable .text section
Process tree:
setup.exe
    dropped: C:\Users\user\AppData\Local\...\setup.tmp (PE32)
    signature: Obfuscated command line found
    started: setup.tmp
        network: 192.168.2.1 (unknown)
        dropped: C:\Users\user\AppData\Local\...\hosts.exe (PE32); C:\Users\user\AppData\Local\Temp\...\x3.exe (PE32); C:\Users\user\AppData\Local\...\wintb.dll (PE32); 40 other files (none is malicious)
        started: cmd.exe
            started: hosts.exe (3 instances); 6 other processes
                first hosts.exe instance dropped: C:\Windows\System32\drivers\etc\hosts (ASCII)
                signature: Modifies the hosts file
        started: unins000.exe
            dropped: C:\Users\user\AppData\Local\...\_iu14D2N.tmp (PE32)
            started: _iu14D2N.tmp
                dropped: C:\Users\user\AppData\Local\...\_shfoldr.dll (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
        started: chrome.exe
            network: 239.255.255.250 (Reserved)
            started: chrome.exe
        started: FlushFileCache.exe
            started: conhost.exe
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Loads dropped DLL
Executes dropped EXE
Unpacked files
SHA256 hash: 09af8004b85478e1eca09fa4cb5e3081dddcb2f68a353f3ef6849d92be47b449
MD5 hash: ae9890548f2fcab56a4e9ae446f55b3f
SHA1 hash: e17c970eebbe6d7d693c8ac5a7733218800a5a96

SHA256 hash: 44b8e6a310564338968158a1ed88c8535dece20acb06c5e22d87953c261dfed0
MD5 hash: 9c8886759e736d3f27674e0fff63d40a
SHA1 hash: ceff6a7b106c3262d9e8496d2ab319821b100541

SHA256 hash: 58511975e989a92826ee57cd50db6b59f508b3166d13957ac42c6754433dbfd7
MD5 hash: 76968b1ed9e18dc3d630bcdb2d3e298c
SHA1 hash: 44b047120bd43af613754640505d0dfc6af4624a

Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method: Other

Comments