MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5b74eb73697a853a9d2d138a270a97a4edbcdc38ba46c5ea3cd79076ba4cecb4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5b74eb73697a853a9d2d138a270a97a4edbcdc38ba46c5ea3cd79076ba4cecb4
SHA3-384 hash: d37e7db3dd9450190d2e83aed6227191c4b546b8f390e43a9e361b5e9e3aba2492aa689b271125504b3e8beaa7e416c4
SHA1 hash: e1a12595f8c9d48416ec342cd4037a32f3fdda24
MD5 hash: 849bf640bf914ec675b9477a802a22f9
humanhash: bulldog-earth-iowa-oklahoma
File name:ACTIVATE____SETUP__4695.exe
Download: download sample
File size:762'830 bytes
First seen:2022-01-30 14:22:19 UTC
Last seen:2022-01-30 16:06:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2f49c381e5ec0c6dbf3537665412bd82
ssdeep 12288:7ykdiekWhrZfOrvnm4wYvPnEBzlLBwzofxzlHRF3f+BVM/JwHmA7RW2a8HBhpugm:+kYeF6O4wYX+T1+rM5A7tao0DRN
Threatray 3'343 similar samples on MalwareBazaar
TLSH T10BF4F102BBFA4A79F1F74B756F792A64463BFD762E10CA0F1364250E49B0EC09961363
File icon (PE):PE icon
dhash icon 02005303474e010a
Reporter Anonymous
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
159
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ACTIVATE____SETUP__4695.exe
Verdict:
Malicious activity
Analysis date:
2022-01-30 14:08:51 UTC
Tags:
trojan opendir loader
Link:
https://app.any.run/tasks/23fbac0a-40fb-4e47-a679-d76a8dfcdeaa

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/225884/
Detection(s):
SecuriteInfo.com.FileRepMalware.28504.8143.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Launching cmd.exe command interpreter
Using the Windows Management Instrumentation requests
Creating a process from a recently created file
Sending a custom TCP request
DNS request
Searching for the window
Creating a window
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Running batch commands
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/5517/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
keylogger overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/61f69f4b533699b5ff251486/reports/fe486b26-d88e-4ae6-a0bf-68108abda2c8/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/effdc206-c70b-4904-8b20-9dff77d6040a
Result
Threat name:
ClipBanker
Create hunting rule
Detection:
malicious
Classification:
bank.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/930375
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to register a low level keyboard hook
DLL reload attack detected
Drops PE files with a suspicious file extension
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Obfuscated command line found
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Renames NTDLL to bypass HIPS
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected ClipBanker
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 562853 Sample: ACTIVATE____SETUP__4695.exe Startdate: 30/01/2022 Architecture: WINDOWS Score: 100 75 Antivirus detection for URL or domain 2->75 77 Antivirus detection for dropped file 2->77 79 Yara detected ClipBanker 2->79 81 4 other signatures 2->81 10 ACTIVATE____SETUP__4695.exe 6 2->10         started        13 IntelRapid.exe 2->13         started        15 IntelRapid.exe 2->15         started        process3 signatures4 93 Contains functionality to register a low level keyboard hook 10->93 17 cmd.exe 1 10->17         started        20 dllhost.exe 10->20         started        95 Query firmware table information (likely to detect VMs) 13->95 97 Hides threads from debuggers 13->97 99 Tries to detect sandboxes / dynamic malware analysis system (registry check) 13->99 process5 signatures6 71 Obfuscated command line found 17->71 73 Drops PE files with a suspicious file extension 17->73 22 cmd.exe 3 17->22         started        26 conhost.exe 17->26         started        process7 file8 53 C:\Users\user\AppData\...\Accostarmi.exe.pif, PE32 22->53 dropped 83 Obfuscated command line found 22->83 28 Accostarmi.exe.pif 17 22->28         started        33 tasklist.exe 1 22->33         started        35 tasklist.exe 1 22->35         started        37 4 other processes 22->37 signatures9 process10 dnsIp11 65 cutblv10.top 193.106.175.12, 49771, 49772, 80 IQHOSTRU Russian Federation 28->65 67 faohaj710.top 91.238.105.43, 49770, 80 BYTES-ASCZ Czech Republic 28->67 69 KyIDzgJwXBTcplKaEhIFNWfcM.KyIDzgJwXBTcplKaEhIFNWfcM 28->69 57 C:\Users\user\AppData\Local\Temp\File1.exe, PE32+ 28->57 dropped 59 C:\Users\user\AppData\Local\...\unipod[1].exe, PE32+ 28->59 dropped 61 C:\Users\user\AppData\Local\...\gQCSdkwXO.dll, PE32 28->61 dropped 101 DLL reload attack detected 28->101 103 Tries to harvest and steal browser information (history, passwords, etc) 28->103 105 Renames NTDLL to bypass HIPS 28->105 107 2 other signatures 28->107 39 File1.exe 4 28->39         started        44 cmd.exe 1 28->44         started        file12 signatures13 process14 dnsIp15 63 192.168.2.1 unknown unknown 39->63 55 C:\Users\user\AppData\...\IntelRapid.exe, PE32+ 39->55 dropped 85 Antivirus detection for dropped file 39->85 87 Query firmware table information (likely to detect VMs) 39->87 89 Machine Learning detection for dropped file 39->89 91 2 other signatures 39->91 46 IntelRapid.exe 39->46         started        49 conhost.exe 44->49         started        51 timeout.exe 1 44->51         started        file16 signatures17 process18 signatures19 109 Query firmware table information (likely to detect VMs) 46->109 111 Hides threads from debuggers 46->111 113 Tries to detect sandboxes / dynamic malware analysis system (registry check) 46->113
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5b74eb73697a853a9d2d138a270a97a4edbcdc38ba46c5ea3cd79076ba4cecb4/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-01-30 14:23:12 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
10 of 28 (35.71%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0b1396805e736275f16550f3ecc5361cfcccc468094b4ea910ded8eaf430a5b3
199f2dc4388a96b80edc0881ac6e70b33833ddb801d15a53981e0ce7624fe371
20a605a18b48b55adb6ae9c0024013be69ec884e7407ca50b39177035dc7b948
56637e06a35402eda9bf01f868a88cd3e3a683ed0ee092b8bfcb8118c36d04a4
5ecfe4ce56696312991f74569ffbe173a6dda8878dd2eb2c2ee109a4a4d4740f
95a8297d2caf13fad5e926dbb798b985d811ed8666b2ff59360c560bf4869853
9bf4c9b6c5e930ce91b84920a73d9111793e6d31477458043e94b649147ebf71
9f86527e3ca4530bb3209d8608dae083afab4ef2cf7b0ae23bcd6fdc322a0c33
be6d8a6d979ab788d3eea3908878988623449c2b163ac3494bd9c046b7d31c23
+ 3'333 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
discovery evasion spyware stealer themida trojan
Link:
https://tria.ge/reports/220130-rp54yadaa7/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Enumerates processes with tasklist
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Unpacked files
SH256 hash:
12c1387a6991ee115e6f7cf9119ce711949a7123aa320cd32380a14a27ca0502
MD5 hash:
bef9b64a3645f6fe3d3f34222f573ee7
SHA1 hash:
51682d152440eb2458043e206982c6efe8075161
Link:
https://www.unpac.me/results/9e5bd1e5-c59f-4847-9503-b64462933bf4/
SH256 hash:
5b74eb73697a853a9d2d138a270a97a4edbcdc38ba46c5ea3cd79076ba4cecb4
MD5 hash:
849bf640bf914ec675b9477a802a22f9
SHA1 hash:
e1a12595f8c9d48416ec342cd4037a32f3fdda24
Link:
https://www.unpac.me/results/9e5bd1e5-c59f-4847-9503-b64462933bf4/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/5b74eb73697a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5b74eb73697a853a9d2d138a270a97a4edbcdc38ba46c5ea3cd79076ba4cecb4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/225884/

Comments