MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5c7d96455bbb045cb3cb3726d7b4fff2d0810a21d7fdb34ad134696aa7f47d5e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 12


Intelligence 12 IOCs YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5c7d96455bbb045cb3cb3726d7b4fff2d0810a21d7fdb34ad134696aa7f47d5e
SHA3-384 hash: c4ccf5ee2d60309d0401ec31cddc1c70fdedee6cb4b66052bd68bd72555c0336cd6bd097370c87289fd20ac61c788883
SHA1 hash: c703685ac6221d7de624039d7351886b21ca53fc
MD5 hash: eb54116db322c49ec2faca86f725931e
humanhash: florida-april-oven-music
File name:Roblox Account Manager.exe
Download: download sample
File size:5'717'504 bytes
First seen:2024-07-02 03:32:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 98304:8H6+2bT1Qm7d9G3s2tIfKLUXk8zdywnr5a0kqXf0Fb7WnZhP+MQuPN5Ppauz+l:5Qm59siyLU0lY9a0kSIb7aZhP+MQuPNw
TLSH T11746E02A72A04335E5AB453405A9C1B496FE7E396A68E19EE7C0BD4F3EF57D09830313
TrID 49.8% (.RLL) Microsoft Resource Library (x86) (177572/6/26)
20.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
16.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
3.6% (.SCR) Windows screen saver (13097/50/3)
2.9% (.EXE) Win64 Executable (generic) (10523/12/4)
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter stdptr
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
455
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5c7d96455bbb045cb3cb3726d7b4fff2d0810a21d7fdb34ad134696aa7f47d5e.exe
Verdict:
Malicious activity
Analysis date:
2024-07-02 05:36:46 UTC
Tags:
github
Link:
https://app.any.run/tasks/f9d03ebb-c65d-4ae4-b319-cbab317d0230

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6683752ebe8570b8fa890b1dwin10vpnfull_triage
Tags:
Generic Network Static Stealth
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a file
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file in the Windows subdirectories
Searching for synchronization primitives
Creating a process with a hidden window
Launching a service
Moving a recently created file
Modifying a system file
Moving a system file
Replacing system executable files
Changing a file
Moving a file to the %temp% directory
Possible injection to a system process
Setting a single autorun event
Infecting executable files
Verdict:
Malicious
Threat level:
  10/10
Confidence:
90%
Tags:
anti-vm cmd evasive explorer fingerprint lolbin macros-on-close macros-on-open packed risepro shell32 update
Link:
https://www.filescan.io/uploads/668374efef9fdf64aa716142/reports/2e80c0b9-5207-454e-abeb-49db576bda9f/overview
Verdict:
Malicious
Link:
https://www.hybrid-analysis.com/sample/5c7d96455bbb045cb3cb3726d7b4fff2d0810a21d7fdb34ad134696aa7f47d5e
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8e787c65-3f05-4dcc-8600-c613f9a072ab
Result
Threat name:
n/a
Detection:
malicious
Classification:
spre.evad
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/1465800
Signature
.NET source code contains potential unpacker
Infects executable files (exe, dll, sys, html)
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1465800 Sample: Roblox Account Manager.exe Startdate: 02/07/2024 Architecture: WINDOWS Score: 52 63 titanium.roblox.com 2->63 65 raw.githubusercontent.com 2->65 67 7 other IPs or domains 2->67 75 .NET source code contains potential unpacker 2->75 77 Yara detected Costura Assembly Loader 2->77 10 msiexec.exe 2->10         started        14 Roblox Account Manager.exe 10 2->14         started        16 VC_redist.x86.exe 2->16         started        18 SrTasks.exe 2->18         started        signatures3 process4 file5 51 C:\Windows\SysWOW64\vcruntime140.dll, PE32 10->51 dropped 53 C:\Windows\SysWOW64\vcomp140.dll, PE32 10->53 dropped 55 C:\Windows\SysWOW64\vccorlib140.dll, PE32 10->55 dropped 57 35 other files (10 malicious) 10->57 dropped 79 Infects executable files (exe, dll, sys, html) 10->79 20 Roblox Account Manager.exe 15 15 14->20         started        24 VC_redist.x86.exe 16->24         started        26 conhost.exe 18->26         started        signatures6 process7 dnsIp8 69 ip-api.com 208.95.112.1, 49748, 49749, 49750 TUT-ASUS United States 20->69 71 edge-term4-ams2.roblox.com 128.116.21.3, 443, 49736 ROBLOX-PRODUCTIONUS United States 20->71 73 4 other IPs or domains 20->73 45 C:\Users\user\Desktop\libsodium.dll, PE32 20->45 dropped 47 C:\Users\user\AppData\Local\...\vcredist.tmp, PE32 20->47 dropped 28 vcredist.tmp 3 20->28         started        31 WerFault.exe 20->31         started        33 VC_redist.x86.exe 24->33         started        file9 process10 file11 59 C:\Windows\Temp\...\vcredist.tmp, PE32 28->59 dropped 35 vcredist.tmp 71 28->35         started        61 C:\Users\user\AppData\Local\...\wixstdba.dll, PE32 33->61 dropped process12 file13 41 C:\Windows\Temp\...\VC_redist.x86.exe, PE32 35->41 dropped 43 C:\Windows\Temp\...\wixstdba.dll, PE32 35->43 dropped 38 VC_redist.x86.exe 34 18 35->38         started        process14 file15 49 C:\ProgramData\...\VC_redist.x86.exe, PE32 38->49 dropped
Score:
9%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/5c7d96455bbb045cb3cb3726d7b4fff2d0810a21d7fdb34ad134696aa7f47d5e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5c7d96455bbb045cb3cb3726d7b4fff2d0810a21d7fdb34ad134696aa7f47d5e/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lr6zmrk3xmcfzm6lg4tnpnh76liiccrb2763gswrgruwvj7upvpa._file
Verdict:
unknown
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery persistence
Link:
https://tria.ge/reports/240702-d37b9stemg/
Behaviour
Checks SCSI registry key(s)
Modifies Internet Explorer settings
Modifies registry class
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
Program crash
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Downloads MZ/PE file
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/a15a26ac-0367-46da-9a60-04098d39e165
Unpacked files
SH256 hash:
24bafcc570cc9bbb6b6e6652a57a519e0464e3996891aaba6f55299cce20b04f
MD5 hash:
89f845fc4898f2d47a3a81f0b57c60f1
SHA1 hash:
b04a2347a0f94e87215424d816f9912c7bc248d5
Link:
https://www.unpac.me/results/1b4f8310-7d5d-48af-915b-7f16b094a7d7/
SH256 hash:
28a1e3627deded98e1620b815422ae15f1dd1d4d643b7b92af97412961791a6a
MD5 hash:
662695b661699886ce83550a037bf659
SHA1 hash:
437f6d847cf8b1a16075f78e1e1474ac97f9a15b
Link:
https://www.unpac.me/results/1b4f8310-7d5d-48af-915b-7f16b094a7d7/
SH256 hash:
84c22579ca09f4fd8a8d9f56a6348c4ad2a92d4722c9f1213dd73c2f68a381e3
MD5 hash:
9f637fba2d680e23da0266c1507f870f
SHA1 hash:
05d4842c6e9b5f9430dad76a20c2a4a6feae0bf0
Link:
https://www.unpac.me/results/1b4f8310-7d5d-48af-915b-7f16b094a7d7/
SH256 hash:
28c85f29ac63a2aac0aeaa41b37f640296b1bf2ff672e9452ed30527065d5c54
MD5 hash:
b5a33f68e98ef6f08cc4d1dbce872e16
SHA1 hash:
07a4a43009951a56ba3cd89f8f4be181aebb9cfd
Link:
https://www.unpac.me/results/1b4f8310-7d5d-48af-915b-7f16b094a7d7/
SH256 hash:
ff9b3fc49bb3cd9a2ffea2dd8075a34908346fb8393aa2bf13aa15ac72583928
MD5 hash:
49a57a409ded6c2c8c90ad22656c99e9
SHA1 hash:
c4b8fd568f66bd9dbdc724ec1b14c0d792092823
Link:
https://www.unpac.me/results/1b4f8310-7d5d-48af-915b-7f16b094a7d7/
SH256 hash:
5c7d96455bbb045cb3cb3726d7b4fff2d0810a21d7fdb34ad134696aa7f47d5e
MD5 hash:
eb54116db322c49ec2faca86f725931e
SHA1 hash:
c703685ac6221d7de624039d7351886b21ca53fc
Detections:
INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
Create hunting rule
INDICATOR_EXE_Packed_Fody
Create hunting rule
Link:
https://www.unpac.me/results/1b4f8310-7d5d-48af-915b-7f16b094a7d7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5c7d96455bbb045cb3cb3726d7b4fff2d0810a21d7fdb34ad134696aa7f47d5e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:APT_Sandworm_ArguePatch_Apr_2022_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect ArguePatch loader used by Sandworm group for load CaddyWiper
Reference:https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:INDICATOR_EXE_Packed_Fody
Create hunting rule
Author:ditekSHen
Description:Detects executables manipulated with Fody
Rule name:Jupyter_infostealer
Create hunting rule
Author:CD_R0M_
Description:Rule for Jupyter Infostealer/Solarmarker malware from september 2021-December 2022
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:QbotStuff
Create hunting rule
Author:anonymous
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_OneNote
Create hunting rule
Author:spatronn
Description:Hard-Detect One

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments