MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5d5e2231b8a8febafd04afef45760857c1a601b91dfb0c7c81881c9eadcf0e8a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Adware.Generic


Vendor detections: 10


Intelligence 10 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5d5e2231b8a8febafd04afef45760857c1a601b91dfb0c7c81881c9eadcf0e8a
SHA3-384 hash: 79a76c0eabc42c81cc1953bd3d21cb0c54c265a5e4ea816e52c856cec0accee9fdebb5d53b2fe5c89c7cae78b9a8d0df
SHA1 hash: 4e613ac6fe5f02f862071c589827eff6d64914a2
MD5 hash: f1f8d8392d39bde421594d058c21a88a
humanhash: fillet-stream-floor-july
File name:LAUNCHER_v3.13_patched.exe
Download: download sample
Signature Adware.Generic
Create hunting rule
File size:8'342'528 bytes
First seen:2025-02-02 14:22:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f838362cf3a6b98d8a81387b38f950f0 (1 x Adware.Generic, 1 x Rhadamanthys, 1 x LummaStealer)
ssdeep 98304:7kdL9GfSZPm2x4dYvK6PMCPY3sKr5qR6cl+j75TnX:7kdbZPRY+02OsKdBcl+j75TnX
TLSH T17B86D026FA65C43BD05251744E1BA6B679357E74AE098883F3E07E0DBEF12D06E29313
TrID 38.0% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
28.4% (.EXE) InstallShield setup (43053/19/16)
8.5% (.EXE) DOS Executable Borland C++ (13007/5/3)
6.9% (.EXE) Win64 Executable (generic) (10522/11/4)
6.6% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
Magika pebin
File icon (PE):PE icon
dhash icon b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter aachum
Tags:de-pumped exe


Avatar
iamaachum
https://ailzszhds.cfd/?v1ichH54P8YxoMmQWnLX2TkDzJuUj7qO=9pEXT8aFrMWgGDB4LHv7edY1VCsi3hNJmtIRzPfl6kuQycj=qhGon7Z2Mxmdl5yNUHzID4Tvkp19ujS8gfAJieVQPwW#oRiQXfJuvVSxs2GD9691F0pPXtRJFgn9XlgFxvxcEUPckZqePuo => https://mega.nz/file/EL9XCYgI#UTKlOfSaIRV03hC3jVnPTvPfTI6m4B53ZonRtXKchq0

Intelligence

File Origin
# of uploads :
1
# of downloads :
469
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
LAUNCHER_v3.13_patched.exe
Verdict:
Malicious activity
Analysis date:
2025-02-02 14:19:27 UTC
Tags:
stealer
Link:
https://app.any.run/tasks/d4884767-b4cd-4597-8d02-4bc4003c557c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Clean
Score:
89.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=679f7fe3416a81ccc3c5005d
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Searching for the window
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Creating a file in the %temp% directory
Stealing user critical data
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context borland_c fingerprint keylogger overlay packed packed packer_detected
Link:
https://www.filescan.io/uploads/679f7fda06d12bc30bf56f12/reports/6120842b-3bef-46a2-860a-319adec756af/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/5d5e2231b8a8febafd04afef45760857c1a601b91dfb0c7c81881c9eadcf0e8a
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
LummaC2 Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4db51043-13db-4955-9265-f099e7ba90a8
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw.evad
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/1605040
Signature
Found direct / indirect Syscall (likely to bypass EDR)
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Tries to steal Mail credentials (via file / registry access)
Behaviour
Behavior Graph:
Download SVG
Score:
11%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/5d5e2231b8a8febafd04afef45760857c1a601b91dfb0c7c81881c9eadcf0e8a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5d5e2231b8a8febafd04afef45760857c1a601b91dfb0c7c81881c9eadcf0e8a/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-02-02 14:23:18 UTC
File Type:
PE (Exe)
Extracted files:
171
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lvpcemnyvd7lv7iev7xuk5qik7a2manzdx5qy7ebraoj5lopb2fa._file
Result
Malware family:
n/a
Score:
  3/10
Tags:
discovery
Link:
https://tria.ge/reports/250202-rqapesxnbj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/81908810-c580-4662-8f05-ddae3a840d3a
Unpacked files
SH256 hash:
5d5e2231b8a8febafd04afef45760857c1a601b91dfb0c7c81881c9eadcf0e8a
MD5 hash:
f1f8d8392d39bde421594d058c21a88a
SHA1 hash:
4e613ac6fe5f02f862071c589827eff6d64914a2
Link:
https://www.unpac.me/results/00bb9d49-4497-404b-bff1-3b976c325fee/
SH256 hash:
678359c47ac8bbbd30d02b4a3663a7b644d24b40255dd1029cc1b1fc0d454fd6
MD5 hash:
d3b55e81d22181faac45025fa324fbb6
SHA1 hash:
46dd39a49d024acc0a659b8e26014fa29dcc7e5e
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/00bb9d49-4497-404b-bff1-3b976c325fee/
Parent samples :
822b737a9db5ead10aec86a34feb57141e43c5679b620ce3191d335997a3f44d
59ae8d923ec039ce1f269ac6bd85486842f399d9e027bf113c53628410bad6bc
810cb4d332ade84e4bb0a4d952180ccb4e5428e19445f9f5d71cd57a7030cf2b
debc847630bcb249642a771c7c1559f847abd436bd93b83d2ce2bb41a55ea364
5d5e2231b8a8febafd04afef45760857c1a601b91dfb0c7c81881c9eadcf0e8a
9fe86d6c49079c5c47955ea7b2c04a1b9e16340b88799fc02bceaee4e4f3e99e
SH256 hash:
a6edb3fb6d21dd461da3767a7995034e208f7d6b08997f6cf7ee7b0ea833a8f0
MD5 hash:
cabb58bb5694f8b8269a73172c85b717
SHA1 hash:
9ed583c56385fed8e5e0757ddb2fdf025f96c807
Link:
https://www.unpac.me/results/00bb9d49-4497-404b-bff1-3b976c325fee/
SH256 hash:
68bee500e0080f21c003126e73b6d07804d23ac98b2376a8b76c26297d467abe
MD5 hash:
d4dae7149d6e4dab65ac554e55868e3b
SHA1 hash:
b3bea0a0a1f0a6f251bcf6a730a97acc933f269a
Link:
https://www.unpac.me/results/00bb9d49-4497-404b-bff1-3b976c325fee/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5d5e2231b8a8febafd04afef45760857c1a601b91dfb0c7c81881c9eadcf0e8a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Rhadamanthys

zip cf7469f8d7e837770a7d7a9e126cd1c718d5c55598b964dddd3be20596d1535a

Adware.Generic

Executable exe 5d5e2231b8a8febafd04afef45760857c1a601b91dfb0c7c81881c9eadcf0e8a

(this sample)

anyrun
any.run
https://app.any.run/tasks/d4884767-b4cd-4597-8d02-4bc4003c557c
  
Dropped by
SHA256 cf7469f8d7e837770a7d7a9e126cd1c718d5c55598b964dddd3be20596d1535a
  
Delivery method
Distributed via web download
  
Dropped by
MD5 4dbfdb286b684d0d1b8065dee6cb6051

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsOLE32.DLL::CoCreateInstance
SHELL_APIManipulates System ShellSHELL32.DLL::ShellExecuteA
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.DLL::CloseHandle
KERNEL32.DLL::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.DLL::LoadLibraryA
KERNEL32.DLL::LoadLibraryExA
KERNEL32.DLL::GetDriveTypeA
KERNEL32.DLL::GetVolumeInformationA
KERNEL32.DLL::GetSystemInfo
KERNEL32.DLL::GetStartupInfoA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.DLL::WinExec
KERNEL32.DLL::SetConsoleCtrlHandler
WIN_BASE_IO_APICan Create FilesKERNEL32.DLL::CopyFileA
KERNEL32.DLL::CreateDirectoryA
KERNEL32.DLL::CreateDirectoryExA
KERNEL32.DLL::CreateFileA
KERNEL32.DLL::DeleteFileA
KERNEL32.DLL::MoveFileA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.DLL::RegCreateKeyExA
ADVAPI32.DLL::RegDeleteKeyA
ADVAPI32.DLL::RegOpenKeyExA
ADVAPI32.DLL::RegQueryInfoKeyA
ADVAPI32.DLL::RegQueryValueExA
ADVAPI32.DLL::RegSetValueExA
WIN_USER_APIPerforms GUI ActionsUSER32.DLL::ActivateKeyboardLayout
USER32.DLL::AppendMenuA
USER32.DLL::CreateMenu
USER32.DLL::FindWindowA
USER32.DLL::PeekMessageA
USER32.DLL::PeekMessageW

Comments