MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5e5dd07f4253809a8e394da9020e2c102e49e5849a42f3387d655d7dbc4e5f84. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5e5dd07f4253809a8e394da9020e2c102e49e5849a42f3387d655d7dbc4e5f84
SHA3-384 hash: 8dc4855e532a682fd2727fbfd144350b4972096d9cce1e7867b1e116d21c690f173e018e6389623840e10a8e144ba9ea
SHA1 hash: 2c471be193695b36c355599cbd7b8a2f48495be8
MD5 hash: c0a01dae624c3b95161dce28717b8ef5
humanhash: oregon-india-beryllium-bakerloo
File name:SecuriteInfo.com.Program.Unwanted.5510.19662.8210
Download: download sample
File size:59'848 bytes
First seen:2024-05-21 19:33:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 1536:vIJyprNKNkmXJCOSXIKxH1RAO2MxH1RAOcesHxU:vIJyp5Wk6JoXIUH5H+en
TLSH T18F43D062EFA4925EFF6B8F3BFCE2751116B7B74315888E6E54C8600A4E207111743DAA
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 0cb2b27171ccfcd0
Reporter SecuriteInfoCom
Tags:exe signed

Code Signing Certificate

Organisation:ROSTPAY LLC
Issuer:GlobalSign GCC R45 EV CodeSigning CA 2020
Algorithm:sha256WithRSAEncryption
Valid from:2023-06-16T06:32:39Z
Valid to:2025-07-21T13:59:39Z
Serial number: 5e8b8578e42183fd1f84cf04
Intelligence: 6 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 9c9861a03bdb211c22878641b1a614f4f39eb20b52e31e9354628cb618bb0e98
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
339
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://ddsoft.site/smart/OTV8Nzg
Verdict:
Malicious activity
Analysis date:
2024-05-07 09:20:43 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e4e092c4-2edd-42a3-97eb-af51dd32c832

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Program.Unwanted.5510.19662.8210.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Score:
50%
Link:
https://cyber-fortress.com/docs/result/index.php?id=664cf7a28e7dbc7fe29b4692win7simulatehigh_evasion
Tags:
Encryption Generic Static Stealth
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
DNS request
Connecting to a non-recommended domain
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a file
Creating a file in the %AppData% subdirectories
Searching for synchronization primitives
Verdict:
No Threat
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade overlay packed
Link:
https://www.filescan.io/uploads/664cf72c024a27284d41a700/reports/ab1f01db-151d-4112-bafe-080cab54c99b/overview
Verdict:
Suspicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/5e5dd07f4253809a8e394da9020e2c102e49e5849a42f3387d655d7dbc4e5f84
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/b91c002b-f79b-4cfc-a590-705cfaa9298c
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.spyw.evad.rans
Score:
51 / 100
Link:
https://www.joesandbox.com/analysis/1445295
Signature
Contains functionality to register a low level keyboard hook
Found direct / indirect Syscall (likely to bypass EDR)
Installs a global event hook (focus changed)
Malicious sample detected (through community Yara rule)
Writes many files with high entropy
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1445295 Sample: SecuriteInfo.com.Program.Un... Startdate: 21/05/2024 Architecture: WINDOWS Score: 51 137 Malicious sample detected (through community Yara rule) 2->137 139 Contains functionality to register a low level keyboard hook 2->139 141 Writes many files with high entropy 2->141 143 Yara detected Generic Downloader 2->143 11 SecuriteInfo.com.Program.Unwanted.5510.19662.8210.exe 15 4 2->11         started        15 launcher.exe 2->15         started        process3 dnsIp4 131 188.130.153.33 ROSTPAY-ASRU Russian Federation 11->131 133 185.26.182.112 NO-OPERANO Norway 11->133 135 44.215.213.2 AMAZON-AESUS United States 11->135 115 C:\Users\user\AppData\...\OperaGXSetup.exe, PE32 11->115 dropped 17 OperaGXSetup.exe 50 11->17         started        117 C:\Users\user\AppData\Local\...\installer.exe, PE32+ 15->117 dropped 22 installer.exe 15->22         started        file5 process6 dnsIp7 119 185.26.182.106 NO-OPERANO Norway 17->119 121 185.26.182.124 NO-OPERANO Norway 17->121 123 5 other IPs or domains 17->123 79 C:\Users\user\AppData\Local\...\opera_package, PE32 17->79 dropped 81 Opera_GX_109.0.509...toupdate_x64[1].exe, PE32 17->81 dropped 83 Opera_installer_2405211954120726196.dll, PE32 17->83 dropped 87 4 other files (none is malicious) 17->87 dropped 147 Writes many files with high entropy 17->147 24 OperaGXSetup.exe 1 182 17->24         started        27 Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe 5 17->27         started        29 OperaGXSetup.exe 5 17->29         started        31 2 other processes 17->31 85 Opera_installer_2405211956557154984.dll, PE32+ 22->85 dropped file8 signatures9 process10 file11 97 C:\Users\user\AppData\Local\...\installer.exe, PE32+ 24->97 dropped 99 C:\Users\user\AppData\...\assistant_package, PE32 24->99 dropped 101 C:\Users\user\...\gx-classic-light.zip, Zip 24->101 dropped 113 25 other files (4 malicious) 24->113 dropped 33 installer.exe 24->33         started        37 OperaGXSetup.exe 4 24->37         started        103 C:\Users\user\AppData\Local\...\mojo_core.dll, PE32 27->103 dropped 105 C:\Users\user\...\browser_assistant.exe, PE32 27->105 dropped 107 C:\Users\user\...\assistant_installer.exe, PE32 27->107 dropped 109 Opera_installer_2405211954123277084.dll, PE32 29->109 dropped 111 Opera_installer_2405211954127831460.dll, PE32 31->111 dropped 39 assistant_installer.exe 2 31->39         started        process12 file13 69 C:\Users\user\AppData\Local\...\opera.exe, PE32+ 33->69 dropped 71 Opera_installer_2405211956477475784.dll, PE32+ 33->71 dropped 73 C:\Users\user\AppData\Local\...\launcher.exe, PE32+ 33->73 dropped 75 C:\...\launcher.exe.1716321408.old (copy), PE32+ 33->75 dropped 145 Installs a global event hook (focus changed) 33->145 41 explorer.exe 33->41 injected 43 ZhXsbmfewfNzkMWbhax.exe 33->43 injected 46 launcher.exe 33->46         started        48 11 other processes 33->48 77 Opera_installer_2405211954136196900.dll, PE32 37->77 dropped signatures14 process15 file16 51 opera.exe 41->51         started        149 Found direct / indirect Syscall (likely to bypass EDR) 43->149 54 opera.exe 46->54         started        67 Opera_installer_2405211956480674396.dll, PE32+ 48->67 dropped signatures17 process18 file19 89 C:\Users\user\...\gx-classic-light.zip, Zip 51->89 dropped 91 C:\Users\user\AppData\...\gx-classic-dark.zip, Zip 51->91 dropped 93 C:\Users\user\...\gx-1-classic-light.zip, Zip 51->93 dropped 95 9 other malicious files 51->95 dropped 56 opera.exe 51->56         started        59 opera_crashreporter.exe 51->59         started        61 opera.exe 51->61         started        65 2 other processes 51->65 63 opera_crashreporter.exe 54->63         started        process20 dnsIp21 125 185.26.182.111 NO-OPERANO Norway 56->125 127 185.26.182.94 NO-OPERANO Norway 56->127 129 6 other IPs or domains 56->129
Score:
28%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/5e5dd07f4253809a8e394da9020e2c102e49e5849a42f3387d655d7dbc4e5f84
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5e5dd07f4253809a8e394da9020e2c102e49e5849a42f3387d655d7dbc4e5f84/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lzo5a72ckoajvdrzjwuqedrmcaxetzmetjbpgod5mvox3pcol6ca._file
Verdict:
unknown
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/240521-x94dqsgb47/
Behaviour
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates connected drives
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/7ae9953b-52a4-445c-b6b2-8eb0aa1a2151
Unpacked files
SH256 hash:
5e5dd07f4253809a8e394da9020e2c102e49e5849a42f3387d655d7dbc4e5f84
MD5 hash:
c0a01dae624c3b95161dce28717b8ef5
SHA1 hash:
2c471be193695b36c355599cbd7b8a2f48495be8
Link:
https://www.unpac.me/results/7bc89d3e-0d63-46cd-9c98-a1982dd88533/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.13
Link:
https://yomi.yoroi.company/submissions/5e5dd07f4253809a8e394da9020e2c102e49e5849a42f3387d655d7dbc4e5f84

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments