MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6292ab88732470d76d2cdac3d1897a5c44bfe6217fa3af9f7ef747687b0b82a5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6292ab88732470d76d2cdac3d1897a5c44bfe6217fa3af9f7ef747687b0b82a5
SHA3-384 hash: 074a4a6ab46e339aedad4d98a66fdfc056626f5341ac33681ff03fd5e9c0f365383d77e3d4b5454cfe26a619b5bdd1eb
SHA1 hash: 0c2021615b90a79021eebd27ba80957f8dc3bf11
MD5 hash: 6186768cd728cf75c23694a223c1518e
humanhash: cat-chicken-spaghetti-washington
File name:OSForensics 10.0.1003.exe
Download: download sample
File size:764'360 bytes
First seen:2022-09-23 10:18:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 20dd26497880c05caed9305b3c8b9109 (31 x Adware.Auslogics, 5 x Adware.IObit, 5 x LummaStealer)
ssdeep 12288:uaHc64b888888888888W888888888885xscV7TdjL47zdU5imq2W33rD+zG/oBiu:F86oiW7uvmQVezG/aYFkJR30F6rp8W
Threatray 330 similar samples on MalwareBazaar
TLSH T101F40213B3C30071F5214A348C668004AD677DAD19F450A62EFDEB4E4FBA7C69D7AB62
TrID 30.2% (.EXE) Win32 Executable Delphi generic (14182/79/4)
22.4% (.EXE) Win64 Executable (generic) (10523/12/4)
14.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
9.6% (.EXE) Win32 Executable (generic) (4505/5/1)
6.3% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
dhash icon b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter oopsmishap
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
324
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
6292ab88732470d76d2cdac3d1897a5c44bfe6217fa3af9f7ef747687b0b82a5.zip
Verdict:
Malicious activity
Analysis date:
2022-09-23 10:39:29 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9a3e8f37-3711-4649-ae55-64f8bf69063a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/312572/
Detection(s):
PUA.Win.Malware.Speedingupmypc-6718419-0
Create hunting rule

Win.Packed.Agentino-9874843-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
DNS request
Sending an HTTP POST request
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/38554/overview
Behaviour
MalwareBazaar
CheckNumberOfProcessor
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed setupapi.dll shell32.dll
Link:
https://www.filescan.io/uploads/632d88341bf7950e75b14031/reports/7b097d74-81d0-4932-b423-f7c13b29f000/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/d7f08f5e-ff60-49ab-8bd1-579903110448
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1075832
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Uses 7zip to decompress a password protected archive
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 708374 Sample: OSForensics 10.0.1003.exe Startdate: 23/09/2022 Architecture: WINDOWS Score: 100 65 Antivirus detection for URL or domain 2->65 67 Antivirus detection for dropped file 2->67 69 Antivirus / Scanner detection for submitted sample 2->69 71 7 other signatures 2->71 9 OSForensics 10.0.1003.exe 2 2->9         started        13 sitool.exe 15 4 2->13         started        16 explorer.exe 11 10 2->16         started        process3 dnsIp4 55 C:\Users\user\...\OSForensics 10.0.1003.tmp, PE32 9->55 dropped 83 Obfuscated command line found 9->83 18 OSForensics 10.0.1003.tmp 3 22 9->18         started        61 avkit.org 13->61 63 192.168.2.1 unknown unknown 16->63 file5 signatures6 process7 dnsIp8 59 avkit.org 188.114.96.3, 49699, 49701, 80 CLOUDFLARENETUS European Union 18->59 47 C:\Users\user\AppData\Roaming\...\sitool.exe, PE32 18->47 dropped 49 C:\Users\user\AppData\Local\Temp\...\7za.exe, PE32 18->49 dropped 51 C:\Users\user\AppData\...\sitool.exe.config, XML 18->51 dropped 53 4 other files (3 malicious) 18->53 dropped 73 Uses 7zip to decompress a password protected archive 18->73 23 sitool.exe 4 18->23         started        26 7za.exe 2 18->26         started        29 7za.exe 2 18->29         started        31 2 other processes 18->31 file9 signatures10 process11 file12 75 Antivirus detection for dropped file 23->75 77 Multi AV Scanner detection for dropped file 23->77 79 Machine Learning detection for dropped file 23->79 81 Uses schtasks.exe or at.exe to add and modify task schedules 23->81 33 schtasks.exe 1 23->33         started        35 schtasks.exe 1 23->35         started        57 C:\Users\user\AppData\Local\Temp\...\form.exe, PE32 26->57 dropped 37 conhost.exe 26->37         started        39 conhost.exe 29->39         started        41 conhost.exe 31->41         started        signatures13 process14 process15 43 conhost.exe 33->43         started        45 conhost.exe 35->45         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6292ab88732470d76d2cdac3d1897a5c44bfe6217fa3af9f7ef747687b0b82a5/
Threat name:
Win32.Trojan.Bingoml
Create hunting rule
Status:
Malicious
First seen:
2022-09-23 10:19:11 UTC
File Type:
PE (Exe)
Extracted files:
8
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mkjkxcdteryno3jm3lb5dcl2lrcl7zrbp6r27h3665dwq6ylqksq._file
Verdict:
malicious
Similar samples:
066bdbaf5b5526cc3040573bea83da7a384e0c97df13d50a7cc0716b1dd8e6ac
1d75484aa645df348b7832522a8f1f9926549734f92b7398acec5b2c9117d571
1daf191be46f0785f537a84bd80727ee2d8c982ca8647fdfb30bd04459b7ad4c
1f73a9da45f9d484c31eb11b2fc4c2c0c4c8265e1ec511ea855fab7f3a9cbd52
4fa89634eb4cec2d104fb6e4fe4d2a366c2c0439245d31827c8e487bde065a5b
6df77c0f8991ed1bdd9a4a317e54351362037de7ee9d8b3ab978ae0a167c1e36
788f243c7272debc26bf6d13bad89b2ecdf2e62d95c494f14afe89415e7b7435
8b7410e87d3dae734ce56c38b3d8601f5e79549afd5820da9014e93bbb00bc95
8f97580803df8eb3e32d130be5dea795ec8091af2aa41337c606193242bc7e90
f732f4cd538d19a8d4e8e24c244d5b3c9bd378208e3369ba8e24c4cc0300b1f7
+ 320 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/220923-mchqnagdh7/
Behaviour
Script User-Agent
Suspicious use of WriteProcessMemory
Loads dropped DLL
Executes dropped EXE
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/a198f847-d464-4943-aef3-ab12eb051a94
Unpacked files
SH256 hash:
7f42ea98679cf825401a23f352e361a4ba9d534bb4569d9a19ab1e1eb2b00c09
MD5 hash:
caaa5314a159844433c2e3e854ac7a49
SHA1 hash:
3a5e2690f5669ea9113ed23563f7830dc2fe0f9a
Link:
https://www.unpac.me/results/21ef2304-9cdb-47c9-a7ee-d1bc585efd52/
SH256 hash:
813e785178b6ad12c92556d956f5e593274b8476ace11202be7df7b663a2e9b2
MD5 hash:
ae9034cae4f543b5c16569460d99531c
SHA1 hash:
283b7cacf40283c04b44241a42b606b388026f0f
Link:
https://www.unpac.me/results/21ef2304-9cdb-47c9-a7ee-d1bc585efd52/
SH256 hash:
44b8e6a310564338968158a1ed88c8535dece20acb06c5e22d87953c261dfed0
MD5 hash:
9c8886759e736d3f27674e0fff63d40a
SHA1 hash:
ceff6a7b106c3262d9e8496d2ab319821b100541
Link:
https://www.unpac.me/results/21ef2304-9cdb-47c9-a7ee-d1bc585efd52/
SH256 hash:
9c81817acd4982632d8c7f1df3898fca1477577738184265d735f49fc5480f07
MD5 hash:
34acc2bdb45a9c436181426828c4cb49
SHA1 hash:
5adaa1ac822e6128b8d4b59a54d19901880452ae
Link:
https://www.unpac.me/results/21ef2304-9cdb-47c9-a7ee-d1bc585efd52/
SH256 hash:
6292ab88732470d76d2cdac3d1897a5c44bfe6217fa3af9f7ef747687b0b82a5
MD5 hash:
6186768cd728cf75c23694a223c1518e
SHA1 hash:
0c2021615b90a79021eebd27ba80957f8dc3bf11
Link:
https://www.unpac.me/results/21ef2304-9cdb-47c9-a7ee-d1bc585efd52/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6292ab88732470d76d2cdac3d1897a5c44bfe6217fa3af9f7ef747687b0b82a5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/312572/

Comments