MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 689ad5731f3c1e34aa06da8d053d166fafdb65c3f8e06554bbe9e384e0435538. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 7

SHA256 hash: 689ad5731f3c1e34aa06da8d053d166fafdb65c3f8e06554bbe9e384e0435538
SHA3-384 hash: ca450b81e44f6f61e3afb7f1647a311e2beb6b794f271c7e1768a211c5dbc8865358b271f43004f5f1f686ea6e9f6964
SHA1 hash: 6e5d18a34b981536e4d4086976519e77d4199fb0
MD5 hash: e45cec09941abe32e87b4e02268c5ff0
humanhash: high-robert-xray-xray
File name: SecuriteInfo.com.Trojan.DownLoader11.25482.23074.19444
File size: 3'292'030 bytes
First seen: 2023-05-19 03:27:46 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash ccc0e829fe1206cd39d147ca374725d4
ssdeep 98304:ZMFj+zf6O2Iql9FbSYVa9TUSEawBVJ8+Sk1:u+DzkbSNylz8Fk1
TLSH T18CE533153A91CAFFC8100971E9BDE1F1A22DEF663B01A066E7DCFE1B38152C2918755B
TrID:
  29.9% (.SCR) Windows screen saver (13097/50/3)
  24.0% (.EXE) Win64 Executable (generic) (10523/12/4)
  15.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  10.2% (.EXE) Win32 Executable (generic) (4505/5/1)
  6.8% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
dhash icon: aa8ecc0e88cc8eaa
Reporter: SecuriteInfoCom
Tags: exe

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 234
Origin country: FR

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: SecuriteInfo.com.Trojan.DownLoader11.25482.23074.19444
Verdict: Malicious activity
Analysis date: 2023-05-19 03:37:05 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
DNS request
Sending an HTTP GET request
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Setting a new proxy server as a default one
Creating a file
Sending a custom TCP request
Enabling the use of the proxy server
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: datper

Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: n/a
Detection: malicious
Classification: adwa
Score: 56 / 100
Signature
Enables a proxy for the internet explorer
Multi AV Scanner detection for submitted file
PE file has nameless sections
Behaviour
Behavior Graph (ID 869799; sample SecuriteInfo.com.Trojan.Dow...; start date 19/05/2023; architecture WINDOWS; score 56):
  Signatures: Multi AV Scanner detection for submitted file; PE file has nameless sections; Enables a proxy for the internet explorer.
  Processes started: SecuriteInfo.com.Trojan.DownLoader11.25482.23074.19444.exe, which launches ProxySwitcher.exe (several instances).
  Dropped files: C:\Users\user\AppData\...\ProxySwitcher.exe (PE32); C:\Users\user\AppData\Local\Temp\...\pcre.dll (PE32); C:\Users\user\AppData\Local\...\libssl32.dll (PE32); 3 other files (none is malicious); passwords.lz, passwords.lz.bak, passwords.lz.tmp.*, psw.lz, psw.lz.tmp.* and proxynet.lz (MS-DOS) under C:\Users\user\AppData\....
  Network: lyra.velns.org (104.131.85.175, ports 49702, 49703, 49704; DIGITALOCEAN-ASN, United States); core.proxyswitcher.com.
Verdict: unknown
Result
Malware family: n/a
Score: 7/10
Tags: persistence upx
Behaviour
Enumerates system info in registry
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
ACProtect 1.3x - 1.4x DLL software
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
UPX packed file
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: QbotStuff
Author: anonymous

File information


The table below shows additional information about this malware sample such as delivery method and external references.
