MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 68e0a92dc8aa1a2589476eb3b4fda0172ce62f1865f6d317ada69f5209f22228. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 68e0a92dc8aa1a2589476eb3b4fda0172ce62f1865f6d317ada69f5209f22228
SHA3-384 hash: 05375c53bd2e774a8216339cd7f64c1965cf9ce9eb241c40a1464269a15b83c476787f372a48a9d97825e1fee1a4154c
SHA1 hash: 22f4483114019781055bbdfcc898418bac3916c6
MD5 hash: 778eebf1b47351760bc0e7008bbc3f29
humanhash: fruit-victor-oxygen-earth
File name:SecuriteInfo.com.Trojan.Moneyinst.744.12664.7077
Download: download sample
File size:3'138'275 bytes
First seen:2024-08-30 00:20:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'454 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep 49152:V9R9661pSQqFq0x0gZupwtc6ljlriNbJ9M1nHbCQX4nPmh5GliqL5GIUVUtSNmw:zRM61kxmpwKYxqMR556vGIUVU4Nv
TLSH T1FCE5339227845473C492E471A43B9F1AE8167C6F0FB6702736AFB88CD6B3562C28D7C5
TrID 76.2% (.EXE) Inno Setup installer (107240/4/30)
10.0% (.EXE) Win32 Executable Delphi generic (14182/79/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.2% (.EXE) Win32 Executable (generic) (4504/4/1)
1.4% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
File icon (PE):PE icon
dhash icon f86eeae6b696c6cc (6 x AgentTesla, 3 x LummaStealer, 3 x Floxif)
Reporter SecuriteInfoCom
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
383
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Trojan.Moneyinst.744.12664.7077
Verdict:
Suspicious activity
Analysis date:
2024-08-30 00:21:53 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/20439fee-1270-41dc-a661-673e59c066b7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Moneyinst.744.12664.7077.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66d11071f1a57bfb70915a53
Tags:
Encryption Execution Generic Network Stealth Trojan
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/68e0a92dc8aa1a2589476eb3b4fda0172ce62f1865f6d317ada69f5209f22228
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
MiniUPnP
Create hunting rule
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/460a0218-f785-4498-8e50-93358e6420c5
Result
Threat name:
n/a
Detection:
clean
Classification:
phis.evad
Score:
19 / 100
Link:
https://www.joesandbox.com/analysis/1501532
Signature
Modifies Internet Explorer zonemap settings
Behaviour
Behavior Graph:
n/a
Score:
37%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/68e0a92dc8aa1a2589476eb3b4fda0172ce62f1865f6d317ada69f5209f22228
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/68e0a92dc8aa1a2589476eb3b4fda0172ce62f1865f6d317ada69f5209f22228/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ndqksloivinclckhn2z3j7nac4womlyymx3ngf5nu2pvecpseiua._file
Verdict:
unknown
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery
Link:
https://tria.ge/reports/240830-anb12azenl/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Executes dropped EXE
Loads dropped DLL
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/707d1033-08cc-4212-a140-d3f22be679b5
Unpacked files
SH256 hash:
64e613a218e186ff32397528970806ddd69accef7c1acc913f8f996a55551344
MD5 hash:
52622aa982af0f279a84f91ffb723af5
SHA1 hash:
e491e8c0c538ee5492d2c691b3ee95f869a460f6
Link:
https://www.unpac.me/results/dfaaabc3-2c64-480c-8db7-2acce35e4ab7/
SH256 hash:
ea7c0190aebf11ca56ee193b69e91d663639c2ba472dee753d2454e52738c12e
MD5 hash:
304564d9bbda04fea04dce400f71ae46
SHA1 hash:
d15a9f6efcbc0bff12c8fae8605c9144e5d25e7e
Detections:
allow_rdp_session_without_password
Create hunting rule
Link:
https://www.unpac.me/results/dfaaabc3-2c64-480c-8db7-2acce35e4ab7/
SH256 hash:
3fc5965f5165285a9e06d76f304cfdb904bb72f06ff362363a7bfd6e8cca4ac8
MD5 hash:
65475a309724c4c72a73929f9dd121bd
SHA1 hash:
a7531ef690dc11832988b043986d7e1141870c23
Link:
https://www.unpac.me/results/dfaaabc3-2c64-480c-8db7-2acce35e4ab7/
SH256 hash:
792ab6b54ffaa11f297407ddda4e255f4aa1bf1981b11120d9eaf59e03565d78
MD5 hash:
8a96513d861877198b0dd0c738b3a159
SHA1 hash:
8b331b8bca8d5189c5a1b42208e8efab948a1b5a
Link:
https://www.unpac.me/results/dfaaabc3-2c64-480c-8db7-2acce35e4ab7/
SH256 hash:
1cf94c71d582b9cee09aff31b040d5c684dd2209b65f77a64c95e0804dd4bee4
MD5 hash:
b68f1944c93471861376c2b80c0164b8
SHA1 hash:
8202fb669f9668ae34e968166e74dc0a0598edd0
Link:
https://www.unpac.me/results/dfaaabc3-2c64-480c-8db7-2acce35e4ab7/
SH256 hash:
3b7bd2ab3b258ecd0fa7461eab5fa79544b885982c2e8e07735b0c09af3f6358
MD5 hash:
e9e1ef92dbb4cf627abc4594463c196f
SHA1 hash:
0cd484b69b24a7f7574f3b95ad2f92a6ee56380f
Link:
https://www.unpac.me/results/dfaaabc3-2c64-480c-8db7-2acce35e4ab7/
SH256 hash:
1a67d2e624b981a25249643a7f107b35440214fd91a9e2eb708f82982b105b8a
MD5 hash:
1aecc6c9c3af21da341b7c256f55375f
SHA1 hash:
011e53b9f22fa2fafa781a59e666b65d8a84398d
Link:
https://www.unpac.me/results/dfaaabc3-2c64-480c-8db7-2acce35e4ab7/
SH256 hash:
44b8e6a310564338968158a1ed88c8535dece20acb06c5e22d87953c261dfed0
MD5 hash:
9c8886759e736d3f27674e0fff63d40a
SHA1 hash:
ceff6a7b106c3262d9e8496d2ab319821b100541
Link:
https://www.unpac.me/results/dfaaabc3-2c64-480c-8db7-2acce35e4ab7/
SH256 hash:
b20a8d88c550981137ed831f2015f5f11517aeb649c29642d9d61dea5ebc37d1
MD5 hash:
526426126ae5d326d0a24706c77d8c5c
SHA1 hash:
68baec323767c122f74a269d3aa6d49eb26903db
Link:
https://www.unpac.me/results/dfaaabc3-2c64-480c-8db7-2acce35e4ab7/
SH256 hash:
351d3333221de21ac4c66b8f898af4dc751d2ce84b4ab74fa29042dfc0ff6685
MD5 hash:
06da780f19d2bd613094de26695f73d8
SHA1 hash:
dc8755cca2f6ef4c02072befc029d4242254f426
Link:
https://www.unpac.me/results/dfaaabc3-2c64-480c-8db7-2acce35e4ab7/
SH256 hash:
68e0a92dc8aa1a2589476eb3b4fda0172ce62f1865f6d317ada69f5209f22228
MD5 hash:
778eebf1b47351760bc0e7008bbc3f29
SHA1 hash:
22f4483114019781055bbdfcc898418bac3916c6
Link:
https://www.unpac.me/results/dfaaabc3-2c64-480c-8db7-2acce35e4ab7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/68e0a92dc8aa1a2589476eb3b4fda0172ce62f1865f6d317ada69f5209f22228

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
SECURITY_BASE_APIUses Security Base APIadvapi32.dll::AdjustTokenPrivileges
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CreateProcessA
advapi32.dll::OpenProcessToken
kernel32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryA
kernel32.dll::GetSystemInfo
kernel32.dll::GetCommandLineA
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateDirectoryA
kernel32.dll::CreateFileA
kernel32.dll::DeleteFileA
kernel32.dll::GetWindowsDirectoryA
kernel32.dll::GetFileAttributesA
kernel32.dll::RemoveDirectoryA
WIN_BASE_USER_APIRetrieves Account Informationadvapi32.dll::LookupPrivilegeValueA
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegOpenKeyExA
advapi32.dll::RegQueryValueExA
WIN_USER_APIPerforms GUI Actionsuser32.dll::PeekMessageA
user32.dll::CreateWindowExA

Comments