MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6966f92616bae9252b96f666136667076c6368f00778670c530708648631443b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6966f92616bae9252b96f666136667076c6368f00778670c530708648631443b
SHA3-384 hash: d57642ba50ac85ab48732f0b4890bf36bb04fb6d722403826dd3e9f8773f80fc13950bf790521ba7b3782083962b0c59
SHA1 hash: 1045c084017277b8991e41d29ee101cf962f620a
MD5 hash: 17e36437bd558374106622b7327a2aca
humanhash: pizza-east-march-virginia
File name:file
Download: download sample
File size:433'216 bytes
First seen:2023-04-20 15:07:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e160ef8e55bb9d162da4e266afd9eef3 (140 x GuLoader, 33 x RemcosRAT, 17 x AgentTesla)
ssdeep 6144:Q8dNXSEmZt3bs5f7krvBM/0XuS+6JJ+dYiaxRt7b6UGQXifRAB10GTgjyBk:zmvrsyrvNeiyYiaJfZzxB1qyO
Threatray 826 similar samples on MalwareBazaar
TLSH T1729423A183D2E89FE18029B02437FAB4DF795E8D54815A5743D9CEFB3E326930F191A4
TrID 92.7% (.EXE) NSIS - Nullsoft Scriptable Install System (846567/2/133)
3.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
1.1% (.EXE) Win64 Executable (generic) (10523/12/4)
0.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
0.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter andretavare5
Tags:85-217-144-143 exe signed

Code Signing Certificate

Organisation:Lucky Joe
Issuer:KoraySec Root CA
Algorithm:sha256WithRSAEncryption
Valid from:2023-03-01T08:35:18Z
Valid to:2024-02-29T08:35:18Z
Serial number: 01040503
Intelligence: 7 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: f5ca113a05f5dad39049f8417857f9418294c6597f91aafe43357e1cb690a062
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
andretavare5
Sample downloaded from https://supportpmr.com/Lyla131.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
299
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-04-20 15:08:31 UTC
Tags:
installer
Link:
https://app.any.run/tasks/1cfd4ed0-228b-47a7-a30a-d610027b3283

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/383792/
Detection(s):
SecuriteInfo.com.Dropped.Generic.Malware.Ydr.E9FB9B9B.6233.7632.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a file in the Program Files subdirectories
Creating a process from a recently created file
Creating a window
Launching a process
Searching for the browser window
DNS request
Sending a custom TCP request
Сreating synchronization primitives
Sending an HTTP GET request
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Changing settings of the browser security zones
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/64415553269467327370122b/reports/8b02fa54-a89c-4577-802a-523a31b100d8/overview
Verdict:
Malicious
Labled as:
Dropper.Generic.Malware.Ydr
Link:
https://www.hybrid-analysis.com/sample/6966f92616bae9252b96f666136667076c6368f00778670c530708648631443b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/3db4a801-150f-4220-909e-26f65cbb18bb
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/1218138
Signature
Creates multiple autostart registry keys
Disables UAC (registry)
Machine Learning detection for dropped file
PE file has a writeable .text section
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 851081 Sample: file.exe Startdate: 20/04/2023 Architecture: WINDOWS Score: 56 37 www.google.com 2->37 65 Machine Learning detection for dropped file 2->65 67 PE file has a writeable .text section 2->67 8 file.exe 7 43 2->8         started        12 LuckyWheel.exe 2->12         started        15 LuckyWheel.exe 2->15         started        17 6 other processes 2->17 signatures3 process4 dnsIp5 29 C:\Users\user\AppData\Local\...\UserInfo.dll, PE32 8->29 dropped 31 C:\Users\user\AppData\Local\...\System.dll, PE32 8->31 dropped 33 C:\Users\user\AppData\Local\Temp\...\Math.dll, PE32 8->33 dropped 35 5 other files (4 malicious) 8->35 dropped 69 Creates multiple autostart registry keys 8->69 71 Disables UAC (registry) 8->71 19 chrome.exe 17 1 8->19         started        22 LuckyWheel.exe 15 33 8->22         started        24 WindowsServices.exe 2 8->24         started        53 www.google.com 12->53 55 luckywheels-v2.onrender.com 12->55 57 www.google.com 15->57 59 luckywheels-v2.onrender.com 15->59 61 www.google.com 17->61 63 luckywheels-v2.onrender.com 17->63 file6 signatures7 process8 dnsIp9 39 192.168.2.1 unknown unknown 19->39 41 239.255.255.250 unknown Reserved 19->41 26 chrome.exe 19->26         started        43 www.google.com 22->43 45 luckywheels-v2.onrender.com 22->45 process10 dnsIp11 47 ams.creativecdn.com 185.184.8.90, 443, 49795, 49806 RTB-HOUSE-AMSNL Poland 26->47 49 global.px.quantserve.com 91.228.74.159, 443, 49784 QUANTCASTUS United Kingdom 26->49 51 26 other IPs or domains 26->51
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6966f92616bae9252b96f666136667076c6368f00778670c530708648631443b/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Suspicious
First seen:
2023-04-20 15:08:07 UTC
File Type:
PE (Exe)
Extracted files:
33
AV detection:
6 of 24 (25.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nftpsjqwxluskk4w6ztbgztha5wgg2hqa54godcta4egjbrriq5q._file
Verdict:
malicious
Similar samples:
244982d45d69eff9af5620eed85c3ec725f7446b50ba3ac64ec2ca883c5f4444
4c20d1f5a4c17f9ee708ccc4a568defc69e9b8fecf5d3b0cc3712ebd64fc2f5f
90f43bc5d73e312d03e295e766747937ffd2d12a76463f0cb56a43d3f1a1faed
9d09fa44302e2f5c4905636bf76a6fbda566787bc587eb105a412828b491c73a
a0460d3bedbdd6aa525aa62d9161739f70f35b82b7878ae8923c60e701cb691f
c42840af07ce02effd645b993cbee380d20e097ed2bd1e68468624766b0601b2
c9fe71715c02aadcef31d9df6ad876f7d9ac9e747c0ec541139a2d22045a1b67
f0e46ef693007a475e636765ae1fbfa43c330b77398927545ad86cb1de02bad0
f1296c58d318f766077a9c3b3d36d60dc4dd27012e728af8be0a41432daf19bd
+ 816 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence trojan
Link:
https://tria.ge/reports/230420-shv6tsce8y/
Behaviour
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Drops file in Program Files directory
Adds Run key to start application
Checks whether UAC is enabled
Executes dropped EXE
Loads dropped DLL
UAC bypass
Unpacked files
SH256 hash:
84ec724aee61d5e856d2d025d1a8a66591ac8d4c5dee37112ba5d41149401bf6
MD5 hash:
c7d7b57328bc8ec7f6f984de567c2fa7
SHA1 hash:
3a397ea070336a46dd7bc25688c3e0edd0722f8d
Link:
https://www.unpac.me/results/121ba30a-44fa-4828-a553-40c8585e5587/
SH256 hash:
6966f92616bae9252b96f666136667076c6368f00778670c530708648631443b
MD5 hash:
17e36437bd558374106622b7327a2aca
SHA1 hash:
1045c084017277b8991e41d29ee101cf962f620a
Link:
https://www.unpac.me/results/121ba30a-44fa-4828-a553-40c8585e5587/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6966f92616ba/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6966f92616bae9252b96f666136667076c6368f00778670c530708648631443b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/383792/
  
URLhaus
https://urlhaus.abuse.ch/url/2614698/

Comments