MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6b0b51571bf31bb33557c350bd8ece2512ecc9b8110d9f06ebeefab24cf079cf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6b0b51571bf31bb33557c350bd8ece2512ecc9b8110d9f06ebeefab24cf079cf
SHA3-384 hash: 62ea59e0f0454d4f0273884e8203bf541b223382a74577829e72f29822a87bb494d97450ebfb1f5528448d5106aa42b8
SHA1 hash: c4219bc5142e09955b650e9eae921eacf7f24719
MD5 hash: b0e1eb53c550def25f9954cc9023bc69
humanhash: chicken-cold-artist-five
File name:SecuriteInfo.com.Trojan-Dropper.Delf.16490.18119
Download: download sample
File size:4'417'164 bytes
First seen:2024-07-15 16:24:49 UTC
Last seen:2024-07-24 15:26:25 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'511 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep 98304:fAsjDw0PBB9ADFIBynF5KMIQOUeGUHekZV4nAdcrby7/Bgd7HctH:Isf5pDADFIBynCiOrHe0V4nrrO7/Od7i
TLSH T10616334FB298547AE700C0BBCEBD7910D337DF1836B75606D63CAE88AF326259865784
TrID 69.7% (.EXE) Inno Setup installer (107240/4/30)
9.2% (.EXE) Win32 Executable Delphi generic (14182/79/4)
8.5% (.SCR) Windows screen saver (13097/50/3)
4.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
2.9% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE):PE icon
dhash icon f4f4f49b6e94c1d0
Reporter SecuriteInfoCom
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
404
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
6b0b51571bf31bb33557c350bd8ece2512ecc9b8110d9f06ebeefab24cf079cf.exe
Verdict:
Malicious activity
Analysis date:
2024-07-15 16:30:40 UTC
Tags:
vmprotect
Link:
https://app.any.run/tasks/3c300bb4-7c30-44ec-9a4a-fa3968ceab69

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan-Dropper.Delf.16490.18119.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
89.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66954d6184e955866872b88bwin7simulatehigh_evasion
Tags:
n/a
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a window
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
borland_delphi fingerprint installer lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/66954d630067ed9f771d0e86/reports/361c6278-7f91-45e6-a6b1-ad465a65bf4c/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/6b0b51571bf31bb33557c350bd8ece2512ecc9b8110d9f06ebeefab24cf079cf
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Splashtop
Create hunting rule
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/108cc505-d583-4b81-89e8-6950989ac613
Result
Threat name:
n/a
Detection:
suspicious
Classification:
n/a
Score:
24 / 100
Link:
https://www.joesandbox.com/analysis/1473699
Signature
Detected VMProtect packer
Machine Learning detection for dropped file
Behaviour
Behavior Graph:
Download SVG
Score:
14%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/6b0b51571bf31bb33557c350bd8ece2512ecc9b8110d9f06ebeefab24cf079cf
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6b0b51571bf31bb33557c350bd8ece2512ecc9b8110d9f06ebeefab24cf079cf/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nmfvcvy36mn3gnkxynil3dwoeujozsnycegz6bxl535lethqphhq._file
Verdict:
unknown
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/240715-twydsasbnb/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Executes dropped EXE
Loads dropped DLL
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/b5a56949-76f7-4aea-869f-892c2afdbdce
Unpacked files
SH256 hash:
f62b46bfe5e5d1469a546d78b488a58689927b60eb98875a9ba9e6f6e70ce79b
MD5 hash:
79f040e2ef0f567aed5b5c39afb7bf9c
SHA1 hash:
e62dbe78ce990ea477fc6e3a4b7ab698f1d0fa19
Link:
https://www.unpac.me/results/7496e9d4-f5f7-4934-9290-4231d5224fc3/
SH256 hash:
85b87cc5b3cccc8bcec86e19724ca1cae585fcae039ba04cda986c5640a12d26
MD5 hash:
9909b1306a8ab2456be754372fd715ef
SHA1 hash:
9a35693efa0ca2ff4ceeb02d6538ba9718736982
Link:
https://www.unpac.me/results/7496e9d4-f5f7-4934-9290-4231d5224fc3/
SH256 hash:
44b8e6a310564338968158a1ed88c8535dece20acb06c5e22d87953c261dfed0
MD5 hash:
9c8886759e736d3f27674e0fff63d40a
SHA1 hash:
ceff6a7b106c3262d9e8496d2ab319821b100541
Link:
https://www.unpac.me/results/7496e9d4-f5f7-4934-9290-4231d5224fc3/
SH256 hash:
8d82d424d910c640c3fc0708bc55564a02dbf3ae5eb81ad3e2970222c8296905
MD5 hash:
72020bc133fe1a66f42b953bea1cdc23
SHA1 hash:
42d1bf104a75b3d847d018ff462924f02f4b9484
Link:
https://www.unpac.me/results/7496e9d4-f5f7-4934-9290-4231d5224fc3/
SH256 hash:
59545c7746f273ac2f36c73b9cd019f4f59a3f90a4f542c5824caef251210035
MD5 hash:
37cf8a03872d895aac04ad82e6c6b2f7
SHA1 hash:
58b76257f794f928e7daf733b705e5a832d55141
Link:
https://www.unpac.me/results/7496e9d4-f5f7-4934-9290-4231d5224fc3/
SH256 hash:
6b0b51571bf31bb33557c350bd8ece2512ecc9b8110d9f06ebeefab24cf079cf
MD5 hash:
b0e1eb53c550def25f9954cc9023bc69
SHA1 hash:
c4219bc5142e09955b650e9eae921eacf7f24719
Link:
https://www.unpac.me/results/7496e9d4-f5f7-4934-9290-4231d5224fc3/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
SECURITY_BASE_APIUses Security Base APIadvapi32.dll::AdjustTokenPrivileges
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CreateProcessA
advapi32.dll::OpenProcessToken
kernel32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryA
kernel32.dll::GetSystemInfo
kernel32.dll::GetCommandLineA
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateDirectoryA
kernel32.dll::CreateFileA
kernel32.dll::DeleteFileA
kernel32.dll::GetWindowsDirectoryA
kernel32.dll::GetFileAttributesA
kernel32.dll::RemoveDirectoryA
WIN_BASE_USER_APIRetrieves Account Informationadvapi32.dll::LookupPrivilegeValueA
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegOpenKeyExA
advapi32.dll::RegQueryValueExA
WIN_USER_APIPerforms GUI Actionsuser32.dll::PeekMessageA
user32.dll::CreateWindowExA

Comments