MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6bc44ffdf5fb9a208f27e836635852620368c30c5320163f3fcde1f9931091e7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 8

SHA256 hash: 6bc44ffdf5fb9a208f27e836635852620368c30c5320163f3fcde1f9931091e7
SHA3-384 hash: bd8ca8c4137f567464a970ad873d70198ba6d6bb8a3fcfd161bc7ca4c9da0c72b772a62e2a08d0a11a09b6d59910e178
SHA1 hash: 7362395aebc3022cef3596a4c88f0c7d47bbf695
MD5 hash: 470dcc74ac1b8c4f0eebd2fcc04902ee
humanhash: oven-louisiana-zebra-carbon
File name: SecuriteInfo.com.Program.RemoteAdmin.952.15847.745
File size: 9'464'776 bytes
First seen: 2024-01-01 20:15:03 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'507 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep 196608:DOEVrv9Et+hnI91fZFf4L5GHWIpsUYXVdQUiUV8cRwS8OMIys3albOQiGQNhXJ2v:DOEpGt+VQ1RBoT2OV29UV8cRw5xIys3A
TLSH T1E49633938D7A44F1F2DDC3F259A4D40A12ACFD9C4838D3A1339910C7DB9A14BBA9679C
TrID 69.7% (.EXE) Inno Setup installer (107240/4/30)
9.2% (.EXE) Win32 Executable Delphi generic (14182/79/4)
8.5% (.SCR) Windows screen saver (13097/50/3)
4.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
2.9% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon b473c9dcdcf03235
Reporter SecuriteInfoCom
Tags: exe signed

Code Signing Certificate

Organisation: Hammer Software
Issuer: COMODO RSA Code Signing CA
Algorithm: sha256WithRSAEncryption
Valid from: 2017-08-04T00:00:00Z
Valid to: 2020-08-03T23:59:59Z
Serial number: da3c9e8207e16363c5695bc3b900aedf
Thumbprint algorithm: SHA256
Thumbprint: 9c85f2e45fc6e68c47ceb93e2925c3dcd178df3f7809dc9a2a7ad01090915b65
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 1
# of downloads: 340
Origin country: FR
Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating synchronization primitives
Searching for synchronization primitives
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: control installer lolbin masquerade overlay packed shell32
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: IEInspector Software
Verdict: Suspicious

Result
Threat name: n/a
Detection: suspicious
Classification: spyw.evad.troj
Score: 28 / 100
Signature
Contains VNC / remote desktop functionality (version string found)
Opens network shares
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Query firmware table information (likely to detect VMs)
Behaviour
Behavior Graph:
Verdict: unknown

Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Executes dropped EXE
Loads dropped DLL
Unpacked files
SHA256 hash: 3e76c2538a390437746d203c87452b7364b7ab0151381af892da6a76cf4d3d18
MD5 hash: 9b6354a5294b15c75b4bfb1a3f38b275
SHA1 hash: 19fa6ac06f2a7f0db62b8d568013286bb8b3aa5a
SHA256 hash: 6bc44ffdf5fb9a208f27e836635852620368c30c5320163f3fcde1f9931091e7
MD5 hash: 470dcc74ac1b8c4f0eebd2fcc04902ee
SHA1 hash: 7362395aebc3022cef3596a4c88f0c7d47bbf695
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: PE_Digital_Certificate
Author: albertzsigovits
Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits
Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns
