MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6ce52f1764a1ea1e39d4484e39e3d4f494c6b29faf8f676b684f7428cf9fa33a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 14


Intelligence 14 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6ce52f1764a1ea1e39d4484e39e3d4f494c6b29faf8f676b684f7428cf9fa33a
SHA3-384 hash: 40bf48a4c08fe21cf25445af104df8f1571ce1eb9f7e51e1f55bbae52557fcc597489009853eef93fbe9c4b15e6fb963
SHA1 hash: b1d9e400262d2e36e00fa5b29fa6874664c7d0c1
MD5 hash: 4dff7e34dcd2f430bf816ec4b25a9dbc
humanhash: magnesium-bakerloo-georgia-potato
File name:SecuriteInfo.com.Win64.MalwareX-gen.19968.21519
Download: download sample
File size:10'589'696 bytes
First seen:2024-08-24 08:32:47 UTC
Last seen:2024-12-18 10:41:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 566b19b5ac294f4a1afe5e76da03206c
ssdeep 98304:ok8Moeo9VZ4odf8an8U/J1vD3NSPUv3KWQSy+Bk:d8Moeo9VZLf80vRlfKkhBk
Threatray 15 similar samples on MalwareBazaar
TLSH T108B67CBBB3E08268C16EC53AC0A78F05D933B1760B37C2E7129006599F669E55D3EE35
TrID 68.4% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
12.5% (.EXE) Win64 Executable (generic) (10523/12/4)
11.8% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
2.4% (.EXE) OS/2 Executable (generic) (2029/13)
2.3% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
File icon (PE):PE icon
dhash icon e0c0cac0a5898cc8
Reporter SecuriteInfoCom
Tags:exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
407
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2024-08-23 21:28:58 UTC
Tags:
amadey botnet stealer loader payload pastebin zharkbot redline metastealer stealc opendir cryptbot xor-url generic smokeloader lumma themida evasion github exela xworm remote python lefthook dyndns
Link:
https://app.any.run/tasks/88c43755-0255-47d1-98db-c408a07551b7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win64.MalwareX-gen.19968.21519.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66c99ad2e7ff3f5a063bd695
Tags:
Stealth
Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
embarcadero_delphi explorer fingerprint keylogger lolbin packed
Link:
https://www.filescan.io/uploads/66c99ac67cae46ead5e74263/reports/9cc903a3-b618-4cc7-b7b6-2ff84ce3a8fc/overview
Verdict:
Malicious
Link:
https://www.hybrid-analysis.com/sample/6ce52f1764a1ea1e39d4484e39e3d4f494c6b29faf8f676b684f7428cf9fa33a
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/77255e23-6821-40a5-8b9d-9532b206d6a8
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1498377
Signature
AI detected suspicious sample
Detected unpacking (creates a PE file in dynamic memory)
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Score:
35%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/6ce52f1764a1ea1e39d4484e39e3d4f494c6b29faf8f676b684f7428cf9fa33a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6ce52f1764a1ea1e39d4484e39e3d4f494c6b29faf8f676b684f7428cf9fa33a/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2024-08-23 17:22:57 UTC
File Type:
PE+ (Exe)
Extracted files:
206
AV detection:
10 of 24 (41.67%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ntss6f3euhvb4ooujbhdty6u6skmnmu7v6hwo23ij52crt47um5a._file
Verdict:
malicious
Similar samples:
0fa8d2dce87fd3e27c2543c9dcf2931fdafd856ca4e14ee21531fb942dc3b36e
17f256015c257cd0b73d14d0d908ccbc317b7e1d8f5ceab2f855c277d7f97e6d
41657910cd010c7e5ebbbfc11a2636fa1868a9bffe78d98b8faa7bd0e9c5c3b8
6ce52f1764a1ea1e39d4484e39e3d4f494c6b29faf8f676b684f7428cf9fa33a
b5ab21ddb7cb5bfbedee68296a3d98f687e9acd8ebcc4539f7fd234197de2227
d9db8cdef549e4ad0e33754d589a4c299e7082c3a0b5efdee1a0218a0a1bf1ee
+ 5 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/240824-kfwqkstcql/
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/0702d03f-ae5b-4bcc-881e-ad59484bc88a
Unpacked files
SH256 hash:
6ce52f1764a1ea1e39d4484e39e3d4f494c6b29faf8f676b684f7428cf9fa33a
MD5 hash:
4dff7e34dcd2f430bf816ec4b25a9dbc
SHA1 hash:
b1d9e400262d2e36e00fa5b29fa6874664c7d0c1
Link:
https://www.unpac.me/results/f664da33-5fe7-4dd7-8047-cf082e4cf256/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6ce52f1764a1ea1e39d4484e39e3d4f494c6b29faf8f676b684f7428cf9fa33a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 6ce52f1764a1ea1e39d4484e39e3d4f494c6b29faf8f676b684f7428cf9fa33a

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3125605/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3126661/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
MULTIMEDIA_APICan Play Multimediagdi32.dll::StretchDIBits
winmm.dll::timeGetTime
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CloseHandle
kernel32.dll::CreateThread
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryExW
kernel32.dll::LoadLibraryA
kernel32.dll::LoadLibraryW
kernel32.dll::GetDriveTypeW
kernel32.dll::GetVolumeInformationW
kernel32.dll::GetSystemInfo
WIN_BASE_IO_APICan Create Fileskernel32.dll::CopyFileW
kernel32.dll::CreateDirectoryW
kernel32.dll::CreateFileMappingW
kernel32.dll::CreateFileW
kernel32.dll::DeleteFileW
kernel32.dll::GetSystemDirectoryW
WIN_BASE_USER_APIRetrieves Account Informationkernel32.dll::GetComputerNameW
kernel32.dll::QueryDosDeviceW
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegConnectRegistryW
advapi32.dll::RegCreateKeyExW
advapi32.dll::RegDeleteKeyW
advapi32.dll::RegLoadKeyW
advapi32.dll::RegOpenKeyExW
advapi32.dll::RegQueryInfoKeyW
WIN_USER_APIPerforms GUI Actionsuser32.dll::ActivateKeyboardLayout
user32.dll::CreateMenu
user32.dll::EmptyClipboard
user32.dll::FindWindowExW
user32.dll::FindWindowW
user32.dll::OpenClipboard

Comments