MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6eafa7c61e42d196916baffa8392658241fe214d13edefeeffde6aa0619e3507. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Adware.Generic

Vendor detections: 6

Intelligence 6 IOCs YARA 3 File information Comments

SHA256 hash:	6eafa7c61e42d196916baffa8392658241fe214d13edefeeffde6aa0619e3507
SHA3-384 hash:	9b074d4a19867de33dc62dc5a60dbda9ff230ef63082a63260c2cbc928d66e17ac7e1fb47e0d4996588d008d391b6c36
SHA1 hash:	50b83e0dcc2205b8e153ba5898498ef5ee01b943
MD5 hash:	1f916117907696b1166fd3b79e9905f9
humanhash:	robin-happy-connecticut-chicken
File name:	Star-Wars-Battlefron_330757428.exe
Download:	download sample
Signature	Adware.Generic Create hunting rule
File size:	7'752'713 bytes
First seen:	2021-07-25 18:09:45 UTC
Last seen:	2021-07-25 18:46:49 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	eb5bc6ff6263b364dfbfb78bdb48ed59 (55 x Adware.Generic, 18 x RaccoonStealer, 8 x Adware.ExtenBro)
ssdeep	98304:d1QTVMkk000H08P800/k0GhneHn3AY3fWMEYg7tpZ6e8OGGc80I+qCXZdEqsao98:ryg3A8OxfV6HGvHQlsD9akkrWFhpkaET
Threatray	69 similar samples on MalwareBazaar
TLSH	T1547612677564D06AE8B91F306A63A86064F67E7CEC552D0A77F0F58CCB762800C3E7A4
dhash icon	71c4a2b2a38acc61 (1 x Adware.Generic)
Reporter	Anonymous
Tags:	Adware.Generic exe

Intelligence

File Origin

# of uploads :

# of downloads :

184

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Star-Wars-Battlefron_330757428.exe

Verdict:

Malicious activity

Analysis date:

2021-07-25 18:10:56 UTC

Tags:

installer

Link:

https://app.any.run/tasks/bdee5754-4916-4a95-b432-c21b92e16fc3

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/174032/

Detection(s):

PUA.Win.Packer.Exe-6

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Creating a window

Creating a process from a recently created file

Searching for the window

Creating a file in the Program Files subdirectories

Moving a file to the Program Files subdirectory

Creating a file

DNS request

Connection attempt

Sending an HTTP POST request

Sending a UDP request

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/35fb3317-fe8a-4cee-b0cf-a0ac1031e754

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

64 / 100

Link:

https://www.joesandbox.com/analysis/821550

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Gathering data

Threat name:

Win32.Adware.Generic

Status:

Suspicious

First seen:

2021-07-25 17:37:22 UTC

AV detection:

8 of 27 (29.63%)

Threat level:

1/5

Verdict:

unknown

Adware.Generic

5e8bdea8e7d50a3d4f35d4242b02abe2a3aa8141f276a7df5be3141bd594a101

Adware.Generic

745041bc84862926049f7fbf927f0926a9075747cf961be51f347d3e76e43c97

Adware.Generic

7c9eeac634ce6e1fb9079de077d07df63062a38626c59243f5b24f1d8924d60a

Adware.Generic

8e7116f27e8c84422d2d5612765b45166a1a1144774a52e5107d74a7884e758f

Adware.Generic

8f4fa407cd9d7becde2ae84a7d82286ae8e78bcdb8fc4e81ffdd97fc657f5fe3

Adware.Generic

a4f95464eccef0c4da2d48481ef8b1006a6ed0918fb421db63c793e1001bbeda

Adware.Generic

b56c9109fdb9e8d8853fa536f3cdea9528a8a53493d3f3dc9f49243e30ed6be5

Adware.Generic

bf4e9dc317fceacf1ee5ad716a4d17ade356679ea2d0b337456fa6dff39975f3

Adware.Generic

+ 59 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

discovery

Link:

https://tria.ge/reports/210725-m5zdsbkjn2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in Program Files directory

Checks installed software on the system

Loads dropped DLL

Executes dropped EXE

Unpacked files

SH256 hash:

780de484bdff3c7ce1a23c464d6d9e149c3327b1495a99c434bb4806d58811d7

MD5 hash:

c7532437237c65979b1eafeb0c16383b

SHA1 hash:

2e3237c729f938dd74017dc6fae230065579f669

Link:

https://www.unpac.me/results/9ec7d6e6-12cf-4934-ae2a-ce19465a0255/

SH256 hash:

44b8e6a310564338968158a1ed88c8535dece20acb06c5e22d87953c261dfed0

MD5 hash:

9c8886759e736d3f27674e0fff63d40a

SHA1 hash:

ceff6a7b106c3262d9e8496d2ab319821b100541

Link:

https://www.unpac.me/results/9ec7d6e6-12cf-4934-ae2a-ce19465a0255/

SH256 hash:

b7767fd4addb557368ff1e605d358e0e36d39e526dc72bdd3eb28ff78a302ef9

MD5 hash:

1af5a1ed59fcb0e2f61839fae950a2f8

SHA1 hash:

917429dd437ff355c3061f25c4d1068a95420d2c

Link:

https://www.unpac.me/results/9ec7d6e6-12cf-4934-ae2a-ce19465a0255/

SH256 hash:

a2d0e5e412bed119bcdfc50992735c26c0e9eff0f1190bbb282faa0746070e85

MD5 hash:

1f7de9a02dbd7f6b0b873bb9dbc56f9d

SHA1 hash:

2abcd02db93e6b5fe766b45ddfa960e6300b7241

Link:

https://www.unpac.me/results/9ec7d6e6-12cf-4934-ae2a-ce19465a0255/

SH256 hash:

6eafa7c61e42d196916baffa8392658241fe214d13edefeeffde6aa0619e3507

MD5 hash:

1f916117907696b1166fd3b79e9905f9

SHA1 hash:

50b83e0dcc2205b8e153ba5898498ef5ee01b943

Link:

https://www.unpac.me/results/9ec7d6e6-12cf-4934-ae2a-ce19465a0255/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6eafa7c61e42d196916baffa8392658241fe214d13edefeeffde6aa0619e3507

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	APT_DustSquad_PE_Nov19_1 Create hunting rule
Author:	Arkbird_SOLG
Description:	Detection Rule for APT DustSquad campaign Nov19
Reference:	https://twitter.com/Rmy_Reserve/status/1197448735422238721

Rule name:	APT_DustSquad_PE_Nov19_2 Create hunting rule
Author:	Arkbird_SOLG
Description:	Detection Rule for APT DustSquad campaign Nov19
Reference:	https://twitter.com/Rmy_Reserve/status/1197448735422238721

Rule name:	SR_APT_DustSquad_PE_Nov19 Create hunting rule
Author:	Arkbird_SOLG
Description:	Super Rule for APT DustSquad campaign Nov19
Reference:	https://twitter.com/Rmy_Reserve/status/1197448735422238721

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/174032/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample