MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 706fbfd759241d1c28a263710be57d297ae3ec0ba217c6fa5ddbfefeb6d7e1ff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 706fbfd759241d1c28a263710be57d297ae3ec0ba217c6fa5ddbfefeb6d7e1ff
SHA3-384 hash: 29dbbba26766108af08e48a046e8622ef0f6fa6dcfc78f83345109e253a50545ec73a0944f5a66a0cd132f4477e14701
SHA1 hash: caa0b6943f9fb6da186868409b6f8edf0dedbe33
MD5 hash: f0aebea3947c5c617815497437e843d7
humanhash: asparagus-carpet-winter-wolfram
File name:Lightshot.dll
Download: download sample
File size:5'949'440 bytes
First seen:2023-11-10 09:41:54 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 0ff5ce1e3968b3a48ad4ad3c600f4f91
ssdeep 98304:r0LCR7keQUTC/b3tlT7DctrMreMlhB7iBf:oLukpUWDt5OwreK6B
Threatray 4 similar samples on MalwareBazaar
TLSH T1DF566D13F284603ED0669A3A4D3FDE5659BF766029278C0B6BF4096C4F35B403D2A6B7
TrID 62.9% (.EXE) Inno Setup installer (109740/4/30)
23.8% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
6.0% (.EXE) Win64 Executable (generic) (10523/12/4)
2.5% (.EXE) Win32 Executable (generic) (4505/5/1)
1.1% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter ventress
Tags:dll

Intelligence

File Origin
# of uploads :
1
# of downloads :
282
Origin country :
ES ES
Vendor Threat Intelligence
Detection(s):
Win.Downloader.Barys-10012116-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
91%
Tags:
apt control grandoreiro greyware keylogger lolbin replace
Link:
https://www.filescan.io/uploads/654dfaf3993fbf888b6de59b/reports/1251dbc6-459b-412f-8c39-776614c07a04/overview
Verdict:
Malicious
Labled as:
Ursu.Generic
Link:
https://www.hybrid-analysis.com/sample/706fbfd759241d1c28a263710be57d297ae3ec0ba217c6fa5ddbfefeb6d7e1ff
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/e5d69a8e-8d37-46b0-9275-38e19d2c2a35
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/1340486
Signature
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1340486 Sample: Lightshot.dll Startdate: 10/11/2023 Architecture: WINDOWS Score: 48 19 Multi AV Scanner detection for submitted file 2->19 7 loaddll32.exe 1 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        11 rundll32.exe 7->11         started        13 rundll32.exe 7->13         started        15 3 other processes 7->15 process5 17 rundll32.exe 9->17         started       
Score:
93%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/706fbfd759241d1c28a263710be57d297ae3ec0ba217c6fa5ddbfefeb6d7e1ff
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/706fbfd759241d1c28a263710be57d297ae3ec0ba217c6fa5ddbfefeb6d7e1ff/
Threat name:
Win32.Trojan.Ursu
Create hunting rule
Status:
Malicious
First seen:
2023-11-09 15:29:08 UTC
File Type:
PE (Dll)
Extracted files:
21
AV detection:
17 of 23 (73.91%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=obx37v2zeqorykfcmnyqxzl5ff5oh3aluil4n6s53p7p5nwx4h7q._file
Verdict:
malicious
Similar samples:
35df13da60ec391a9b0ae34884f066ed8fa48c90315b37ee271a092025e527c0
706fbfd759241d1c28a263710be57d297ae3ec0ba217c6fa5ddbfefeb6d7e1ff
84eab515e95a0eb2eb1ab29c7213960983c103f8179d7e3125ea5cab29dfa59c
9c00f54f0257273f5e193214f7ac89c328196b7d08fee25ce4f8560a2af8dbab
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/231110-lpb8zaed6v/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
066d2dde693a17ed23f6d0a06ef55d2fb32837e168f3764b0962c2b6f782725b
MD5 hash:
e3514f3a9b7e46158ab8db9c04820e15
SHA1 hash:
06172e04fcb321adc5b1e5226dcfc33843681fc4
Link:
https://www.unpac.me/results/07585e5c-19be-4222-b732-f72dc7e34ad7/
SH256 hash:
706fbfd759241d1c28a263710be57d297ae3ec0ba217c6fa5ddbfefeb6d7e1ff
MD5 hash:
f0aebea3947c5c617815497437e843d7
SHA1 hash:
caa0b6943f9fb6da186868409b6f8edf0dedbe33
Link:
https://www.unpac.me/results/07585e5c-19be-4222-b732-f72dc7e34ad7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/706fbfd759241d1c28a263710be57d297ae3ec0ba217c6fa5ddbfefeb6d7e1ff

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:APT_DustSquad_PE_Nov19_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detection Rule for APT DustSquad campaign Nov19
Reference:https://twitter.com/Rmy_Reserve/status/1197448735422238721
Rule name:APT_DustSquad_PE_Nov19_2
Create hunting rule
Author:Arkbird_SOLG
Description:Detection Rule for APT DustSquad campaign Nov19
Reference:https://twitter.com/Rmy_Reserve/status/1197448735422238721
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:SR_APT_DustSquad_PE_Nov19
Create hunting rule
Author:Arkbird_SOLG
Description:Super Rule for APT DustSquad campaign Nov19
Reference:https://twitter.com/Rmy_Reserve/status/1197448735422238721

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments