MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 71017896cac84e64fca6174bbfccf10399f23d33fc425bd92dfa32bf9383454d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 10

Intelligence 10 IOCs YARA 5 File information Comments

SHA256 hash:	71017896cac84e64fca6174bbfccf10399f23d33fc425bd92dfa32bf9383454d
SHA3-384 hash:	5c54fc59c5c641748e07c9674f783040afad1230f6ab9f31aa61c955185e9519e568747c80e1930981f88f1fbd68bc06
SHA1 hash:	f94df5344f685aa6172cad266a354b3a4e65f195
MD5 hash:	236397104eafa8ab7b9ba89741eca5f7
humanhash:	queen-may-happy-fanta
File name:	71017896cac84e64fca6174bbfccf10399f23d33fc425bd92dfa32bf9383454d
Download:	download sample
File size:	211'968 bytes
First seen:	2025-01-14 12:10:54 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	ff2372eeeddbce4778030529933c7f58
ssdeep	3072:sJU8QRXH6i1cSEnsvReGsWyxLizXFCecbd1Tt+ignb:WU8QRKi1cOwtZxLizXUecbdQn
TLSH	T17A24F5036A5061B6C276A27EA1925512E6717C0443F397EB33ABF93A0F37FD06B39611
TrID	70.8% (.CPL) Windows Control Panel Item (generic) (57583/11/19) 12.9% (.EXE) Win64 Executable (generic) (10522/11/4) 6.2% (.EXE) Win16 NE executable (generic) (5038/12/1) 2.5% (.ICL) Windows Icons Library (generic) (2059/9) 2.4% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
File icon (PE):
dhash icon	34e4d4d4d1c9d4dc (3 x njrat, 1 x PureLogsStealer)
Reporter	JAMESWT_WT
Tags:	bot7711615259 exe

Intelligence

File Origin

# of uploads :

# of downloads :

394

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

71017896cac84e64fca6174bbfccf10399f23d33fc425bd92dfa32bf9383454d

Verdict:

No threats detected

Analysis date:

2025-01-14 12:46:59 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/c7e49c8e-8049-4e04-94ea-2cff0b43b367

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict:

Malicious

Score:

90.2%

Link:

https://cyber-fortress.com/docs/result/index.php?id=678654724487910100dedddc

Tags:

virus

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

crypto hacktool masquerade microsoft_visual_cc obfuscated packed packer_detected

Link:

https://www.filescan.io/uploads/67865468f6ef415507db1f77/reports/e1aa2778-1c1c-49de-9875-f58617202062/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_70%

Link:

https://www.hybrid-analysis.com/sample/71017896cac84e64fca6174bbfccf10399f23d33fc425bd92dfa32bf9383454d

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/35e563eb-e6bc-4d19-ad24-d9a72b39da06

Result

Threat name:

n/a

Detection:

malicious

Classification:

evad

Score:

56 / 100

Link:

https://www.joesandbox.com/analysis/1590660

Signature

AI detected suspicious sample

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Behaviour

Behavior Graph:

Download SVG

Score:

94%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/71017896cac84e64fca6174bbfccf10399f23d33fc425bd92dfa32bf9383454d

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/71017896cac84e64fca6174bbfccf10399f23d33fc425bd92dfa32bf9383454d/

Threat name:

Win32.Ransomware.Generic

Status:

Malicious

First seen:

2025-01-14 12:09:45 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

7 of 24 (29.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=oeaxrfwkzbhgj7fgc5f37thraom7epjt7rbfxwjn7izl7e4divgq._file

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/250114-pcltesxqbs/

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/45804db1-f326-45e3-b744-ab9d2c1989bb

Unpacked files

SH256 hash:

ffac5d25a6d7b658fdad91f29b58a5a859252807e4edb63761fa8093aacbdb1e

MD5 hash:

288844907cec32c92431e9a571a59958

SHA1 hash:

dc01b80dba8fc7442900a04cb0d9158bcd9a5993

Link:

https://www.unpac.me/results/7473c138-348a-4244-9653-15168effa3b0/

SH256 hash:

71017896cac84e64fca6174bbfccf10399f23d33fc425bd92dfa32bf9383454d

MD5 hash:

236397104eafa8ab7b9ba89741eca5f7

SHA1 hash:

f94df5344f685aa6172cad266a354b3a4e65f195

Link:

https://www.unpac.me/results/7473c138-348a-4244-9653-15168effa3b0/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/71017896cac84e64fca6174bbfccf10399f23d33fc425bd92dfa32bf9383454d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Check_Debugger Create hunting rule

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__RemoteAPI Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (FORCE_INTEGRITY)	high

Reviews

ID	Capabilities	Evidence
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CloseHandle WINHTTP.dll::WinHttpCloseHandle
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryW KERNEL32.dll::GetSystemInfo
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CreateDirectoryW KERNEL32.dll::CreateFileW KERNEL32.dll::DeleteFileW
WIN_BCRYPT_API	Can Encrypt Files	bcrypt.dll::BCryptDecrypt bcrypt.dll::BCryptDestroyKey bcrypt.dll::BCryptGenerateSymmetricKey bcrypt.dll::BCryptGetProperty bcrypt.dll::BCryptOpenAlgorithmProvider bcrypt.dll::BCryptSetProperty
WIN_HTTP_API	Uses HTTP services	WINHTTP.dll::WinHttpConnect WINHTTP.dll::WinHttpCrackUrl WINHTTP.dll::WinHttpOpen WINHTTP.dll::WinHttpOpenRequest WINHTTP.dll::WinHttpQueryDataAvailable WINHTTP.dll::WinHttpReadData

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample