MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 713a497c8da97c2082758fd31147539f408a72b62041c6c9ed77037021621e94. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 713a497c8da97c2082758fd31147539f408a72b62041c6c9ed77037021621e94
SHA3-384 hash: 94d084d7688780fc39fc6cff1957a30abfc08761e9d4ed75cb4945d975e6ea068526df0a86a41ba3a925b839689cc555
SHA1 hash: 053d0d7f4cb6e3952e849f02bbfbdb4d39021146
MD5 hash: 66a5a529386533e25316942993772042
humanhash: apart-delaware-hydrogen-cardinal
File name:66a5a529386533e25316942993772042
Download: download sample
File size:6'200'810 bytes
First seen:2024-05-31 19:39:03 UTC
Last seen:2024-06-03 13:59:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash be41bf7b8cc010b614bd36bbca606973 (195 x LummaStealer, 126 x DanaBot, 63 x Vidar)
ssdeep 98304:6QqmVoQ/tUAh8ggYJCHtEFy3X1mDyV/w4qp/tkC9+yZ+KZ8dSHLNejiRuO+4GiW:6QqmVo481z1mYbWSCeKhxqr7h
Threatray 282 similar samples on MalwareBazaar
TLSH T1C9563352675B457BE9D31C323727C30344F4F58426996E8ABA1117E2D8806EE2F2CA7F
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE):PE icon
dhash icon b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
491
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
dcrat
Create hunting rule
ID:
1
File name:
New Text Document.bin
Verdict:
Malicious activity
Analysis date:
2024-05-31 13:14:49 UTC
Tags:
loader hausbomber dcrat stealer azorult opendir gcleaner amadey botnet agenttesla lumma redline risepro stealc adware neoreklami meta metastealer vidar evasion exfiltration telegram xworm
Link:
https://app.any.run/tasks/2a9f2044-97f3-4c1c-b975-1fe9287d3e52

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.PUA.Powershell.Downloader-3.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=665a3af420ad30d28767962fwin10vpnfull_triage
Tags:
Encryption Execution Generic Network Static Stealth Malware
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a window
Creating a file
Running batch commands
Creating a process with a hidden window
Modifying a system file
Сreating synchronization primitives
Connection attempt
Sending an HTTP GET request
Launching a process
Creating a process from a recently created file
Reading critical registry keys
Searching for the browser window
DNS request
Sending a custom TCP request
Downloading the file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
installer lolbin microsoft_visual_cc overlay packed shell32
Link:
https://www.filescan.io/uploads/665a27944d56d7d162894e62/reports/09756283-c710-42ff-8778-7f900af54d69/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/713a497c8da97c2082758fd31147539f408a72b62041c6c9ed77037021621e94
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f0b449c3-6e7d-4cbe-b043-50dc35cee8e6
Result
Threat name:
n/a
Detection:
malicious
Classification:
phis.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1450378
Signature
Antivirus / Scanner detection for submitted sample
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Tries to download and execute files (via powershell)
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1450378 Sample: 3qWvYGcbza.exe Startdate: 01/06/2024 Architecture: WINDOWS Score: 88 58 Multi AV Scanner detection for domain / URL 2->58 60 Antivirus / Scanner detection for submitted sample 2->60 62 Multi AV Scanner detection for submitted file 2->62 64 3 other signatures 2->64 8 3qWvYGcbza.exe 10 22 2->8         started        11 svchost.exe 1 2 2->11         started        process3 dnsIp4 34 C:\Users\user\AppData\...\Smartscreen.bat, DOS 8->34 dropped 36 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 8->36 dropped 38 C:\Users\user\AppData\Local\Temp\...\UAC.dll, PE32 8->38 dropped 40 C:\Users\user\AppData\Local\...\uninst.exe, PE32 8->40 dropped 14 cmd.exe 13 8->14         started        50 127.0.0.1 unknown unknown 11->50 file5 process6 signatures7 66 Suspicious powershell command line found 14->66 68 Tries to download and execute files (via powershell) 14->68 17 powershell.exe 15 16 14->17         started        21 chrome.exe 1 14->21         started        23 tar.exe 3 14->23         started        25 2 other processes 14->25 process8 dnsIp9 42 94.103.188.126, 49732, 80 RATELE-ASRU Russian Federation 17->42 30 C:\Users\user\AppData\Local\Temp\putty.zip, Zip 17->30 dropped 44 192.168.2.13 unknown unknown 21->44 46 192.168.2.14 unknown unknown 21->46 48 3 other IPs or domains 21->48 27 chrome.exe 21->27         started        32 C:\Users\user\AppData\Local\...\putty.exe, PE32+ 23->32 dropped file10 process11 dnsIp12 52 142.250.184.228, 443, 49780 GOOGLEUS United States 27->52 54 www.google.com 142.250.185.196, 443, 49751, 49777 GOOGLEUS United States 27->54 56 4 other IPs or domains 27->56
Score:
74%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/713a497c8da97c2082758fd31147539f408a72b62041c6c9ed77037021621e94
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/713a497c8da97c2082758fd31147539f408a72b62041c6c9ed77037021621e94/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2024-05-31 14:24:36 UTC
File Type:
PE (Exe)
Extracted files:
11
AV detection:
10 of 24 (41.67%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=oe5es7envf6cbatvr7jrcr2tt5aiu4vweba4nspno4bxailcd2ka._file
Verdict:
unknown
Similar samples:
0cc079cb6d771feb5394759239a5f44a66a066f76d75d77f70925091839298b2
1ef744cce1aa8504c6e57067f6d2eb92c1e89707eb1964b7e338fb19684d5617
5ed99560a586a1f8b6ee3daaeb1bad3eab23a6f98f70bac004f470082d6c1e32
72c22d9c2150b022f3f15e30bfd2d76435d4091b99a0e443c96dcb4c48aa5539
820194153174a679179e3649a4ebac8f39b4fefd2836d19ae1241e4e520fae26
bd60511c7b930911ed7edb22ca6bae15995f00b2ecdfd009322a04f5c82a851d
c2213cc74b11ff7931d042044d696bc98f047883032280ac1a6d7d7ec80f9389
d3467bceb27c8533c1a904b34437aa2fd03963be8085f668a961b113feb75c5c
e37fa468aafa1e603529ee77a6e4b31134f429a81fe9222ef85fcf458e290d70
f02d594d22f31926b6aec336e4b49925a04c14661053fd7fa04726f1ae5334a2
+ 272 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery execution
Link:
https://tria.ge/reports/240531-ycz6gsag9v/
Behaviour
Enumerates system info in registry
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
Malware Config
Dropper Extraction:
http://94.103.188.126/jerry/putty.zip
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/42f32a9b-9f41-460a-9dbf-533f585b8da4
Unpacked files
SH256 hash:
d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2
MD5 hash:
132e6153717a7f9710dcea4536f364cd
SHA1 hash:
e39bc82c7602e6dd0797115c2bd12e872a5fb2ab
Link:
https://www.unpac.me/results/68677757-cb6b-4f55-9df6-dbe30bf05680/
SH256 hash:
7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af
MD5 hash:
bf712f32249029466fa86756f5546950
SHA1 hash:
75ac4dc4808ac148ddd78f6b89a51afbd4091c2e
Link:
https://www.unpac.me/results/68677757-cb6b-4f55-9df6-dbe30bf05680/
SH256 hash:
6293408a5fa6d0f55f0a4d01528eb5b807ee9447a75a28b5986267475ebcd3ae
MD5 hash:
c7ce0e47c83525983fd2c4c9566b4aad
SHA1 hash:
38b7ad7bb32ffae35540fce373b8a671878dc54e
Link:
https://www.unpac.me/results/68677757-cb6b-4f55-9df6-dbe30bf05680/
SH256 hash:
416133dd86c0dff6b0fcaf1f46dfe97fdc85b37f90effb2d369164a8f7e13ae6
MD5 hash:
4ccc4a742d4423f2f0ed744fd9c81f63
SHA1 hash:
704f00a1acc327fd879cf75fc90d0b8f927c36bc
Link:
https://www.unpac.me/results/68677757-cb6b-4f55-9df6-dbe30bf05680/
SH256 hash:
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
MD5 hash:
adb29e6b186daa765dc750128649b63d
SHA1 hash:
160cbdc4cb0ac2c142d361df138c537aa7e708c9
Detections:
INDICATOR_TOOL_UAC_NSISUAC
Create hunting rule
Link:
https://www.unpac.me/results/68677757-cb6b-4f55-9df6-dbe30bf05680/
Parent samples :
f5f3e5658f8ec6c1e7ffa7e7d6df06d04af1f3a5941206ce23b8be979c60ccb1
6e22c0f2732195063cb4984c6520c3b85e1236e967f8bb05b3c1b35139d2917b
713a497c8da97c2082758fd31147539f408a72b62041c6c9ed77037021621e94
dbde8a4bd71bb1fbc0511cdb657dfeffdaedc513aa425f856043532a7cba6fce
ac142a8087949b5ad4e3a503ca37609845112c4f7e0cd1376669c9d5c8f5cdf2
15d4dbafb6fb1770507db7769b2df6f3857da0ad3203a71c5f82a99688dac2b3
b96862087581adb9ecfb9615a46eedb29d13c606e708b7b532ce6ed3217925a4
4f2e6dc8e4d8e0dfcc44a28d34c10653bd833abb8832e47e609d255f246c67f0
df61dc2d24f2e475e0a8971c5d21c1c48e9505be67714aafb4afd670aad297e3
60b1aa37a4ac40d5c5adf2de28782976934731408b6c2e89511e1bc5947d5bbd
f7ae58f22cbdeb69318f6cb3ff3757a9888e8731febd66e85ee9938f874705c9
fbfe2108631e3ccaa8db2f5c4439009c7a5a53136481b422236eefe2e48b690f
340b93c76e6f489982a23d2e04df0ad05a03c3d744ecb5badc3c041eca945af2
34a5c9c0106b37687fbdd51a60a026d06e7301ec40b1f7fb49384d8fe748e9e6
503c9fae00b047a77059de8e9ff6dddb6d2584f18ccf6480d69d395c65492ad4
SH256 hash:
427a1150962518c43f2fcd3e39142a438973b3fb082a5892ec3019cc8f7d4d82
MD5 hash:
ce720b915d12ed8831109aaa7846e416
SHA1 hash:
d6687a1ab530baa8c51cda487c8aab4791096482
Link:
https://www.unpac.me/results/68677757-cb6b-4f55-9df6-dbe30bf05680/
SH256 hash:
713a497c8da97c2082758fd31147539f408a72b62041c6c9ed77037021621e94
MD5 hash:
66a5a529386533e25316942993772042
SHA1 hash:
053d0d7f4cb6e3952e849f02bbfbdb4d39021146
Link:
https://www.unpac.me/results/68677757-cb6b-4f55-9df6-dbe30bf05680/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/713a497c8da97c2082758fd31147539f408a72b62041c6c9ed77037021621e94

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NSIS_April_2024
Create hunting rule
Author:NDA0N
Description:Detects NSIS installers
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 713a497c8da97c2082758fd31147539f408a72b62041c6c9ed77037021621e94

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2870424/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteW
SHELL32.dll::SHFileOperationW
SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
KERNEL32.dll::OpenProcess
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetDiskFreeSpaceW
KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileW
KERNEL32.dll::GetWindowsDirectoryW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegDeleteKeyW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuW
USER32.dll::EmptyClipboard
USER32.dll::FindWindowExW
USER32.dll::OpenClipboard
USER32.dll::PeekMessageW
USER32.dll::CreateWindowExW

Comments


Avatar
zbet commented on 2024-05-31 19:39:05 UTC

url : hxxp://147.45.47.70/lend/smartsoftsignew.exe