MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7315002d20a661dfb3c4ddec0e5443879fcfd45f84e5bed8df0dcb730c5a3b4c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 8

SHA256 hash: 7315002d20a661dfb3c4ddec0e5443879fcfd45f84e5bed8df0dcb730c5a3b4c
SHA3-384 hash: e785b9b9a5f295460ac4ae90c0e028cff852c8b5e63dad46fc3f3ba8fa369bf2a622cc00d985e12c96cb24a49e92a349
SHA1 hash: f1144ef6678fce3819c2509b444b6eacca87f5e6
MD5 hash: 75465dfa1bd451b0719deff60f0657ca
humanhash: kitten-table-tennis-football
File name: SecuriteInfo.com.Trojan.MulDrop26.28978.28531.17998
File size: 2'964'848 bytes
First seen: 2024-03-04 14:18:40 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 0ae9e38912ff6bd742a1b9e5c003576a (10 x DCRat, 7 x RedLineStealer, 4 x AsyncRAT)
ssdeep: 49152:WILLTy7FeJO04yDNmlBUKNXjyXcXs0ZFnsZdBzMIT7esEt1YfHb1pKg4BObY:WyOyObyOB7XjA0TnSrzMXtkHb7l4BmY
TLSH: T177D53301BBC45172C92219375B766F22AA3D7D605B388ECBA394285DCE272C0D7367F6
TrID: 89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
      3.5% (.EXE) Win64 Executable (generic) (10523/12/4)
      2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      1.5% (.EXE) Win32 Executable (generic) (4504/4/1)
dhash icon: 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter: SecuriteInfoCom
Tags: exe signed

Code Signing Certificate

Organisation: Bitsum LLC
Issuer: DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Algorithm: sha256WithRSAEncryption
Valid from: 2023-02-07T00:00:00Z
Valid to: 2025-03-08T23:59:59Z
Serial number: 0b494d7df02097107b9065025133fe92
Intelligence: 27 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm: SHA256
Thumbprint: b309179e6516e33d374264683b0751db5f23b09e625ff0b6a4163df28051d08c
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads: 1
# of downloads: 372
Origin country: FR
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file
Creating a process from a recently created file
Enabling autorun by creating a file
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-vm fingerprint installer keylogger lolbin overlay packed setupapi sfx shdocvw shell32
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: n/a
Detection: suspicious
Classification: evad
Score: 24 / 100
Signature
Found API chain indicative of sandbox detection
Found evasive API chain (may execute only at specific dates)
Behaviour
Behavior Graph ID: 1402695
Sample: SecuriteInfo.com.Trojan.Mul...
Startdate: 04/03/2024
Architecture: WINDOWS
Score: 24
Process tree: SecuriteInfo.com.Trojan.MulDrop26.28978.28531.17998.exe > PostUpdate.exe > ProcessLasso.exe > ProcessGovernor.exe and chrome.exe (> chrome.exe); bitsumsessionagent.exe started three times at the top level
Dropped files: C:\Users\user\Desktop\ProcessGovernor.exe (PE32+), C:\Users\user\Desktop\vistammsc.exe (PE32+), C:\Users\user\Desktop\testlasso.exe (PE32+), C:\Users\user\Desktop\QuickUpgrade.exe (PE32+, dropped by PostUpdate.exe), 27 other files (none is malicious)
Signatures (ProcessGovernor.exe): Found evasive API chain (may execute only at specific dates); Found API chain indicative of sandbox detection
Network (chrome.exe): 192.168.2.7 (123, 138, 443) unknown; 239.255.255.250 Reserved; www.google.com 142.251.40.100 (443, 49765, 49803) GOOGLEUS United States; stats.g.doubleclick.net 172.253.63.155 (443, 49734) GOOGLEUS United States; 16 other IPs or domains
Verdict: unknown
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
Checks processor information in registry
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Unpacked files
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)
Rule name: PE_Digital_Certificate
Author: albertzsigovits
Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits
Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants
Rule name: SelfExtractingRAR
Author: Xavier Mertens
Description: Detects an SFX archive with automatic script execution
Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID: CHECK_DLL_CHARACTERISTICS
Title: Missing dll Security Characteristics (HIGH_ENTROPY_VA)
Severity: high

Reviews
ID: GDI_PLUS_API
Capabilities: Interfaces with Graphics
Evidence: gdiplus.dll::GdiplusStartup, gdiplus.dll::GdiplusShutdown, gdiplus.dll::GdipAlloc
ID: WIN32_PROCESS_API
Capabilities: Can Create Process and Threads
Evidence: KERNEL32.dll::CloseHandle, KERNEL32.dll::CreateThread
ID: WIN_BASE_API
Capabilities: Uses Win Base API
Evidence: KERNEL32.dll::TerminateProcess, KERNEL32.dll::LoadLibraryW, KERNEL32.dll::LoadLibraryExA, KERNEL32.dll::LoadLibraryExW, KERNEL32.dll::GetSystemInfo, KERNEL32.dll::GetStartupInfoW
ID: WIN_BASE_EXEC_API
Capabilities: Can Execute other programs
Evidence: KERNEL32.dll::AllocConsole, KERNEL32.dll::AttachConsole, KERNEL32.dll::WriteConsoleW, KERNEL32.dll::FreeConsole, KERNEL32.dll::SetStdHandle, KERNEL32.dll::GetConsoleMode, KERNEL32.dll::GetConsoleCP
ID: WIN_BASE_IO_API
Capabilities: Can Create Files
Evidence: KERNEL32.dll::CreateDirectoryW, KERNEL32.dll::CreateHardLinkW, KERNEL32.dll::CreateFileW, KERNEL32.dll::CreateFileMappingW, KERNEL32.dll::DeleteFileW, KERNEL32.dll::MoveFileW, KERNEL32.dll::MoveFileExW

Comments