MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 74f30466c1edb8daf729df5531e6047e69cfbcd0625fbb3df02bb655ec90c480. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 15


Intelligence 15 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 74f30466c1edb8daf729df5531e6047e69cfbcd0625fbb3df02bb655ec90c480
SHA3-384 hash: 69c71699b84118d3112d95c6495ff6900ff28ee46113bf827eba7abaecf8133923f199ea5258cef5854e880add0c9405
SHA1 hash: 4c36e84c86b78d29c518916a9592e737d0242c97
MD5 hash: 7256919115171d1f99287212e120586d
humanhash: papa-wolfram-kilo-ack
File name:file
Download: download sample
File size:396'288 bytes
First seen:2024-09-24 16:49:58 UTC
Last seen:2024-09-25 04:06:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f191e24764ac2972e2c40e13c71b6d0d (4 x GCleaner, 2 x Stealc, 1 x Smoke Loader)
ssdeep 6144:HLL3upjMAZUlZfNB3vuWXW+3cqgE9fjFYc5scYW:H33NdNB3vxXW+vBfFYW
Threatray 3 similar samples on MalwareBazaar
TLSH T1CC845BB26AE06815EE664B369F29B2EC276FBC625E74525D3144FE0F19333F2C512312
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
File icon (PE):PE icon
dhash icon 12716d4cf4c4c4d4
Reporter Bitsight
Tags:exe


Avatar
Bitsight
url: https://rainhamabattoir.co.zw/wp-content/build.exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
476
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2024-09-24 16:50:38 UTC
Tags:
xor-url generic crypto-regex qrcode
Link:
https://app.any.run/tasks/69b79eeb-4bd7-482b-8147-c129611de0ec

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.BotX-gen.18320.11885.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66f2edbd5346c7b922adb8b2
Tags:
Execution Infostealer Network Stealth Trojan Xtreme Madi Tori Sage
Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Connecting to a non-recommended domain
Connection attempt
Sending an HTTP GET request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
epmicrosoft_visual_cc fingerprint microsoft_visual_cc packed
Link:
https://www.filescan.io/uploads/66f2edbc32f56cd5348495e6/reports/d7eecc06-5478-4a56-88bb-f39ea3e2158e/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/74f30466c1edb8daf729df5531e6047e69cfbcd0625fbb3df02bb655ec90c480
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Spectre
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2ad02552-26f6-4c3d-85d6-e5d4401ac1bb
Result
Threat name:
n/a
Detection:
malicious
Classification:
spre.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1517102
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Copy itself to suspicious location via type command
Suricata IDS alerts for network traffic
Writes or reads registry keys via WMI
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1517102 Sample: file.exe Startdate: 24/09/2024 Architecture: WINDOWS Score: 100 62 18.31.95.13.in-addr.arpa 2->62 66 Suricata IDS alerts for network traffic 2->66 68 Malicious sample detected (through community Yara rule) 2->68 70 Antivirus / Scanner detection for submitted sample 2->70 72 4 other signatures 2->72 8 file.exe 19 2->8         started        signatures3 process4 dnsIp5 64 94.156.65.70, 49706, 49711, 55948 TERASYST-ASBG Bulgaria 8->64 38 C:\Users\user\AppData\Roaming\...\wsau.exe, PE32 8->38 dropped 40 v10_stlr_x86_panam...024-09-24_18-38.exe, PE32 8->40 dropped 78 Detected unpacking (changes PE section rights) 8->78 80 Detected unpacking (overwrites its own PE header) 8->80 13 cmd.exe 8->13         started        15 WerFault.exe 16 8->15         started        18 WerFault.exe 16 8->18         started        20 16 other processes 8->20 file6 signatures7 process8 file9 22 systeminfo.exe 13->22         started        25 conhost.exe 13->25         started        27 findstr.exe 13->27         started        50 C:\ProgramData\Microsoft\...\Report.wer, Unicode 15->50 dropped 52 C:\ProgramData\Microsoft\...\Report.wer, Unicode 18->52 dropped 54 C:\ProgramData\Microsoft\...\Report.wer, Unicode 20->54 dropped 56 C:\ProgramData\Microsoft\...\Report.wer, Unicode 20->56 dropped 58 C:\ProgramData\Microsoft\...\Report.wer, Unicode 20->58 dropped 60 10 other malicious files 20->60 dropped 29 wsau.exe 20->29         started        32 conhost.exe 20->32         started        34 WMIC.exe 20->34         started        36 2 other processes 20->36 process10 file11 74 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 22->74 76 Writes or reads registry keys via WMI 22->76 42 C:\Users\user\AppData\Roaming\...\zip.exe, PE32 29->42 dropped 44 C:\Users\user\AppData\Roaming\...\nircmdc.exe, PE32 29->44 dropped 46 C:\Users\user\AppData\...\PsInfo64.exe, PE32+ 29->46 dropped 48 4 other files (none is malicious) 29->48 dropped signatures12
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/74f30466c1edb8daf729df5531e6047e69cfbcd0625fbb3df02bb655ec90c480
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/74f30466c1edb8daf729df5531e6047e69cfbcd0625fbb3df02bb655ec90c480/
Threat name:
Win32.Trojan.Smokeloader
Create hunting rule
Status:
Malicious
First seen:
2024-09-24 16:50:05 UTC
File Type:
PE (Exe)
Extracted files:
69
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=otzqizwb5w4nv5zj35ktdzqepzu47pgqmjp3wppqfo3fl3eqysaa._file
Verdict:
malicious
Label(s):
shellcode_loader_002
Create hunting rule
spectrerat
Create hunting rule
Similar samples:
08dc5b0fb0c2646f546f0af389c3c9934995f1cf6819a05c171db3eca242554d
efec912465df5c55b4764e0277aa4c4c549e612b4f3c5abf77aaec647729f78a
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/240924-vb858axdjb/
Behaviour
Gathers system information
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Checks processor information in registry
Browser Information Discovery
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/b53ea149-1743-494a-9fc7-4a6e63a7c4dd
Unpacked files
SH256 hash:
734a22c413872a8b5f6fc5342261b9ff2c256c1891bb258747ff000df960ce4f
MD5 hash:
7010117bbc07ee883ea881cdc6b6dbbf
SHA1 hash:
6953d3a0fefcbf7c80c966681def208b7bca185d
Detections:
SUSP_XORed_URL_In_EXE
Create hunting rule
Link:
https://www.unpac.me/results/d322e718-4dd5-4132-bdda-931b2e402ae4/
SH256 hash:
74f30466c1edb8daf729df5531e6047e69cfbcd0625fbb3df02bb655ec90c480
MD5 hash:
7256919115171d1f99287212e120586d
SHA1 hash:
4c36e84c86b78d29c518916a9592e737d0242c97
Link:
https://www.unpac.me/results/d322e718-4dd5-4132-bdda-931b2e402ae4/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/74f30466c1ed/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/74f30466c1edb8daf729df5531e6047e69cfbcd0625fbb3df02bb655ec90c480

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Active
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:pe_detect_tls_callbacks
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 74f30466c1edb8daf729df5531e6047e69cfbcd0625fbb3df02bb655ec90c480

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3189386/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::ObjectPrivilegeAuditAlarmA
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetVolumeInformationW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetStartupInfoA
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::FillConsoleOutputCharacterA
KERNEL32.dll::WriteConsoleA
KERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleOutputA
KERNEL32.dll::SetConsoleMode
KERNEL32.dll::SetConsoleTitleA
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileExA
KERNEL32.dll::CreateFileA
KERNEL32.dll::MoveFileA
KERNEL32.dll::GetFileAttributesW
WIN_BASE_USER_APIRetrieves Account InformationKERNEL32.dll::GetComputerNameW
KERNEL32.dll::QueryDosDeviceA
WIN_TIME_APICan Modify TimeKERNEL32.dll::SetSystemTimeAdjustment

Comments