MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 76ce1cdcd5ba25463a1bef3e9d6088f92128f67f33fe78fb735219d335bf5f4a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 7

SHA256 hash: 76ce1cdcd5ba25463a1bef3e9d6088f92128f67f33fe78fb735219d335bf5f4a
SHA3-384 hash: e89a552cb72865f383c33db7c0af31c81a1dcfddc541cded3ca8614ac1cd2752600408b7b16346124649a8ed32ca5912
SHA1 hash: d8e9b0ac420522b0eff9578ab803fec77666d48f
MD5 hash: 5179350cf4c9cf223b70cfa375f168f6
humanhash: lactose-london-solar-lactose
File name: SecuriteInfo.com.Trojan.Siggen15.47840.31274.30999
File size: 29'672'952 bytes
First seen: 2021-11-28 23:32:55 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: eb5bc6ff6263b364dfbfb78bdb48ed59 (54 x Adware.Generic, 18 x RaccoonStealer, 8 x Adware.ExtenBro)
ssdeep: 786432:KPLBBBAarluFO0YWDmohNE1owDk7iluASy1tGkGg:8XAjAvWC7eF7i4Nyn7N
Threatray: 5 similar samples on MalwareBazaar
TLSH: T126573317B590AA7EC49E36364373B110597B7E41E412AD12BBF8E04CDF7A1C01E3AE66
dhash icon: 8e173371c9c871b2
Reporter: SecuriteInfoCom
Tags: exe signed

Code Signing Certificate

Organisation: HONGKONG LINGYUN NETWORK MDT INFOTECH LIMITED
Issuer: DigiCert EV Code Signing CA
Algorithm: sha1WithRSAEncryption
Valid from: 2020-09-09T00:00:00Z
Valid to: 2023-09-14T12:00:00Z
Serial number: 094eb707a6350745a41a853eeaf33c57
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint algorithm: SHA256
Thumbprint: cb8b3c8657687d02a5ed6aca4a74cd0d897a1bf5e6a4fb10f8ac082cd1d2e181
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads: 1
# of downloads: 130
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: Setup.exe
Verdict: Malicious activity
Analysis date: 2021-11-23 03:41:24 UTC
Tags: evasion trojan loader opendir rat redline stealer vidar

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating synchronization primitives
Searching for synchronization primitives
DNS request
Sending a custom TCP request

Result
Verdict: UNKNOWN

Result
Threat name: Unknown
Detection: suspicious
Classification: troj.evad
Score: 26 / 100
Signature
Changes security center settings (notifications, updates, antivirus, firewall)
May check the online IP address of the machine
Obfuscated command line found
Behaviour
Behavior Graph:
[Behavior graph (image residue). Recoverable data: Behavior Graph ID 530042; sample SecuriteInfo.com.Trojan.Siggen15.47840.31274.exe; start date 29/11/2021; architecture WINDOWS; score 26. Contacted hosts: tom.myip.top, na.lb.willmam.com, 127.0.0.1 (unknown), and 3 other IPs or domains. Processes started: the sample, its dropped SecuriteInfo.com.Trojan.Siggen15.47840.31274.tmp (PE32), svchost.exe (x2), MpCmdRun.exe, conhost.exe, and 8 other processes. Files dropped by the .tmp installer: C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+), C:\...\vcruntime140.dll (copy, PE32), C:\Program Files (x86)\...\update.exe (copy, PE32), and 254 other files (none is malicious). Signatures: May check the online IP address of the machine; Obfuscated command line found; Changes security center settings (notifications, updates, antivirus, firewall).]
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Loads dropped DLL
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: crime_win32_ransom_avaddon_1
Author: @VK_Intel
Description: Detects Avaddon ransomware
Reference: https://twitter.com/VK_Intel/status/1300944441390370819

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 76ce1cdcd5ba25463a1bef3e9d6088f92128f67f33fe78fb735219d335bf5f4a (this sample)

Delivery method: Distributed via web download
