MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 770ecdc1bbda3d9400d992448dcb03597ecb46a1c596dc9b6018a9cd0df681bf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 10

SHA256 hash: 770ecdc1bbda3d9400d992448dcb03597ecb46a1c596dc9b6018a9cd0df681bf
SHA3-384 hash: aee707d28dfd0da73f0de3c5ff43b8c186f35b92fbbd0768a5a8a8fb5e03e271a8736fae8f369501fb6fdf9be1860a03
SHA1 hash: 8dc847b3f4e190b0719d37abb0f8f31e8108b0c9
MD5 hash: 5fcf749ca95a51c345d4fafe1d542cfc
humanhash: rugby-beer-fish-tango
File name: 5fcf749ca95a51c345d4fafe1d542cfc.exe
File size: 1'794'588 bytes
First seen: 2023-06-19 09:49:55 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: e569e6f445d32ba23766ad67d1e3787f (259 x Adware.Generic, 41 x RecordBreaker, 24 x RedLineStealer)
ssdeep: 24576:s7FUDowAyrTVE3U5F/q1lOR1dcMKic6QL3E2vVsjECUAQT45deRV9Ra:sBuZrEUoq1dcMKIy029s4C1eH9U
Threatray: 13 similar samples on MalwareBazaar
TLSH: T19E85CF3FF268A13EC56A1B3245B38310997BBA51B81A8C1E47FC384DCF765601E3B656
TrID: 50.4% (.EXE) Inno Setup installer (109740/4/30)
      19.7% (.EXE) InstallShield setup (43053/19/16)
      19.1% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
      4.8% (.EXE) Win64 Executable (generic) (10523/12/4)
      2.0% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 5050d270cccc82ae (109 x Adware.Generic, 43 x LummaStealer, 42 x OffLoader)
Reporter: abuse_ch
Tags: exe
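The hash fields above are what you check a local copy against before touching it. The script below is an added example and not MalwareBazaar's own code: it parses the hash and size lines in the form they appear on this page, computes the same four digests over a file with the standard library, and reports field by field which ones match. The bytes it hashes when run without an argument are a constructed stand-in (the string "abc"), not the real sample; the size check is there because a mismatch there usually means you are hashing the still-zipped download or a truncated copy.

```python
"""Verify a local file against the hash set of a MalwareBazaar entry.
Added example, not MalwareBazaar's own code. Hash lines are parsed in the
form they appear on the entry page; b"abc" below is a constructed stand-in."""
import hashlib
import re
import sys

# Constructed input: the hash and size lines copied from this entry.
ENTRY_TEXT = """\
SHA256 hash: 770ecdc1bbda3d9400d992448dcb03597ecb46a1c596dc9b6018a9cd0df681bf
SHA3-384 hash: aee707d28dfd0da73f0de3c5ff43b8c186f35b92fbbd0768a5a8a8fb5e03e271a8736fae8f369501fb6fdf9be1860a03
SHA1 hash: 8dc847b3f4e190b0719d37abb0f8f31e8108b0c9
MD5 hash: 5fcf749ca95a51c345d4fafe1d542cfc
File size: 1'794'588 bytes
"""

# page label -> hashlib algorithm name
ALGOS = {"SHA256": "sha256", "SHA3-384": "sha3_384", "SHA1": "sha1", "MD5": "md5"}
HASH_RE = re.compile(r"^(SHA256|SHA3-384|SHA1|MD5) hash:\s*([0-9A-Fa-f]+)\s*$", re.M)
SIZE_RE = re.compile(r"^File size:\s*([\d']+) bytes", re.M)


def parse_entry(text):
    """Return ({hashlib_name: expected_hex}, size_in_bytes or None)."""
    expected = {ALGOS[label]: hexd.lower() for label, hexd in HASH_RE.findall(text)}
    m = SIZE_RE.search(text)
    size = int(m.group(1).replace("'", "")) if m else None  # page uses ' as thousands separator
    return expected, size


def hashes_of(data):
    """All four digests of the given bytes, keyed by hashlib name."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGOS.values()}


def verify(data, expected, size=None):
    """Return (all_ok, report). Size is checked alongside the digests: a wrong
    size usually means the file is still inside the password-protected archive
    or was truncated, which is worth knowing before reading four mismatches."""
    report = {}
    if size is not None:
        report["size"] = len(data) == size
    actual = hashes_of(data)
    for name, want in expected.items():
        report[name] = actual[name] == want
    return all(report.values()), report


if __name__ == "__main__":
    expected, size = parse_entry(ENTRY_TEXT)
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else b"abc"  # b"abc": constructed stand-in
    ok, report = verify(data, expected, size)
    for field, matched in report.items():
        print(f"{field:9} {'match' if matched else 'MISMATCH'}")
    sys.exit(0 if ok else 1)
```

Run it as `python verify_entry.py path/to/sample` after extracting the download; the exit code is 0 only when every field matches, so it drops straight into a triage script.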

Intelligence


File Origin
Uploads: 1
Downloads: 265
Origin country: NL

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 5fcf749ca95a51c345d4fafe1d542cfc.exe
Verdict: No threats detected
Analysis date: 2023-06-19 09:51:33 UTC
Tags: installer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating synchronization primitives
Searching for synchronization primitives
Searching for the window
Sending a custom TCP request

Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
CheckNumberOfProcessor
CheckCmdLine
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: installer lolbin overlay packed setupapi.dll shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: n/a
Detection: malicious
Classification: troj.evad.rans.phis
Score: 62 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates an autostart registry key pointing to binary in C:\Windows
Modifies Internet Explorer zone settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Snort IDS alert for network traffic
Tries to delay execution (extensive OutputDebugStringW loop)
Uses netsh to modify the Windows network and firewall settings
Writes a notice file (html or txt) to demand a ransom
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Behavior Graph ID: 890276
Sample: a1rzxoicOg.exe
Start date: 19/06/2023
Architecture: WINDOWS
Score: 62

Process tree (node numbers in brackets are the graph's own; "..." in paths is as shown in the graph):

[2] (root)
    Network: wsgeoip.lulusoft.com; wsgeoip.lavasoft.com; 7 other IPs or domains
    Signatures: Snort IDS alert for network traffic; Antivirus detection for URL or domain; Antivirus detection for dropped file; 4 other signatures
    Started: [12] a1rzxoicOg.exe, [15] msiexec.exe, [17] Windows Updater.exe, [20] DCIService.exe

[12] a1rzxoicOg.exe
    Dropped: C:\Users\user\AppData\...\a1rzxoicOg.tmp (PE32)
    Started: [22] a1rzxoicOg.tmp

[15] msiexec.exe
    Dropped: C:\Windows\Installer\MSIAD68.tmp (PE32); C:\Windows\Installer\MSIAD29.tmp (PE32); C:\Windows\Installer\MSIA8E1.tmp (PE32); 14 other malicious files
    Started: [27] msiexec.exe, [29] msiexec.exe, [31] msiexec.exe, [33] msiexec.exe

[17] Windows Updater.exe
    Network: allroadslimit.com 188.114.96.7, 443, 49717 CLOUDFLARENETUS European Union
    Dropped: C:\Windows\Temp\...\Windows Updater.exe (PE32)
    Started: [35] Windows Updater.exe

[22] a1rzxoicOg.tmp
    Network: webcompanion.com 104.18.211.25, 49760, 80 CLOUDFLARENETUS United States; act.reactionharbor.xyz 188.114.97.7, 49759, 80 CLOUDFLARENETUS European Union; londontownlink.com 164.92.247.217, 49709, 80 ASN-DPSDUS United States
    Dropped: C:\Users\user\AppData\Local\Temp\...\s1.exe (PE32); 4 other files (3 malicious)
    Signatures: Performs DNS queries to domains with low reputation
    Started: [37] s1.exe, [40] s0.exe

[27] msiexec.exe
    Network: pstbbk.com 157.230.96.32, 49712, 80 DIGITALOCEAN-ASNUS United States; collect.installeranalytics.com 52.73.64.126, 443, 49713, 49714 AMAZON-AESUS United States
    Dropped: C:\Users\user\AppData\Local\...\shiA0D4.tmp (PE32); C:\Users\user\AppData\Local\...\shiA008.tmp (PE32)
    Signatures: Query firmware table information (likely to detect VMs)
    Started: [43] taskkill.exe

[29] msiexec.exe
    Dropped: C:\Users\user\AppData\Local\...\shi94AF.tmp (PE32); C:\Users\user\AppData\Local\...\shi93E3.tmp (PE32)

[31] msiexec.exe
    Dropped: C:\Windows\Temp\shiF6C4.tmp (PE32); C:\Windows\Temp\shiF608.tmp (PE32)

[35] Windows Updater.exe
    Network: dl.likeasurfer.com 172.67.150.192, 443, 49728, 49734 CLOUDFLARENETUS United States
    Dropped: 4 other malicious files
    Started: [45] v113.exe

[37] s1.exe
    Dropped: 13 other malicious files
    Started: [47] WebCompanionInstaller.exe

[40] s0.exe
    Network: collect.installeranalytics.com
    Dropped: C:\Users\user\AppData\Roaming\...\decoder.dll (PE32); C:\Users\user\AppData\...\Windows Updater.exe (PE32); C:\Users\user\AppData\Local\...\shi91E0.tmp (PE32+); 3 other malicious files
    Started: [52] msiexec.exe

[43] taskkill.exe
    Started: [54] conhost.exe

[45] v113.exe
    Dropped: C:\Windows\Temp\shiF2DC.tmp (PE32+); C:\Windows\Temp\MSIF56E.tmp (PE32); C:\Windows\Temp\MSIF445.tmp (PE32); 2 other malicious files
    Started: [56] msiexec.exe

[47] WebCompanionInstaller.exe
    Network: wc-update-service.lavasoft.com 64.18.87.81, 49762, 80 MTOCA Canada; wcdownloadercdn.lavasoft.com 104.17.8.52, 49763, 80 CLOUDFLARENETUS United States; 4 other IPs or domains
    Dropped: C:\Program Files (x86)\...\DCIService.exe (PE32+); C:\Program Files (x86)\...\DCIService.exe (PE32); C:\...\WebCompanion.resources.dll (PE32); 203 other files (70 malicious)
    Signatures: Writes a notice file (html or txt) to demand a ransom; Modifies Internet Explorer zone settings; Sample is not signed and drops a device driver; Tries to delay execution (extensive OutputDebugStringW loop)
    Started: [58] rundll32.exe, [62] cmd.exe, [64] net.exe, [66] 7 other processes

[58] rundll32.exe
    Dropped: C:\Windows\system32\...\bddci.sys (copy) (PE32+); C:\Windows\System32\drivers\SET9541.tmp (PE32+)
    Signatures: Creates an autostart registry key pointing to binary in C:\Windows
    Started: [68] runonce.exe

[62] cmd.exe
    Signatures: Uses netsh to modify the Windows network and firewall settings
    Started: [70] conhost.exe, [72] sc.exe

[64] net.exe
    Started: [74] conhost.exe, [76] net1.exe

[66] 7 other processes
    Started: [78] conhost.exe, [80] conhost.exe, [82] conhost.exe, [84] 4 other processes

[68] runonce.exe
    Started: [86] grpconv.exe
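The network nodes in the behaviour graph are the part of this entry you can act on. The script below is an added example, not MalwareBazaar's or the sandbox's code: it parses node lines in the graph's "host ip, port, port ASN geo" form (the lines embedded in it are copied from this entry as a constructed input), separates the sandbox client's ephemeral ports (49152 and above, so "104.18.211.25, 49760, 80" yields server port 80) from the server port, merges hosts that appear on more than one node, and emits one Suricata 5+ dns.query rule per host. The sid base and the msg prefix are arbitrary local choices. One caveat before deploying the output: webcompanion.com and the lavasoft.com names belong to the Web Companion software that the dropped WebCompanionInstaller.exe and DCIService.exe point to, which is consistent with the Adware.Generic imphash and icon clusters listed above, so decide deliberately whether a DNS alert on those hosts is what you want.

```python
"""Extract network IOCs from a sandbox behaviour graph and turn them into
Suricata DNS-query rules. Added example; not MalwareBazaar or sandbox code.
BASE_SID and the msg prefix are arbitrary local choices."""
import re

# Constructed input: network node lines copied from the behaviour graph in
# this entry. Lines without an IP are hosts the graph lists by name only.
GRAPH_LINES = """
wsgeoip.lulusoft.com
wsgeoip.lavasoft.com
allroadslimit.com 188.114.96.7, 443, 49717 CLOUDFLARENETUS European Union
webcompanion.com 104.18.211.25, 49760, 80 CLOUDFLARENETUS United States
act.reactionharbor.xyz 188.114.97.7, 49759, 80 CLOUDFLARENETUS European Union
londontownlink.com 164.92.247.217, 49709, 80 ASN-DPSDUS United States
pstbbk.com 157.230.96.32, 49712, 80 DIGITALOCEAN-ASNUS United States
collect.installeranalytics.com 52.73.64.126, 443, 49713, 49714 AMAZON-AESUS United States
dl.likeasurfer.com 172.67.150.192, 443, 49728, 49734 CLOUDFLARENETUS United States
collect.installeranalytics.com
wc-update-service.lavasoft.com 64.18.87.81, 49762, 80 MTOCA Canada
wcdownloadercdn.lavasoft.com 104.17.8.52, 49763, 80 CLOUDFLARENETUS United States
"""

# host, then optionally: IPv4, comma-separated port list, ASN label, geo text
LINE_RE = re.compile(
    r"^(?P<host>[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)"
    r"(?:\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?P<ports>(?:,\s*\d+)+)"
    r"\s+(?P<asn>\S+)\s+(?P<geo>.+?))?\s*$"
)

EPHEMERAL_MIN = 49152  # Windows dynamic port range: the sandbox client's side
BASE_SID = 9000001      # arbitrary local sid range


def parse_iocs(text):
    """Return {host: {host, ip, ports, asn, geo}} with server-side ports only.
    A host seen on several graph nodes is merged into one record."""
    iocs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # counters like "7 other IPs or domains" carry nothing usable
        ioc = iocs.setdefault(m["host"], {"host": m["host"], "ip": None,
                                          "ports": set(), "asn": None, "geo": None})
        if m["ip"]:
            ports = [int(p) for p in m["ports"].split(",") if p.strip()]
            ioc["ip"] = m["ip"]
            ioc["ports"].update(p for p in ports if p < EPHEMERAL_MIN)
            ioc["asn"], ioc["geo"] = m["asn"], m["geo"]
    return iocs


def suricata_dns_rules(iocs, base_sid=BASE_SID, msg_prefix="MalwareBazaar 770ecdc1"):
    """One Suricata 5+ dns.query rule per host, in sorted host order so sids are
    stable across runs. content: is a substring match, so subdomains also hit."""
    rules = []
    for i, host in enumerate(sorted(iocs)):
        rules.append(
            f'alert dns $HOME_NET any -> any any (msg:"{msg_prefix} DNS query {host}"; '
            f'dns.query; content:"{host}"; nocase; sid:{base_sid + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    iocs = parse_iocs(GRAPH_LINES)
    for ioc in iocs.values():
        print(f'{ioc["host"]:32} {ioc["ip"] or "-":16} '
              f'ports={sorted(ioc["ports"]) or "-"} {ioc["asn"] or ""} {ioc["geo"] or ""}')
    print()
    print("\n".join(suricata_dns_rules(iocs)))
```

The parse step keeps IP, ASN and geo per host so the same records can feed an IP blocklist or a hunt query; only the DNS rule generator is shown because a DNS match survives the CDN-fronted IPs (several of these hosts sit behind Cloudflare, so the IPs are shared and short-lived).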
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2023-06-18 12:59:33 UTC
File Type: PE (Exe)
Extracted files: 15
AV detection: 14 of 24 (58.33%)
Threat level: 5/5

Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Executes dropped EXE
Loads dropped DLL
Unpacked files
SHA256 hash: d6bbfe0904046dff48d6c72f4cc504b91f9639f02e40193d8ccb2dadcf1e6cd6
MD5 hash: 82d50585e99ff5aa2ec221eeb1ff8037
SHA1 hash: 085b53ff906ce978fedf375257991ac404f56ca0

SHA256 hash: 6971d3cacc48e10e551f9ee1333c44d0f69422ee1fb220f8933a6daac81e2f8b
MD5 hash: ce7a559994af1ab808911a2190ba52ba
SHA1 hash: ea5cd61125fbf8bbeeac13709cb60665f5324893

SHA256 hash: 92ee7e5a068c426f4659b8a9a8715fe6898ade5e5ef64e22b7ece5972aabeaea
MD5 hash: 0ba94d74ed0c254d2a5cdff61142b5e7
SHA1 hash: d230a815e3988d0ccfc5d97cb4cad99f2f4301c6

SHA256 hash: 770ecdc1bbda3d9400d992448dcb03597ecb46a1c596dc9b6018a9cd0df681bf
MD5 hash: 5fcf749ca95a51c345d4fafe1d542cfc
SHA1 hash: 8dc847b3f4e190b0719d37abb0f8f31e8108b0c9
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Only results from TLP:CLEAR rules are displayed.

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

File information


The table below shows additional information about this malware sample such as delivery method and external references.
