MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7822fa6c35cbd1cfb95c780970deef14d8b53c62ade3a4bcf63c494c3f2e5bbd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown

Vendor detections: 11


SHA256 hash: 7822fa6c35cbd1cfb95c780970deef14d8b53c62ade3a4bcf63c494c3f2e5bbd
SHA3-384 hash: e4d4d4ed2a512e858c519517667b91127651480f9d3915e93202353e9611b27bbb29f714fadd04d3ae780140a7505509
SHA1 hash: 30ebac4eb84aa036bed8f8931b6493348b87108a
MD5 hash: b2bb695b656dfb91e01967de3a8beee3
humanhash: connecticut-september-ink-east
File name: IDM 6.xx Activator or Resetter v3.3.exe
Download: download sample
File size: 534'967 bytes
First seen: 2024-04-01 08:05:11 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: b5a014d7eeb4c2042897567e1288a095 (23 x HijackLoader, 14 x ValleyRAT, 12 x LummaStealer)
ssdeep: 12288:Mk5L2FqPzzhB4kLSQ4ybubjWlj+o2sjdg:M2yQPvnlS7ybubjKj+NsRg
TLSH: T1C7B4F12276E191F9D2E046714A4DE2BCA6A9DF370DE4890F17CCCE4B7AA1581F7063C6
TrID: 38.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      24.6% (.EXE) Win64 Executable (generic) (10523/12/4)
      11.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
      10.5% (.EXE) Win32 Executable (generic) (4504/4/1)
      4.7% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE): PE icon
dhash icon: 50dc06939bc2ec70 (1 x CoinMiner)
Reporter: likeastar20
Tags: exe

Intelligence

File Origin
# of uploads: 1
# of downloads: 65
Origin country: RO

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: IDM 6.xx Activator or Resetter v3.3.exe
Verdict: Malicious activity
Analysis date: 2024-03-31 22:00:54 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% subdirectories
Enabling the 'hidden' option for files in the %temp% directory
Creating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a process from a recently created file
Launching cmd.exe command interpreter
Creating a file
Adding an exclusion to Microsoft Defender
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: fingerprint installer lolbin masquerade overlay packed phishing shell32
Result
Threat name: n/a
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
Found suspicious powershell code related to unpacking or dynamic code loading
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Passes commands via pipe to a shell (likely to bypass AV or HIPS)
Performs DNS queries to domains with low reputation
Queries sensitive system registry key value via command line tool
Sigma detected: Potential WinAPI Calls Via CommandLine
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Uses cmd line tools excessively to alter registry or file data
Behaviour
Behavior Graph: Behavior Graph ID 1418081 (sample: IDM 6.xx Activator or Resetter v3.3.exe, start date 01/04/2024, architecture WINDOWS, score 100). The graph rendering is not reproduced here; the nodes it lists are the contacted domains server.custompool.xyz and www.crackingcity.com and the process tree of cmd.exe, conhost.exe, powershell.exe, reg.exe and 7za.exe instances spawned by the sample.
Threat name: Win32.Trojan.Casdet
Status: Malicious
First seen: 2024-03-30 07:06:00 UTC
File Type: PE (Exe)
Extracted files: 7
AV detection: 16 of 24 (66.67%)
Threat level: 5/5
Result
Malware family: n/a
Score: 10/10
Tags: evasion
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Modifies registry class
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Launches sc.exe
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
Sets file to hidden
Malware Config
Dropper Extraction: https://www.crackingcity.com/VScan/dlIhost.7z

Unpacked files
SHA256 hash: d07f954a35c55a2c7a683409cb04d2b1fd1a0e66370bf669dbe7904ee199bbaf
MD5 hash: 915b3c55fd8bda70d21d7969e1f21c6c
SHA1 hash: d2a300c33dc6abe46044d68eb9f9f367751ba3e8
Detections: NSudo NanaRun INDICATOR_TOOL_NSudo

SHA256 hash: e0e2c7d0f740fe2a4e8658ce54dfb6eb3c47c37fe90a44a839e560c685f1f1fa
MD5 hash: e3c061fa0450056e30285fd44a74cd2a
SHA1 hash: 8c7659e6ee9fe5ead17cae2969d3148730be509b

SHA256 hash: 64b11c86bbdd852639b95f4f4edfe664f09f935ac1d068147ca78c58fa877120
MD5 hash: 15b8fdcf721a12b34fe51c1ba46408ca
SHA1 hash: 72009021f768beaacda4485650834e8223dc57f1

SHA256 hash: 7822fa6c35cbd1cfb95c780970deef14d8b53c62ade3a4bcf63c494c3f2e5bbd
MD5 hash: b2bb695b656dfb91e01967de3a8beee3
SHA1 hash: 30ebac4eb84aa036bed8f8931b6493348b87108a
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_NX | Missing Non-Executable Memory Protection | critical
CHECK_PIE | Missing Position-Independent Executable (PIE) Protection | high
CHECK_TRUST_INFO | Requires Elevated Execution (level: requireAdministrator) | high

Reviews
ID | Capabilities | Evidence
COM_BASE_API | Can Download & Execute components | ole32.dll::CoCreateInstance, ole32.dll::CreateStreamOnHGlobal
SHELL_API | Manipulates System Shell | SHELL32.dll::ShellExecuteExW, SHELL32.dll::ShellExecuteW, SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CloseHandle, KERNEL32.dll::CreateThread
WIN_BASE_API | Uses Win Base API | KERNEL32.dll::LoadLibraryA, KERNEL32.dll::GetDriveTypeW, KERNEL32.dll::GetStartupInfoA, KERNEL32.dll::GetDiskFreeSpaceExW, KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CreateDirectoryW, KERNEL32.dll::CreateFileW, KERNEL32.dll::DeleteFileW, KERNEL32.dll::GetSystemDirectoryW, KERNEL32.dll::GetFileAttributesW, KERNEL32.dll::FindFirstFileW
WIN_USER_API | Performs GUI Actions | USER32.dll::CreateWindowExW

Comments