MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 79e715893ab09905956babde38423d0a5bf8473fad5857ba8a2729039d82689a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 13 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 79e715893ab09905956babde38423d0a5bf8473fad5857ba8a2729039d82689a
SHA3-384 hash: 5047eb31678c678ae4e0e2f8b70c87f65fd3391d9ad841e12116b4f936a8811dc860e3344a0513555786f389228cd9f6
SHA1 hash: b5e007b777bc4bd52b2fcdde87c54adc884ca0fe
MD5 hash: 84b8c0a322b8a6126e41090dbfec1ec5
humanhash: berlin-single-seventeen-jig
File name:SecuriteInfo.com.Program.Unwanted.1364.20073.10572
Download: download sample
File size:44'514'552 bytes
First seen:2024-01-20 05:32:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4e96b11dc774bb826232ae325fb1370a
ssdeep 786432:jgNsw3znhr1JaOo2FsVPPt8aEWJbxteXi0DwMdubhPTStV:jisyznhrc2Fslt8aXdQS0sP7Sr
Threatray 4 similar samples on MalwareBazaar
TLSH T15FA7230B66F5412EE1B2C671ACBFCE6159657C6F5A35818BB280EE081DF0781B923737
TrID 68.8% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
12.5% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.4% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon d0cc197171190c40
Reporter SecuriteInfoCom
Tags:exe signed

Code Signing Certificate

Organisation:AVANQUEST SOFTWARE
Issuer:Symantec Class 3 SHA256 Code Signing CA
Algorithm:sha256WithRSAEncryption
Valid from:2015-02-13T00:00:00Z
Valid to:2017-03-06T23:59:59Z
Serial number: 6720eb953fb3b3dd5351ff987a4d7cd7
Thumbprint Algorithm:SHA256
Thumbprint: 83e8932d2f2352cefb37358a81074476260ffc85d037664bd395fd66ac161e80
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
432
Origin country :
FR FR
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
DNS request
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Sending an HTTP POST request
Creating a window
Searching for synchronization primitives
Creating a file
Creating a process from a recently created file
Moving a file to the %temp% subdirectory
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
CAB disk evasive explorer fingerprint hook installer keylogger lolbin lolbin overlay packed rat setupapi shell32
Link:
https://www.filescan.io/uploads/65ab5b10499f5240353e6902/reports/52d8e1a8-e5c8-4bd0-a14c-ed6e7f5b83eb/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/79e715893ab09905956babde38423d0a5bf8473fad5857ba8a2729039d82689a
Result
Verdict:
MALICIOUS
Result
Threat name:
n/a
Detection:
suspicious
Classification:
rans.evad
Score:
32 / 100
Link:
https://www.joesandbox.com/analysis/1377901
Signature
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to detect sleep reduction / modifications
Creates an undocumented autostart registry key
Drops executables to the windows directory (C:\Windows) and starts them
PE file has a writeable .text section
Writes many files with high entropy
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1377901 Sample: SecuriteInfo.com.Program.Un... Startdate: 20/01/2024 Architecture: WINDOWS Score: 32 130 webinstaller.avanquest.com 2->130 132 tools.avanquest.com 2->132 134 3 other IPs or domains 2->134 142 PE file has a writeable .text section 2->142 144 Writes many files with high entropy 2->144 10 SecuriteInfo.com.Program.Unwanted.1364.20073.10572.exe 5 128 2->10         started        14 msiexec.exe 2->14         started        16 svchost.exe 1 1 2->16         started        19 6 other processes 2->19 signatures3 process4 dnsIp5 112 C:\Users\user\AppData\Local\...\setup.exe, PE32 10->112 dropped 114 C:\Users\user\AppData\Local\...\ISAdmin.exe, PE32 10->114 dropped 116 C:\Users\user\AppData\Local\...116ewUI.dll, PE32 10->116 dropped 124 20 other files (19 malicious) 10->124 dropped 154 Writes many files with high entropy 10->154 156 Contains functionality to compare user and computer (likely to detect sandboxes) 10->156 158 Contains functionality to detect sleep reduction / modifications 10->158 21 ISAdmin.exe 102 520 10->21         started        118 C:\Users\user\...\InstallAX_11_9_900_117.exe, PE32 14->118 dropped 120 C:\Windows\SysWOW64\vcomp110.dll, PE32 14->120 dropped 122 C:\Windows\SysWOW64\vccorlib110.dll, PE32 14->122 dropped 126 4 other files (none is malicious) 14->126 dropped 26 InstallAX_11_9_900_117.exe 14->26         started        28 msiexec.exe 14->28         started        128 127.0.0.1 unknown unknown 16->128 30 conhost.exe 19->30         started        32 vcredist_x86.exe 19->32         started        file6 signatures7 process8 dnsIp9 136 tools.avanquest.com 37.59.71.204, 49746, 80 OVHFR France 21->136 138 ftp6.avanquest.com 51.79.103.210, 49747, 49750, 80 OVHFR Canada 21->138 96 C:\Users\user\AppData\...\shfolder.dll (copy), PE32 21->96 dropped 98 C:\Users\user\AppData\Local\...\shf2DF0.tmp, PE32 21->98 dropped 100 C:\Users\user\AppData\...\isrt.dll (copy), PE32 21->100 dropped 108 453 other files (441 malicious) 21->108 dropped 146 Writes many files with high entropy 21->146 34 Avanquest_Message_2.exe 21->34         started        37 vcredist_x86.exe 21->37         started        39 ISBEW64.exe 21->39         started        48 8 other processes 21->48 102 C:\...\FlashUtil32_11_9_900_117_ActiveX.exe, PE32 26->102 dropped 104 C:\...\FlashUtil32_11_9_900_117_ActiveX.dll, PE32 26->104 dropped 106 C:\Windows\...\FlashPlayerUpdateService.exe, PE32 26->106 dropped 110 4 other malicious files 26->110 dropped 148 Creates an undocumented autostart registry key 26->148 150 Drops executables to the windows directory (C:\Windows) and starts them 26->150 41 InstallFlashPlayer.exe 26->41         started        44 FlashPlayerUpdateService.exe 26->44         started        46 cmd.exe 26->46         started        file10 signatures11 process12 file13 66 C:\Users\user\AppData\Local\...\Setup.exe, PE32 34->66 dropped 68 C:\Users\user\AppData\Local\...\French.lng, PE32 34->68 dropped 70 C:\Users\user\AppData\Local\...\FCWC9CA.001, Microsoft 34->70 dropped 72 C:\Users\user\AppData\Local\Temp\...\Data.cab, Microsoft 34->72 dropped 50 Setup.exe 34->50         started        74 C:\ProgramData\...\vcredist_x86.exe, PE32 37->74 dropped 53 vcredist_x86.exe 37->53         started        76 C:\...\FlashUtil64_11_9_900_117_ActiveX.exe, PE32+ 41->76 dropped 78 C:\...\FlashUtil64_11_9_900_117_ActiveX.dll, PE32+ 41->78 dropped 80 C:\Windows\...\Flash64_11_9_900_117.ocx, PE32+ 41->80 dropped 82 2 other malicious files 41->82 dropped 152 Creates an undocumented autostart registry key 41->152 55 cmd.exe 41->55         started        57 conhost.exe 44->57         started        59 conhost.exe 46->59         started        signatures14 process15 file16 84 C:\Users\user\AppData\Roaming\...\Setup.exe, PE32 50->84 dropped 86 C:\Users\user\AppData\Roaming\...\Setup.exe, PE32 50->86 dropped 88 C:\Users\user\AppData\Local\...\IAMCu.dll, PE32 50->88 dropped 90 C:\Users\user\AppData\Local\...\AQNotif.exe, PE32 50->90 dropped 61 AQNotif.exe 50->61         started        92 C:\Users\user\AppData\...\vcredist_x86.exe, PE32 53->92 dropped 94 C:\Users\user\AppData\Local\...\wixstdba.dll, PE32 53->94 dropped 64 conhost.exe 55->64         started        process17 dnsIp18 140 dhcppd6c99x6i.cloudfront.net 99.84.191.107, 49751, 49752, 49753 AMAZON-02US United States 61->140
Score:
1%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/79e715893ab09905956babde38423d0a5bf8473fad5857ba8a2729039d82689a
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=phtrlcj2wcmqlfllvppdqqr5bjn7qrz7vvmfpouke4uqhhmcncna._file
Verdict:
unknown
Similar samples:
2bdbda22178207fe5dc4ad303e4dfbc5d01a0d52781a67933fce2c1a50dfccc1
79e715893ab09905956babde38423d0a5bf8473fad5857ba8a2729039d82689a
Result
Malware family:
n/a
Score:
  5/10
Tags:
discovery persistence
Link:
https://tria.ge/reports/240120-f8vxjache5/
Behaviour
Modifies registry class
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Registers COM server for autorun
Checks computer location settings
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/79e715893ab09905956babde38423d0a5bf8473fad5857ba8a2729039d82689a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments