MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7a6654d5323dd811636075a6ac479d07592237bae5f43657068752fa4502f651. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 12



SHA256 hash: 7a6654d5323dd811636075a6ac479d07592237bae5f43657068752fa4502f651
SHA3-384 hash: c61caa0fcf53a3f919c9291760e70867ee11816fd2c65e4e22e05fe3795ea89da1dd0c1b14505e2d0e2ecb50a08a04f5
SHA1 hash: d4a5beb1297638cd971a846565e1ed162524d6fe
MD5 hash: cb8817ae67285260cb9ef07ec664721e
humanhash: hawaii-october-massachusetts-sixteen
File name: cb8817ae67285260cb9ef07ec664721e.exe
Download: download sample
File size: 3'748'016 bytes
First seen: 2024-09-17 14:01:08 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep: 98304:87I42zAzSKNlNWdPlkC9p054uDmVYcxFz+gp+6aH:UIp0z3NLk9p64uDmVYcxFz34
TLSH: T184063393EFC494B6CA6C1BB949F8E613043DBF965F7940C71A85C17B38B0A52A235339
TrID:
  41.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
  22.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  11.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
  7.5% (.EXE) Win64 Executable (generic) (10523/12/4)
  4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
Magika: pebin
dhash icon: f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter: abuse_ch
Tags: exe signed

Code Signing Certificate

Organisation: Poll Soft Corp
Issuer: Poll Soft Corp
Algorithm: sha256WithRSAEncryption
Valid from: 2024-09-13T13:08:35Z
Valid to: 2034-09-11T13:08:35Z
Serial number: 6acfb3f6b56a1682cfae9ab761df241ee9b752de
Thumbprint Algorithm: SHA256
Thumbprint: b18c9aa3564a9c6093454eabc3664c6b9aeb92499a5a1b204f5b3d8fd05b5d19
Source: ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads: 1
# of downloads: 396
Origin country: NL

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: cb8817ae67285260cb9ef07ec664721e.exe
Verdict: Suspicious activity
Analysis date: 2024-09-17 14:04:10 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 99.9%
Tags: Discovery Encryption Execution Generic Network Other Static Stealth Trojan Dropper

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: advpack anti-vm CAB cmd epmicrosoft_visual_cc evasive expand explorer installer lolbin lolbin microsoft_visual_cc overlay packed rundll32 setupapi sfx shell32

Result
Verdict: MALICIOUS
Details
Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: n/a
Detection: malicious
Classification: n/a
Score: 48 / 100
Signature: Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
  Behavior Graph ID: 1512539; Sample: Jv8fOnU0dO.exe; Start date: 17/09/2024; Architecture: WINDOWS; Score: 48
  Signatures: Multi AV Scanner detection for submitted file
  Processes started: Jv8fOnU0dO.exe and rundll32.exe (from the start node); cmd.exe (from Jv8fOnU0dO.exe); fcdnkqrvdh.exe and conhost.exe (from cmd.exe)
  Files dropped: C:\Users\user\AppData\Local\...\gaaauaaq.pmjb (PE32+, by Jv8fOnU0dO.exe); C:\Users\user\AppData\...\fcdnkqrvdh.exe (PE32, by cmd.exe)
Threat name: Win32.Trojan.Whispergate
Status: Malicious
First seen: 2024-09-13 20:27:00 UTC
File Type: PE (Exe)
Extracted files: 42
AV detection: 13 of 24 (54.17%)
Threat level: 5/5
Verdict: unknown

Result
Malware family: n/a
Score: 7/10
Tags: discovery persistence
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Adds Run key to start application
Executes dropped EXE

Unpacked files
SHA256 hash: 3e4ac737116b4494b5ba31b16a1b4d5b234ca3b05bce1db403688ce98001bfad
MD5 hash: 396499ab1ab4666e4202aebbf8aaca74
SHA1 hash: e5982c3b7eb496a4d52371471fd0cf17f477634f

SHA256 hash: b7e5e177b5c651bb70a87a4510d18c5bf6f007c28d8c7a5c4ba930d7c7dcea2e
MD5 hash: ffc39c0112160d318146462a7b2e1c00
SHA1 hash: d5ac357e98d1de6381649f62ebbbaf829e0bc2f6

SHA256 hash: 7a6654d5323dd811636075a6ac479d07592237bae5f43657068752fa4502f651
MD5 hash: cb8817ae67285260cb9ef07ec664721e
SHA1 hash: d4a5beb1297638cd971a846565e1ed162524d6fe

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Detect_APT29_WINELOADER_Backdoor
Author: daniyyell
Description: Detects APT29's WINELOADER backdoor variant used in phishing campaigns; this rule also detects bad pdf, shtml, htm and vbs, or maybe more, depends
Reference: https://cloud.google.com/blog/topics/threat-intelligence/apt29-wineloader-german-political-parties

Rule name: detect_Redline_Stealer
Author: Varp0s

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

ID                         Title                                                   Severity
CHECK_DLL_CHARACTERISTICS  Missing dll Security Characteristics (HIGH_ENTROPY_VA)  high

Reviews

ID                   Capabilities                      Evidence
AUTH_API             Manipulates User Authorization    ADVAPI32.dll::AllocateAndInitializeSid
                                                       ADVAPI32.dll::EqualSid
                                                       ADVAPI32.dll::FreeSid
SECURITY_BASE_API    Uses Security Base API            ADVAPI32.dll::AdjustTokenPrivileges
                                                       ADVAPI32.dll::GetTokenInformation
WIN32_PROCESS_API    Can Create Process and Threads    KERNEL32.dll::CreateProcessA
                                                       ADVAPI32.dll::OpenProcessToken
                                                       KERNEL32.dll::CloseHandle
                                                       KERNEL32.dll::CreateThread
WIN_BASE_API         Uses Win Base API                 KERNEL32.dll::TerminateProcess
                                                       KERNEL32.dll::LoadLibraryA
                                                       KERNEL32.dll::LoadLibraryExA
                                                       KERNEL32.dll::GetDriveTypeA
                                                       KERNEL32.dll::GetVolumeInformationA
                                                       KERNEL32.dll::GetSystemInfo
WIN_BASE_IO_API      Can Create Files                  KERNEL32.dll::CreateDirectoryA
                                                       KERNEL32.dll::CreateFileA
                                                       KERNEL32.dll::DeleteFileA
                                                       KERNEL32.dll::GetWindowsDirectoryA
                                                       KERNEL32.dll::GetSystemDirectoryA
                                                       KERNEL32.dll::GetFileAttributesA
WIN_BASE_USER_API    Retrieves Account Information     ADVAPI32.dll::LookupPrivilegeValueA
WIN_REG_API          Can Manipulate Windows Registry   ADVAPI32.dll::RegCreateKeyExA
                                                       ADVAPI32.dll::RegOpenKeyExA
                                                       ADVAPI32.dll::RegQueryInfoKeyA
                                                       ADVAPI32.dll::RegQueryValueExA
                                                       ADVAPI32.dll::RegSetValueExA
WIN_USER_API         Performs GUI Actions              USER32.dll::PeekMessageA

Comments