MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7afafcbfe0b9ec3f6f32a0657aef1318bef5db8e698da4d81db74d0233792af7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Adware.DigitalPulse


Vendor detections: 9



SHA256 hash: 7afafcbfe0b9ec3f6f32a0657aef1318bef5db8e698da4d81db74d0233792af7
SHA3-384 hash: 74d92b29d054c850a6c846e2531216906b05a3320b9feee3a82231c63940a62dce8f91b85e89566627bc60bde593415a
SHA1 hash: 779ca44c760089b597ae1abf2000bd89a0a53b17
MD5 hash: 90591e9f284040700b9cca160df5cb64
humanhash: floor-apart-massachusetts-king
File name: MassTube Plus 1700502 Portable.exe
Signature: Adware.DigitalPulse
File size: 3'261'669 bytes
First seen: 2023-09-02 09:55:59 UTC
Last seen: 2023-09-02 10:34:21 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash e569e6f445d32ba23766ad67d1e3787f (262 x Adware.Generic, 41 x RecordBreaker, 24 x RedLineStealer)
ssdeep 98304:ykLmoYWh8JAV/VH97F3tlQ+gt29s4C1eH9D:dDQJAZVdVQ+gt5o9D
TLSH T1E1E5F13FF268A13ED5AA1B3245738320997B7A51A81A8C0F47FC384CCF765601E3B656
TrID 50.4% (.EXE) Inno Setup installer (109740/4/30)
19.7% (.EXE) InstallShield setup (43053/19/16)
19.1% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
4.8% (.EXE) Win64 Executable (generic) (10523/12/4)
2.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE): PE icon
dhash icon 5050d270cccc82ae (109 x Adware.Generic, 43 x LummaStealer, 42 x OffLoader)
Reporter smica83
Tags: Adware.DigitalPulse exe HUN NetSupport

Intelligence


File Origin
# of uploads: 2
# of downloads: 409
Origin country: HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
MassTube Plus 1700502 Portable.exe
Verdict:
No threats detected
Analysis date:
2023-09-02 09:57:53 UTC
Tags:
installer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating synchronization primitives
Searching for synchronization primitives
Searching for the window
Sending a custom TCP request
Gathering data
Verdict:
Suspicious
Threat level:
5/10
Confidence:
100%
Tags:
control fingerprint installer lolbin overlay packed setupapi shell32
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
NetSupport RAT, Stealc, Vidar
Detection:
malicious
Classification:
troj.spyw.evad
Score:
78 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
Contains functionality to modify clipboard data
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses ping.exe to check the status of other devices and networks
Yara detected Stealc
Yara detected Vidar stealer
Behaviour
Behavior Graph: (graph image not reproduced; Behavior Graph ID: 1302088, Sample: MassTube_Plus_1700502_Porta..., Startdate: 02/09/2023, Architecture: WINDOWS, Score: 78)
Threat name:
Win32.Trojan.Generic
Status:
Malicious
First seen:
2023-09-02 08:27:39 UTC
File Type:
PE (Exe)
Extracted files:
404
AV detection:
8 of 24 (33.33%)
Threat level:
2/5
Verdict:
malicious
Result
Malware family:
n/a
Score:
7/10
Tags:
n/a
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Executes dropped EXE
Loads dropped DLL
Unpacked files
SHA256 hash:
64ff97eb9eca31b5a01ceee1b2c52cdd65667b2b203399c37ddb5f0f0f920016
MD5 hash:
eb687fe3e9ad431ee16788a0205adbcb
SHA1 hash:
d4f50a54357cc3abfeeace20528c3f057b604309
SHA256 hash:
7afafcbfe0b9ec3f6f32a0657aef1318bef5db8e698da4d81db74d0233792af7
MD5 hash:
90591e9f284040700b9cca160df5cb64
SHA1 hash:
779ca44c760089b597ae1abf2000bd89a0a53b17
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Borland
Author: malware-lu
Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments