MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7eb0014fac4365b6b61002f165673956d5e5efaba16efafebe9575396f58c09e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7eb0014fac4365b6b61002f165673956d5e5efaba16efafebe9575396f58c09e
SHA3-384 hash: 7bfdece271ce75274d2f88d0bda2b03d3d902a0750fc97720c8a6994bcadd38a7de5a5e1752ca4d014c7f5ff74c097b2
SHA1 hash: 5e77bc598c4d6db2236b2dcfd6f1b4c68472873c
MD5 hash: efc2f6683db49c074ed2e5e389763884
humanhash: romeo-east-salami-autumn
File name:ChromeSetup
Download: download sample
File size:153'121 bytes
First seen:2024-03-07 19:19:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ba072a972fe6c47c8cf7a0347bb0af7a (3 x Rhadamanthys, 1 x GuLoader, 1 x RemcosRAT)
ssdeep 768:p+/unhi1zOzZ+/unhi1zOzAkw+/unhi1zOzxM+/unhi1zOz:pti5OzZti5Oz2ti5Ozati5Oz
TLSH T194E3CC47AE267F91D80441BB2E1193D417183FAE750B8E77704BB067F9B0EAD2C967A0
TrID 37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
12.7% (.EXE) Win64 Executable (generic) (10523/12/4)
7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon e9d5f0d5ddd5dde9 (3 x ParallaxRAT, 3 x Rhadamanthys, 1 x CoinMiner)
Reporter rmceoin
Tags:exe


Avatar
rmceoin
91.92.250.150/Downloads/ChromeSetup.exe.lnk
lastmodified: Thu, 07 Mar 2024 12:42:48 GMT
LNK -> mshta http://89.23.98.210/ChromeSetup -> https://arf.berkeley.edu/update/ChromeSetup.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
388
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d740d3c26404ee20b5d4b9863c9fb4d402518c2a5c752e5a6c79ff060981b3f3.lnk
Verdict:
Malicious activity
Analysis date:
2024-03-07 19:21:33 UTC
Tags:
loader
Link:
https://app.any.run/tasks/1bceb41c-e98e-46ec-bd4a-19269b089411

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Clean
Maliciousness:

Behaviour
Launching a process
Creating a window
Сreating synchronization primitives
Launching a service
Searching for synchronization primitives
Verdict:
No Threat
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm lolbin overlay shell32
Link:
https://www.filescan.io/uploads/65ea13681d6034c3c02993a0/reports/e540d91c-982b-44e6-b66e-6ae3b8ddbe36/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/7eb0014fac4365b6b61002f165673956d5e5efaba16efafebe9575396f58c09e
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/54b24b13-d539-4abf-9f3f-f55a24f9a902
Result
Threat name:
n/a
Detection:
clean
Classification:
n/a
Score:
4 / 100
Link:
https://www.joesandbox.com/analysis/1405043
Behaviour
Behavior Graph:
n/a
Score:
97%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/7eb0014fac4365b6b61002f165673956d5e5efaba16efafebe9575396f58c09e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7eb0014fac4365b6b61002f165673956d5e5efaba16efafebe9575396f58c09e/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=p2yact5mins3nnqqalywkzzzk3k6l35lufxpv7v6sv2ts32yycpa._file
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/240307-x13e3scf4w/
Behaviour
Modifies registry class
Suspicious use of SetWindowsHookEx
Unpacked files
SH256 hash:
7eb0014fac4365b6b61002f165673956d5e5efaba16efafebe9575396f58c09e
MD5 hash:
efc2f6683db49c074ed2e5e389763884
SHA1 hash:
5e77bc598c4d6db2236b2dcfd6f1b4c68472873c
Link:
https://www.unpac.me/results/cfd562a1-7164-4184-8ef9-35626e622b89/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7eb0014fac4365b6b61002f165673956d5e5efaba16efafebe9575396f58c09e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:QbotStuff
Create hunting rule
Author:anonymous

File information

The table below shows additional information about this malware sample such as delivery method and external references.

e5c44b0338c36ae76e5d99f19bef5495e736a1f628898a5606e2092272b73d07

Rhadamanthys

Shortcut (lnk) lnk d740d3c26404ee20b5d4b9863c9fb4d402518c2a5c752e5a6c79ff060981b3f3

Executable exe 7eb0014fac4365b6b61002f165673956d5e5efaba16efafebe9575396f58c09e

(this sample)

unknown f3e6d8f973c6c8e1ab02c684e0a40bdd77e73ec7fd360f322da01f268582c655

  
Dropped by
SHA256 d740d3c26404ee20b5d4b9863c9fb4d402518c2a5c752e5a6c79ff060981b3f3
  
Dropping
SHA256 f3e6d8f973c6c8e1ab02c684e0a40bdd77e73ec7fd360f322da01f268582c655
  
Dropping
MD5 246c5ec56ada0c11e39bd12720e37e9d
  
Dropped by
MD5 25dcb3a32c4d9c4c7876ff0c8581f7c2

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteW
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
api-ms-win-core-processthreads-l1-1-0.dll::GetStartupInfoW

Comments