MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7fcbf3fb2673cd4581e32782af7010e04f99561bc725dcfe47d7c54d480b00e3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 10

Intelligence 10 IOCs YARA 4 File information Comments

SHA256 hash:	7fcbf3fb2673cd4581e32782af7010e04f99561bc725dcfe47d7c54d480b00e3
SHA3-384 hash:	d4e49ea763d8cc8699aa47fba811b10034b9fe7e872afee378aee2b185a6008d204b981ba180dc2eb7237eb109f7e50a
SHA1 hash:	02938cdcf998663d004e616ead5612860d838646
MD5 hash:	60b816bc3d086fea9cbce17f0ac226f5
humanhash:	idaho-uranus-hawaii-red
File name:	SecuriteInfo.com.FileRepMalware.1725.9814
Download:	download sample
File size:	2'566'397 bytes
First seen:	2024-03-30 12:34:22 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	75e9596d74d063246ba6f3ac7c5369a0 (8 x DCRat, 5 x PythonStealer, 4 x CoinMiner)
ssdeep	49152:dAL/qLDJvoAp+uV8JwcAx85FJuLNSeXb8/6/fO5lW6sOt9dIVazfAmW:d1LDJwAdcA2QSC3w7PdaOImW
TLSH	T194C523027AD284B2D47316325EB59B318A7B7C501F348ADF535C592FDB331C29A36BA2
TrID	91.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39) 3.6% (.EXE) Win64 Executable (generic) (10523/12/4) 1.7% (.EXE) Win16 NE executable (generic) (5038/12/1) 1.5% (.EXE) Win32 Executable (generic) (4504/4/1) 0.6% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter	SecuriteInfoCom
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

426

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

7fcbf3fb2673cd4581e32782af7010e04f99561bc725dcfe47d7c54d480b00e3.exe

Verdict:

Malicious activity

Analysis date:

2024-03-30 12:37:34 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/1385ae15-86cc-4e97-b69c-c7e2dd0ecef7

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Searching for the window

Сreating synchronization primitives

Searching for synchronization primitives

Launching a process

Moving a file to the Program Files subdirectory

Replacing files

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-vm babar fingerprint lolbin masquerade overlay packed setupapi shdocvw shell32

Link:

https://www.filescan.io/uploads/660806f7d463a7b047740bee/reports/870c1635-bb1b-4349-8766-674518e218d5/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_70%

Link:

https://www.hybrid-analysis.com/sample/7fcbf3fb2673cd4581e32782af7010e04f99561bc725dcfe47d7c54d480b00e3

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/0ff4ea0b-5d51-4436-8532-24ae55b1c6fc

Result

Threat name:

n/a

Detection:

suspicious

Classification:

n/a

Score:

39 / 100

Link:

https://www.joesandbox.com/analysis/1417790

Signature

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Score:

95%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/7fcbf3fb2673cd4581e32782af7010e04f99561bc725dcfe47d7c54d480b00e3

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7fcbf3fb2673cd4581e32782af7010e04f99561bc725dcfe47d7c54d480b00e3/

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2024-02-14 04:59:55 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

17 of 38 (44.74%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=p7f7h6zgopgulapde6bk64aq4bhzsvq3y4s5z7sh27cu2saladrq._file

Verdict:

unknown

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/240330-psb9xseh51/

Behaviour

Modifies Internet Explorer settings

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Unpacked files

SH256 hash:

e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d

MD5 hash:

195ffb7167db3219b217c4fd439eedd6

SHA1 hash:

1e76e6099570ede620b76ed47cf8d03a936d49f8

Link:

https://www.unpac.me/results/6beb2b36-3492-4c87-ac6d-92737e434d61/

SH256 hash:

e05a4de6d2820d1a9ff04eab4e4803ce8356b4d4cf0156c5305aa766d23cddfd

MD5 hash:

65f9a6d326bd8585cdb866bc7a60324b

SHA1 hash:

5feb96c3255e7639c8fb0595a0e173ce84b11c4c

Link:

https://www.unpac.me/results/6beb2b36-3492-4c87-ac6d-92737e434d61/

SH256 hash:

3f075552e29e58736ff96e00c828a9a4cb28c16337744b69c5114196ad78d59e

MD5 hash:

301d762a76b269e1fdf391d662acc86d

SHA1 hash:

9ddf5bfa4ddd4bb23e02d49f9966338472d21667

Link:

https://www.unpac.me/results/6beb2b36-3492-4c87-ac6d-92737e434d61/

SH256 hash:

7fcbf3fb2673cd4581e32782af7010e04f99561bc725dcfe47d7c54d480b00e3

MD5 hash:

60b816bc3d086fea9cbce17f0ac226f5

SHA1 hash:

02938cdcf998663d004e616ead5612860d838646

Link:

https://www.unpac.me/results/6beb2b36-3492-4c87-ac6d-92737e434d61/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7fcbf3fb2673cd4581e32782af7010e04f99561bc725dcfe47d7c54d480b00e3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Reviews

ID	Capabilities	Evidence
GDI_PLUS_API	Interfaces with Graphics	gdiplus.dll::GdiplusStartup gdiplus.dll::GdiplusShutdown gdiplus.dll::GdipAlloc
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CloseHandle KERNEL32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryW KERNEL32.dll::LoadLibraryExA KERNEL32.dll::LoadLibraryExW KERNEL32.dll::GetSystemInfo KERNEL32.dll::GetStartupInfoW
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::AllocConsole KERNEL32.dll::AttachConsole KERNEL32.dll::WriteConsoleW KERNEL32.dll::FreeConsole KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleMode KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CreateDirectoryW KERNEL32.dll::CreateHardLinkW KERNEL32.dll::CreateFileW KERNEL32.dll::CreateFileMappingW KERNEL32.dll::DeleteFileW KERNEL32.dll::MoveFileW KERNEL32.dll::MoveFileExW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample