MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7fe4c2297ab763a43c7ea377eae860ea0bbe4533538dd918d97421d574c9550e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 12



SHA256 hash: 7fe4c2297ab763a43c7ea377eae860ea0bbe4533538dd918d97421d574c9550e
SHA3-384 hash: b77142d61e6d75821493dd031b6ded2ed5b370f509079ab93fe84e20da68c93397e91cf0a37fa288d924b021b8a19ea4
SHA1 hash: f3ed1aa767c5e8d87d55cd9d59426ca189fc1fae
MD5 hash: f2c9d6a0265ea6c4f868fb0a53828343
humanhash: lion-california-tennis-salami
File name: f2c9d6a0265ea6c4f868fb0a53828343.exe
Download: download sample
File size: 294'912 bytes
First seen: 2025-01-18 09:10:04 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 768:zs4q+Pl5QiTvT0EBDtvIcLiniCcEYZBA:4wPl2iTvPzIc+cEYk
Threatray 34 similar samples on MalwareBazaar
TLSH T17054D9CCCC61A113C7D646F16AEA9C85AB39BE4C0C157C922A0E96C35553B88B437DFB
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
File icon (PE): PE icon
dhash icon d4b269969669b2d4 (4 x ArkeiStealer, 1 x NetSupport)
Reporter abuse_ch
Tags: exe

Intelligence

File Origin
Number of uploads: 1
Number of downloads: 454
Origin country: NL
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: f2c9d6a0265ea6c4f868fb0a53828343.exe
Verdict: Malicious activity
Analysis date: 2025-01-18 09:26:47 UTC
Tags: loader stealer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 90.9%
Tags: micro

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating synchronization primitives
Sending an HTTP GET request to an infection source
Creating a file in the Windows subdirectories
Creating a process from a recently created file
DNS request
Connection attempt
Sending a custom TCP request
Creating a file in the %temp% directory
Creating a window
Creating a file
Searching for the window
Launching cmd.exe command interpreter
Connection attempt to an infection source
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: obfuscated redcap
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw.expl.evad
Score:
100 / 100
Signature
AI detected suspicious sample
Antivirus detection for URL or domain
Drops executable to a common third party application directory
Drops large PE files
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive system registry key value via command line tool
Switches to a custom stack to bypass stack traces
Tries to steal Crypto Currency Wallets
Uses cmd line tools excessively to alter registry or file data
Writes to foreign memory regions
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Behavior Graph ID: 1594194
Sample: ssez9kSCPc.exe
Start date: 18/01/2025
Architecture: WINDOWS
Score: 100

Top-level signatures:
  Malicious sample detected (through community Yara rule)
  Antivirus detection for URL or domain
  Multi AV Scanner detection for dropped file
  4 other signatures

Process tree (each node lists its network contacts, dropped files, signatures and child processes):

ssez9kSCPc.exe
  Network: 147.45.44.131 (FREE-NET-AS FREEnet EU, Russian Federation); 3.160.150.40 (AMAZON-02 US, United States)
  Dropped: C:\Windows\Temp\binance-setup.exe (PE32); C:\Windows\Temp\AppsLo.exe (PE32); C:\Users\user\AppData\...\ssez9kSCPc.exe.log (CSV)
  Signatures: Drops large PE files
  Started: AppsLo.exe; binance-setup.exe
    AppsLo.exe
      Dropped: C:\Windows\Temp\...\AppsLo.exe (PE32)
      Signatures: Multi AV Scanner detection for dropped file
      Started: AppsLo.exe
        AppsLo.exe
          Dropped: C:\Windows\Temp\...\xpcom_core.dll (PE32); C:\Windows\Temp\...\xpcom_compat.dll (PE32); C:\Windows\Temp\...\thunderbird.exe (PE32); 11 other malicious files
          Signatures: Multi AV Scanner detection for dropped file; Drops executable to a common third party application directory
          Started: thunderbird.exe
            thunderbird.exe
              Dropped: C:\Users\user\AppData\...\xpcom_core.dll (PE32); C:\Users\user\AppData\...\xpcom_compat.dll (PE32); C:\Users\user\AppData\...\thunderbird.exe (PE32); 10 other malicious files
              Signatures: Switches to a custom stack to bypass stack traces; Found direct / indirect Syscall (likely to bypass EDR)
              Started: thunderbird.exe
                thunderbird.exe
                  Signatures: Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces
                  Started: cmd.exe
                    cmd.exe
                      Dropped: C:\Users\user\AppData\Local\Temp\gsuyltrl (PE32+); C:\Users\user\AppData\Local\Temp\Qjsync.exe (PE32+)
                      Signatures: Writes to foreign memory regions; Found hidden mapped module (file has been removed from disk); Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces
                      Started: Qjsync.exe; conhost.exe
                        Qjsync.exe
                          Signatures: Found direct / indirect Syscall (likely to bypass EDR)
    binance-setup.exe
      Dropped: C:\Users\user\AppData\Local\...\nsis7z.dll (PE32); C:\Users\user\AppData\Local\...\nsProcess.dll (PE32); C:\Users\user\AppData\Local\Temp\...\UAC.dll (PE32); 3 other files (none is malicious)
Binance.exe
  Dropped: simple-storage.json.tmp-71917266771d0595 (JSON); C:\Users\user\AppData\Roaming\...\main.log (ASCII); C:\...\app-store.json.tmp-71917229959f2400 (JSON)
  Signatures: Tries to steal Crypto Currency Wallets
  Started: cmd.exe (three instances); 11 other processes
    cmd.exe
      Signatures: Uses cmd line tools excessively to alter registry or file data; Queries sensitive system registry key value via command line tool
      Started: conhost.exe; chcp.com
    cmd.exe
      Started: 2 other processes
    cmd.exe
      Started: 2 other processes
    11 other processes
      Network: 1.1.1.1 (CLOUDFLARENET US, Australia); 172.64.41.3 (CLOUDFLARENET US, United States)
      Signatures: Loading BitLocker PowerShell Module
      Started: 9 other processes
thunderbird.exe
  Signatures: Maps a DLL or memory area into another process; Found direct / indirect Syscall (likely to bypass EDR)
  Started: cmd.exe
    cmd.exe
      Dropped: C:\Users\user\AppData\...\dsecxpflxcmmmp (PE32+)
      Signatures: Writes to foreign memory regions; Maps a DLL or memory area into another process
      Started: Qjsync.exe; conhost.exe
        Qjsync.exe
          Signatures: Found direct / indirect Syscall (likely to bypass EDR)
thunderbird.exe
  Started: cmd.exe
    cmd.exe
      Started: conhost.exe
Threat name: Win32.Adware.RedCap
Status: Malicious
First seen: 2024-11-30 13:06:30 UTC
File Type: PE (.Net Exe)
Extracted files: 9
AV detection: 7 of 38 (18.42%)
Threat level: 1/5

Result
Malware family: n/a
Score: 8/10
Tags: discovery execution
Behaviour
Checks processor information in registry
Gathers network information
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Downloads MZ/PE file
Unpacked files
SHA256 hash: 7fe4c2297ab763a43c7ea377eae860ea0bbe4533538dd918d97421d574c9550e
MD5 hash: f2c9d6a0265ea6c4f868fb0a53828343
SHA1 hash: f3ed1aa767c5e8d87d55cd9d59426ca189fc1fae
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: NET
Author: malware-lu

Rule name: NETexecutableMicrosoft
Author: malware-lu

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

ID                        | Title                                               | Severity
CHECK_AUTHENTICODE        | Missing Authenticode                                | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (GUARD_CF)     | high
