MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8305434b29b81ac25ca20fb395ba48228a76730c157d18dedfb2c1fbf647639f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Signature: NovaSentinel
Vendor detections: 9



SHA256 hash:   8305434b29b81ac25ca20fb395ba48228a76730c157d18dedfb2c1fbf647639f
SHA3-384 hash: f60b49e00c9bfbc66996cd66e0456a4456b74e2b2aaa71b2e2d3615c984bce70208775816f9915b899487dabfb31eb6e
SHA1 hash:     e5989a26aac3ae2b8333c6e15dfc5d78a924416f
MD5 hash:      cb8cbeab02df3d109ca05e03a93dc0dd
humanhash:     sink-april-crazy-bravo
File name:     Mauqes.exe
Signature:     NovaSentinel
File size:     85'434'784 bytes
First seen:    2024-03-27 20:57:32 UTC
Last seen:     2024-03-27 22:25:34 UTC
File type:     Executable exe
MIME type:     application/x-dosexec
imphash:       b34f154ec913d2d2c435cbd644e91687 (533 x GuLoader, 110 x RemcosRAT, 80 x EpsilonStealer)
ssdeep:        1572864:G/WHHr9jAl+T4TqNUk4Qz3iQZ3C8NDbjmoh8HzzmDD7:G/8L9NT4GKk4S37ZzDeohizzAD7
TLSH:          T1A9183347F03CA4BAF96F63BA4E515725BF746E848B618136B1C63EA35E7917F0480382
TrID:          47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
               15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
               9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
               7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
               6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
dhash icon:    b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter:      e24111111111111
Tags:          exe, Hawkish Grabber, Malicord, Nova Stealer, NovaSentinel
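
The imphash above is shared with hundreds of GuLoader, RemcosRAT and EpsilonStealer samples because it hashes the import table of the outer executable (here most likely an installer or packer stub, given the "installer" and "overlay" tags below), not the payload. The following is an added example, not MalwareBazaar code, showing how that value is derived: it implements the pefile imphash algorithm over an ordered import list. The import list is constructed from the API names in the BLint Reviews table on this page and is only a fragment of the real import table, so the digest it produces is not the entry's imphash.

```python
"""Compute a PE import hash (imphash) from an ordered import list.

Added example; this is not MalwareBazaar code. It implements the imphash
algorithm used by pefile (and hence by MalwareBazaar's imphash field):
for each imported symbol, in import-table order, form "dll.symbol" with the
DLL name lower-cased and a trailing .dll/.ocx/.sys stripped, the symbol
lower-cased, and ordinal imports written as ord<N>; join the tokens with
commas; MD5 the result. The import list below is constructed from the
BLint evidence column of this entry and is only a fragment of the real
import table, so its digest is NOT the entry's imphash.
"""
import hashlib
from typing import Iterable, List, Tuple, Union

Import = Tuple[str, Union[str, int]]  # (dll name, symbol name or ordinal)


def imphash_entries(imports: Iterable[Import]) -> List[str]:
    """Normalise imports to the 'dll.symbol' tokens imphash is built from."""
    tokens = []
    for dll, symbol in imports:
        lib = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        # Imports by ordinal carry no name; pefile encodes them as ord<N>.
        sym = f"ord{symbol}" if isinstance(symbol, int) else symbol.lower()
        tokens.append(f"{lib}.{sym}")
    return tokens


def imphash(imports: Iterable[Import]) -> str:
    """MD5 hex digest of the comma-joined tokens; import order is significant."""
    joined = ",".join(imphash_entries(imports))
    return hashlib.md5(joined.encode("utf-8")).hexdigest()


# Constructed import fragment (names taken from the BLint Reviews table).
SAMPLE_IMPORTS: List[Import] = [
    ("ole32.dll", "CoCreateInstance"),
    ("ADVAPI32.dll", "AdjustTokenPrivileges"),
    ("ADVAPI32.dll", "SetFileSecurityW"),
    ("SHELL32.dll", "ShellExecuteExW"),
    ("KERNEL32.dll", "CreateProcessW"),
    ("KERNEL32.dll", "CreateFileW"),
    ("USER32.dll", "CreateWindowExW"),
]

if __name__ == "__main__":
    print(",".join(imphash_entries(SAMPLE_IMPORTS)))
    print("imphash:", imphash(SAMPLE_IMPORTS))
```

Two samples share an imphash only when their import tables list the same symbols in the same order, which is why the value clusters by packer or installer stub rather than by family; re-ordering the same imports changes the digest, while casing differences in DLL or symbol names do not.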

Intelligence


File Origin
# of uploads: 2
# of downloads: 500
Origin country: GR
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 8305434b29b81ac25ca20fb395ba48228a76730c157d18dedfb2c1fbf647639f.exe
Verdict: Malicious activity
Analysis date: 2024-03-28 02:15:22 UTC
Tags: waspstealer stealer evasion generic

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour:
Creating a file in the %temp% subdirectories
Searching for the window
Creating synchronization primitives
Creating a process from a recently created file
Creating a window
Creating a file
Running batch commands
Creating a process with a hidden window
Searching for synchronization primitives
Unauthorized injection to a recently created process
Launching a process
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Using the Windows Management Instrumentation requests
DNS request
Connection attempt
Sending a custom TCP request
Launching many processes
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: installer lolbin overlay packed shell32
Result
Verdict: MALICIOUS
Result
Threat name: NovaSentinel
Detection: malicious
Classification: troj
Score: 60 / 100
Signature:
Drops large PE files
Multi AV Scanner detection for dropped file
Yara detected NovaSentinel
Behaviour:
Behavior Graph ID 1416754 (sample Mauqes.exe, start date 27/03/2024, architecture WINDOWS, score 60)
Contacted: www.google.com, www.facebook.com, 7 other IPs or domains
Signatures: Multi AV Scanner detection for dropped file; Yara detected NovaSentinel
Mauqes.exe started
    dropped: C:\Users\user\AppData\Local\...\vulkan-1.dll (PE32+)
    dropped: C:\Users\user\AppData\...\vk_swiftshader.dll (PE32+)
    dropped: C:\Users\user\AppData\Local\Temp\...\name.exe (PE32+)
    dropped: 12 other files (4 malicious)
    signature: Drops large PE files
    name.exe started
        network: api.gofile.io 51.38.43.18, 443, 49720, OVHFR, France
        network: transfer.sh 144.76.136.153, 443, 49722, HETZNER-ASDE, Germany
        network: 5 other IPs or domains
        dropped: a7df0b6a-ab69-4a67...91842ddaf8.tmp.node (PE32+)
        dropped: a6d4fee9-960b-4604...4fde503015.tmp.node (PE32+)
        cmd.exe started -> tasklist.exe, conhost.exe, Conhost.exe
        cmd.exe started -> WMIC.exe, conhost.exe
        cmd.exe started -> conhost.exe, tasklist.exe
        93 other processes -> conhost.exe (-> Conhost.exe), 107 other processes
Threat name: Win32.Malware.Malicord
Status: Malicious
First seen: 2024-03-27 17:10:35 UTC
File Type: PE (Exe)
Extracted files: 216
AV detection: 3 of 37 (8.11%)
Threat level: 2/5
Verdict: unknown
Result
Malware family: n/a
Score: 7/10
Tags: spyware stealer
Behaviour:
Checks processor information in registry
Detects videocard installed
Enumerates processes with tasklist
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Executes dropped EXE
Loads dropped DLL
Please note that we are no longer able to provide a coverage score for Virus Total.
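
The sandbox results above agree on one host-side pattern: the dropped name.exe starts cmd.exe instances that run tasklist.exe and WMIC.exe, and net.exe is also run ("Enumerates processes with tasklist", "Runs net.exe", "Using the Windows Management Instrumentation requests"). That is a discovery chain a SOC can express as a parent-process rule. The following is an added example, not code from MalwareBazaar or any of the sandbox vendors: it applies such a rule to a constructed set of process-creation events modelled on the behaviour graph. The event fields, the drop path, and the WMIC command line are assumptions for illustration, not values taken from this sample.

```python
"""Parent-chain rule for discovery commands launched by a dropped binary.

Added example; not code from MalwareBazaar or any sandbox vendor listed
above. The sandboxes report that the dropped name.exe starts cmd.exe
instances which run tasklist.exe and WMIC.exe, and that net.exe is run.
This rule fires when a discovery tool's parent is a shell whose own parent
was started from a user-writable drop location. The events, paths and
command lines below are constructed to model that chain; the field names
are an assumption, not any particular EDR or Sysmon schema.
"""
from dataclasses import dataclass
from typing import Dict, List

DISCOVERY_TOOLS = {"tasklist.exe", "wmic.exe", "net.exe", "net1.exe", "systeminfo.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
# Common drop directories writable by a standard user (lower-cased substrings).
DROP_DIRS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str           # full path of the created process
    cmdline: str = ""


def basename(path: str) -> str:
    """Lower-cased file name, tolerant of either path separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_drop_dir(path: str) -> bool:
    low = path.lower()
    return any(marker in low for marker in DROP_DIRS)


def find_discovery_from_dropper(events: List[ProcEvent]) -> List[str]:
    """One alert per discovery tool whose shell parent was started from a drop dir."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    alerts: List[str] = []
    for ev in events:
        if basename(ev.image) not in DISCOVERY_TOOLS:
            continue
        shell = by_pid.get(ev.ppid)
        if shell is None or basename(shell.image) not in SHELLS:
            continue
        dropper = by_pid.get(shell.ppid)
        if dropper is None or not in_drop_dir(dropper.image):
            continue
        alerts.append(f"{basename(dropper.image)} -> {basename(shell.image)} -> "
                      f"{basename(ev.image)} [{ev.cmdline}]")
    return alerts


# Constructed events modelled on the behaviour graph above (not real telemetry).
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Users\user\Desktop\Mauqes.exe", "Mauqes.exe"),
    ProcEvent(200, 100, r"C:\Users\user\AppData\Local\Temp\drop\name.exe", "name.exe"),
    ProcEvent(300, 200, r"C:\Windows\System32\cmd.exe", 'cmd.exe /d /s /c "tasklist"'),
    ProcEvent(301, 300, r"C:\Windows\System32\tasklist.exe", "tasklist"),
    ProcEvent(310, 200, r"C:\Windows\System32\cmd.exe",
              'cmd.exe /d /s /c "wmic path Win32_VideoController get Name"'),
    ProcEvent(311, 310, r"C:\Windows\System32\wbem\WMIC.exe",
              "wmic path Win32_VideoController get Name"),
    # Benign control: an interactive shell under explorer.exe running tasklist.
    ProcEvent(50, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(400, 50, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(401, 400, r"C:\Windows\System32\tasklist.exe", "tasklist"),
]

if __name__ == "__main__":
    for line in find_discovery_from_dropper(SAMPLE_EVENTS):
        print("ALERT:", line)
```

The benign control chain (explorer.exe -> cmd.exe -> tasklist.exe) does not fire because the grandparent is not in a drop directory; in production the same rule should also tolerate conhost.exe siblings, which the graph shows alongside every cmd.exe instance, and should be fed the full parent image path rather than a bare file name, since the drop-directory test is what separates this from an administrator's shell.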

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: NovaSentinel
Executable exe 8305434b29b81ac25ca20fb395ba48228a76730c157d18dedfb2c1fbf647639f (this sample)

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

ID                         Title                                                    Severity
CHECK_AUTHENTICODE         Missing Authenticode                                     high
CHECK_DLL_CHARACTERISTICS  Missing dll Security Characteristics (HIGH_ENTROPY_VA)   high
Reviews

ID                   Capabilities                        Evidence
COM_BASE_API         Can Download & Execute components   ole32.dll::CoCreateInstance
SECURITY_BASE_API    Uses Security Base API              ADVAPI32.dll::AdjustTokenPrivileges
                                                         ADVAPI32.dll::SetFileSecurityW
SHELL_API            Manipulates System Shell            SHELL32.dll::ShellExecuteExW
                                                         SHELL32.dll::SHFileOperationW
                                                         SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_API    Can Create Process and Threads      KERNEL32.dll::CreateProcessW
                                                         ADVAPI32.dll::OpenProcessToken
                                                         KERNEL32.dll::CloseHandle
                                                         KERNEL32.dll::CreateThread
WIN_BASE_API         Uses Win Base API                   KERNEL32.dll::LoadLibraryExW
                                                         KERNEL32.dll::GetDiskFreeSpaceW
                                                         KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_API      Can Create Files                    KERNEL32.dll::CopyFileW
                                                         KERNEL32.dll::CreateDirectoryW
                                                         KERNEL32.dll::CreateFileW
                                                         KERNEL32.dll::DeleteFileW
                                                         KERNEL32.dll::MoveFileExW
                                                         KERNEL32.dll::MoveFileW
WIN_BASE_USER_API    Retrieves Account Information       ADVAPI32.dll::LookupPrivilegeValueW
WIN_REG_API          Can Manipulate Windows Registry     ADVAPI32.dll::RegCreateKeyExW
                                                         ADVAPI32.dll::RegDeleteKeyW
                                                         ADVAPI32.dll::RegOpenKeyExW
                                                         ADVAPI32.dll::RegQueryValueExW
                                                         ADVAPI32.dll::RegSetValueExW
WIN_USER_API         Performs GUI Actions                USER32.dll::AppendMenuW
                                                         USER32.dll::EmptyClipboard
                                                         USER32.dll::FindWindowExW
                                                         USER32.dll::OpenClipboard
                                                         USER32.dll::PeekMessageW
                                                         USER32.dll::CreateWindowExW
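
Both BLint findings are read straight from the PE headers: CHECK_AUTHENTICODE means the IMAGE_DIRECTORY_ENTRY_SECURITY data directory is empty (no embedded WIN_CERTIFICATE blob), and CHECK_DLL_CHARACTERISTICS means the HIGH_ENTROPY_VA bit (0x0020) is clear in the optional header's DllCharacteristics field. The following is an added example, not BLint's own code, that reproduces those two checks with a minimal header parser. It constructs header-only PE images to exercise itself; those images and the flag values chosen for them are assumptions for the demonstration and are not taken from this sample.

```python
"""Check the two BLint findings above directly from PE headers.

Added example; not BLint's own code. It parses just enough of a PE image
(DOS header -> e_lfanew -> COFF header -> optional header) to read
DllCharacteristics and the IMAGE_DIRECTORY_ENTRY_SECURITY data directory,
then maps the result onto the two finding IDs BLint raised for this
sample. build_minimal_pe() constructs a header-only image for the demo;
it is not this sample, and its flag values are arbitrary.
"""
import struct
from typing import Dict, List

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
DLL_CHARACTERISTICS = {
    "high_entropy_va": 0x0020,  # 64-bit ASLR; only takes effect on PE32+
    "dynamic_base": 0x0040,
    "nx_compat": 0x0100,
    "guard_cf": 0x4000,
}
SECURITY_DIRECTORY = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY (Authenticode)
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def parse_pe_security(data: bytes) -> Dict[str, object]:
    """Return DllCharacteristics flags and whether a signature blob exists."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if opt + size_of_optional > len(data):
        raise ValueError("truncated optional header")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32PLUS_MAGIC:
        dirs = opt + 112
    elif magic == PE32_MAGIC:
        dirs = opt + 96
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # DllCharacteristics sits at +70 in both PE32 and PE32+ optional headers.
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    num_dirs = struct.unpack_from("<I", data, dirs - 4)[0]
    sec_offset = sec_size = 0
    if num_dirs > SECURITY_DIRECTORY:
        # For the security directory "VirtualAddress" is a raw file offset.
        sec_offset, sec_size = struct.unpack_from("<II", data, dirs + 8 * SECURITY_DIRECTORY)
    report: Dict[str, object] = {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "dll_characteristics": dll_chars,
        "authenticode_present": sec_offset != 0 and sec_size != 0,
    }
    for name, bit in DLL_CHARACTERISTICS.items():
        report[name] = bool(dll_chars & bit)
    return report


def blint_style_findings(report: Dict[str, object]) -> List[str]:
    """Map a parsed report onto the two BLint finding IDs shown above."""
    findings = []
    if not report["authenticode_present"]:
        findings.append("CHECK_AUTHENTICODE")
    if not report["high_entropy_va"]:
        findings.append("CHECK_DLL_CHARACTERISTICS")
    return findings


def build_minimal_pe(dll_characteristics: int, security_size: int,
                     pe32plus: bool = True) -> bytes:
    """Construct a header-only PE image (no sections) for the demo."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 240 if pe32plus else 224            # with 16 data directories
    machine = 0x8664 if pe32plus else 0x14C
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (EXECUTABLE_IMAGE)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    dirs = 112 if pe32plus else 96
    struct.pack_into("<I", opt, dirs - 4, 16)      # NumberOfRvaAndSizes
    if security_size:
        cert_offset = len(dos) + 4 + len(coff) + opt_size  # just past headers
        struct.pack_into("<II", opt, dirs + 8 * SECURITY_DIRECTORY, cert_offset, security_size)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Constructed image with HIGH_ENTROPY_VA clear and no signature blob,
    # which reproduces the two findings above.
    weak = parse_pe_security(build_minimal_pe(0x0140, 0))
    print(blint_style_findings(weak))      # ['CHECK_AUTHENTICODE', 'CHECK_DLL_CHARACTERISTICS']
    hardened = parse_pe_security(build_minimal_pe(0x0160, 0x2000))
    print(blint_style_findings(hardened))  # []
```

Two caveats a practitioner should keep in mind: a non-empty security directory only proves that a signature blob is embedded, not that it validates or chains to a trusted root (that is a separate check with signtool verify or Get-AuthenticodeSignature), and HIGH_ENTROPY_VA only changes loader behaviour for 64-bit images, so on a 32-bit file the CHECK_DLL_CHARACTERISTICS finding is informational; the report's pe32plus field is there so the reader can weigh it.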

Comments



commented on 2024-03-27 21:06:43 UTC

https://malpedia.caad.fkie.fraunhofer.de/details/win.nova

commented on 2024-03-27 20:59:55 UTC

Hawkish Grabber C2: hawkish.fr