MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 84eab515e95a0eb2eb1ab29c7213960983c103f8179d7e3125ea5cab29dfa59c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 8 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 84eab515e95a0eb2eb1ab29c7213960983c103f8179d7e3125ea5cab29dfa59c
SHA3-384 hash: f9cce76b5dd1a1b6ca6789c99c7647501a130f47d65651e56c831bd45e836067a9131930cceca590ee45326cb40a64c3
SHA1 hash: 83a94ba8432ff1dc9be0b04f9ff399cdadbe88e2
MD5 hash: 94bb4aa70f270aeeb3f53dfd9b7c9a3e
humanhash: september-carolina-london-winter
File name:Lightshot.dll
Download: download sample
File size:6'093'312 bytes
First seen:2023-08-10 06:36:01 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 1055d989b28e356fde1fd793b5dff7fc
ssdeep 98304:t8Yv5RIpRQCwysg7YvJR+izOfNDQSTjogjDHDJb6zU:K1RQhg7YxRdzgNksDIzU
TLSH T129565C13B288603ED0AB1B3A4D7BF654683B7A603A26CC5B6BF4094C4F356427D3A757
TrID 62.9% (.EXE) Inno Setup installer (109740/4/30)
23.8% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
6.0% (.EXE) Win64 Executable (generic) (10523/12/4)
2.5% (.EXE) Win32 Executable (generic) (4505/5/1)
1.1% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter ventress
Tags:dll

Intelligence

File Origin
# of uploads :
1
# of downloads :
269
Origin country :
ES ES
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/441906/
Detection(s):
SecuriteInfo.com.Win32.SpywareX-gen.29785.19283.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
82%
Tags:
apt control grandoreiro greyware keylogger lolbin replace
Link:
https://www.filescan.io/uploads/64d48554e1d5367a534bf773/reports/33334a38-0b0f-42d5-9c23-94f200b2abfd/overview
Verdict:
Malicious
Labled as:
Bulz.Generic
Link:
https://www.hybrid-analysis.com/sample/84eab515e95a0eb2eb1ab29c7213960983c103f8179d7e3125ea5cab29dfa59c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/5388a807-d710-4ca6-a61b-27b2aa8a17ff
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/1289222
Signature
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1289222 Sample: Lightshot.dll Startdate: 10/08/2023 Architecture: WINDOWS Score: 48 19 Multi AV Scanner detection for submitted file 2->19 7 loaddll32.exe 1 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        11 rundll32.exe 7->11         started        13 rundll32.exe 7->13         started        15 3 other processes 7->15 process5 17 rundll32.exe 9->17         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/84eab515e95a0eb2eb1ab29c7213960983c103f8179d7e3125ea5cab29dfa59c/
Threat name:
Win32.Trojan.Grandoreiro
Create hunting rule
Status:
Malicious
First seen:
2023-08-10 06:37:06 UTC
File Type:
PE (Dll)
Extracted files:
60
AV detection:
14 of 38 (36.84%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qtvlkfpjlihlf2y2wkohee4wbgb4ca7yc6ox4mjf5jokwko7uwoa._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/230810-hcxglaaf28/
Behaviour
Suspicious use of WriteProcessMemory
Unpacked files
SH256 hash:
56a5a5c2594e15a008e6f5a097c13c6c1b7447a5d45281204c865a6da90b8d0c
MD5 hash:
705937300c762ed2840f761a0d29d848
SHA1 hash:
9e993ee0a68f79b072b2be1710c0883a8b1a9123
Link:
https://www.unpac.me/results/de3bb143-8849-4a09-a7a1-33f62ea33a39/
SH256 hash:
84eab515e95a0eb2eb1ab29c7213960983c103f8179d7e3125ea5cab29dfa59c
MD5 hash:
94bb4aa70f270aeeb3f53dfd9b7c9a3e
SHA1 hash:
83a94ba8432ff1dc9be0b04f9ff399cdadbe88e2
Link:
https://www.unpac.me/results/de3bb143-8849-4a09-a7a1-33f62ea33a39/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/84eab515e95a0eb2eb1ab29c7213960983c103f8179d7e3125ea5cab29dfa59c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:APT_DustSquad_PE_Nov19_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detection Rule for APT DustSquad campaign Nov19
Reference:https://twitter.com/Rmy_Reserve/status/1197448735422238721
Rule name:APT_DustSquad_PE_Nov19_2
Create hunting rule
Author:Arkbird_SOLG
Description:Detection Rule for APT DustSquad campaign Nov19
Reference:https://twitter.com/Rmy_Reserve/status/1197448735422238721
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:SR_APT_DustSquad_PE_Nov19
Create hunting rule
Author:Arkbird_SOLG
Description:Super Rule for APT DustSquad campaign Nov19
Reference:https://twitter.com/Rmy_Reserve/status/1197448735422238721

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/441906/

Comments


Avatar
commented on 2023-08-10 06:38:20 UTC

IOC: hxxp://23.254.202.114:3395/
opendir HFS.