MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 88c3f5d525e59b58282f390f9a3e0c0ade70c175a34e3cb3aa1238908914f425. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 88c3f5d525e59b58282f390f9a3e0c0ade70c175a34e3cb3aa1238908914f425
SHA3-384 hash: 82d2ad6075c74cc555612a8f43edd51fd8c346914da44a9ffd5226d84fe8fb9e666ee0e7e6d64dd2db30a1699212f3d7
SHA1 hash: ec8ba4ef25a02ce266c72ed4bbbb19291d06d9b7
MD5 hash: 1850bc2fb081c6b01ccd9876dcf6d20c
humanhash: item-moon-leopard-helium
File name:SecuriteInfo.com.BackDoor.HVNC.15.3330.21592
Download: download sample
File size:2'315'776 bytes
First seen:2024-05-31 02:33:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fc6683d30d9f25244a50fd5357825e79 (92 x Formbook, 52 x AgentTesla, 23 x SnakeKeylogger)
ssdeep 49152:AshdUhp+xxoOJMRRPB71X3jnG23J6R7BFZ0m0nrYUISLdB0t:+p+n3JMRRJZ3jpolZsn8ZGB0t
TLSH T1B1B533F4B1FB8327E09A0AF89401A9252E055FD029285F85DB36BEE2FFF5D068D01D95
TrID 35.7% (.EXE) UPX compressed Win32 Executable (27066/9/6)
35.0% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
8.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.9% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE):PE icon
dhash icon f4f4f4f4f4b4d480
Reporter SecuriteInfoCom
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
393
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
88c3f5d525e59b58282f390f9a3e0c0ade70c175a34e3cb3aa1238908914f425.exe
Verdict:
Malicious activity
Analysis date:
2024-05-31 02:37:33 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2f2411f1-2285-4948-b920-a7d871c54a9e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.BackDoor.HVNC.15.3330.21592.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6659377520ad30d287677564win7simulatehigh_evasion
Tags:
Static Malware
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
AutoIt crypto exploit fingerprint hook keylogger lolbin microsoft_visual_cc packed packed packed shell32 upx
Link:
https://www.filescan.io/uploads/6659371f4d56d7d162893789/reports/88031182-39b2-4012-a8f0-8e96967a011e/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/88c3f5d525e59b58282f390f9a3e0c0ade70c175a34e3cb3aa1238908914f425
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/afaa48c3-21fe-46f5-a3d2-3dd58c20d3f5
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
44 / 100
Link:
https://www.joesandbox.com/analysis/1449930
Signature
Antivirus / Scanner detection for submitted sample
Binary is likely a compiled AutoIt script file
Contains functionality to automate explorer (e.g. start an application)
Contains functionality to infect the boot sector
Creates an undocumented autostart registry key
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sigma detected: Explorer NOUACCHECK Flag
Uses regedit.exe to modify the Windows registry
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1449930 Sample: SecuriteInfo.com.BackDoor.H... Startdate: 31/05/2024 Architecture: WINDOWS Score: 44 71 api.msn.com 2->71 83 Antivirus / Scanner detection for submitted sample 2->83 85 Multi AV Scanner detection for submitted file 2->85 87 Contains functionality to automate explorer (e.g. start an application) 2->87 89 3 other signatures 2->89 9 SecuriteInfo.com.BackDoor.HVNC.15.3330.21592.exe 1 33 2->9         started        13 explorer.exe 64 177 2->13         started        15 StartScreen.exe 2->15         started        signatures3 process4 file5 63 C:\Windows\Temp\...\StartIsBackCfg.exe, PE32 9->63 dropped 65 C:\Windows\Temp\StartIsBack 2.9.19\temp.reg, Windows 9->65 dropped 67 C:\Windows\Temp\...\startscreen.exe, PE32 9->67 dropped 69 8 other files (none is malicious) 9->69 dropped 91 Binary is likely a compiled AutoIt script file 9->91 17 StartIsBackCfg.exe 97 19 9->17         started        21 explorer.exe 9->21         started        23 cmd.exe 1 9->23         started        93 Query firmware table information (likely to detect VMs) 13->93 25 StartIsBackCfg.exe 13->25         started        27 StartScreen.exe 13->27         started        signatures6 process7 file8 55 C:\Program Files (x86)\...\StartScreen.exe, PE32 17->55 dropped 57 C:\Program Files (x86)\...\StartIsBackCfg.exe, PE32 17->57 dropped 59 C:\Users\user\AppData\Local\...\sibtask.xml, XML 17->59 dropped 61 8 other files (none is malicious) 17->61 dropped 73 Creates an undocumented autostart registry key 17->73 29 taskkill.exe 1 17->29         started        31 taskkill.exe 1 17->31         started        33 taskkill.exe 1 17->33         started        39 6 other processes 17->39 75 Contains functionality to automate explorer (e.g. start an application) 21->75 77 Contains functionality to infect the boot sector 21->77 79 Uses regedit.exe to modify the Windows registry 23->79 35 regedit.exe 26 23->35         started        37 conhost.exe 23->37         started        81 Query firmware table information (likely to detect VMs) 25->81 signatures9 process10 process11 41 conhost.exe 29->41         started        43 conhost.exe 31->43         started        45 conhost.exe 33->45         started        47 conhost.exe 39->47         started        49 conhost.exe 39->49         started        51 conhost.exe 39->51         started        53 2 other processes 39->53
Score:
95%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/88c3f5d525e59b58282f390f9a3e0c0ade70c175a34e3cb3aa1238908914f425
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/88c3f5d525e59b58282f390f9a3e0c0ade70c175a34e3cb3aa1238908914f425/
Threat name:
Win32.Trojan.Nymeria
Create hunting rule
Status:
Malicious
First seen:
2023-03-22 09:58:01 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
20 of 38 (52.63%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rdb7lvjf4wnvqkbphehzupqmblphbqlvunhdzm5kci4jbciu6qsq._file
Verdict:
unknown
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery persistence upx
Link:
https://tria.ge/reports/240531-c2gvjscb5x/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Kills process with taskkill
Modifies Internet Explorer settings
Modifies registry class
Runs .reg file with regedit
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
Drops file in Program Files directory
AutoIT Executable
Checks installed software on the system
Drops desktop.ini file(s)
Enumerates connected drives
Executes dropped EXE
Loads dropped DLL
Registers COM server for autorun
UPX packed file
Modifies Installed Components in the registry
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/f46984df-7b98-4bab-8c02-fe5132813255
Unpacked files
SH256 hash:
786d8115b4107cf7add551f11cfbdfbec121017c6dda0dc3cd59328e774063c3
MD5 hash:
2996991b90669520b8284d878023c20e
SHA1 hash:
10c5edb68182a9202de029c9c10fb73d1773f1b9
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/b9e216e0-1245-4419-9675-55433a422234/
SH256 hash:
88c3f5d525e59b58282f390f9a3e0c0ade70c175a34e3cb3aa1238908914f425
MD5 hash:
1850bc2fb081c6b01ccd9876dcf6d20c
SHA1 hash:
ec8ba4ef25a02ce266c72ed4bbbb19291d06d9b7
Detections:
SUSP_Imphash_Mar23_3
Create hunting rule
Link:
https://www.unpac.me/results/b9e216e0-1245-4419-9675-55433a422234/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.81
Link:
https://yomi.yoroi.company/submissions/88c3f5d525e59b58282f390f9a3e0c0ade70c175a34e3cb3aa1238908914f425

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SUSP_Imphash_Mar23_3
Create hunting rule
Author:Arnim Rupp (https://github.com/ruppde)
Description:Detects imphash often found in malware samples (Maximum 0,25% hits with search for 'imphash:x p:0' on Virustotal) = 99,75% hits
Reference:Internal Research
Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_TRUST_INFORequires Elevated Execution (level:requireAdministrator)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::GetAce
MULTIMEDIA_APICan Play MultimediaWINMM.dll::timeGetTime
WIN_BASE_APIUses Win Base APIKERNEL32.DLL::LoadLibraryA
WIN_NETWORK_APISupports Windows NetworkingMPR.dll::WNetUseConnectionW

Comments