MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 88fcfb4aa99e99cb38660d6346ce989abf4569019cfd58cc762b6314a7c1f7e9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 88fcfb4aa99e99cb38660d6346ce989abf4569019cfd58cc762b6314a7c1f7e9
SHA3-384 hash: 8c80138d1c2760fda30f919a7846a6ff6246c5ed0e7126c9537c9f8d5ee7c191a7a952deff26dfc7641a8df4a5c7c674
SHA1 hash: 7aff4a592edc79af89c088d8de76b86abf741e18
MD5 hash: 250b75722e9fa525abfd686e2a9d97c9
humanhash: nuts-robert-island-gee
File name:SecuriteInfo.com.W32.ABDeceptor.UWIJ-5466.17598.7735
Download: download sample
File size:31'458'744 bytes
First seen:2024-02-02 10:30:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep 786432:6xIN9h44ibT+oork0pUI1qbc2Mgfg3LoSFJgxwd5QLT:6yV4hT+C2RTjJgOun
Threatray 2 similar samples on MalwareBazaar
TLSH T18A673398F33CD731E63B06BC2F6CE21922266C2917FC9D2E62487E1872761AC5ED4547
TrID 37.3% (.EXE) Win64 Executable (generic) (10523/12/4)
17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
16.0% (.EXE) Win32 Executable (generic) (4505/5/1)
7.3% (.ICL) Windows Icons Library (generic) (2059/9)
7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon d4c8b44dcc69b2d4 (1 x RedLineStealer)
Reporter SecuriteInfoCom
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
290
Origin country :
FR FR
Vendor Threat Intelligence
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
installer lolbin masquerade overlay packed shell32
Link:
https://www.filescan.io/uploads/65bcc46f0b80a407288dd753/reports/82a0386b-9ac2-46f4-b1c8-5f8680a065e3/overview
Verdict:
Malicious
Labled as:
Win/grayware_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/88fcfb4aa99e99cb38660d6346ce989abf4569019cfd58cc762b6314a7c1f7e9
Result
Verdict:
MALICIOUS
Result
Threat name:
n/a
Detection:
suspicious
Classification:
evad
Score:
30 / 100
Link:
https://www.joesandbox.com/analysis/1385514
Signature
Hides threads from debuggers
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1385514 Sample: SecuriteInfo.com.W32.ABDece... Startdate: 02/02/2024 Architecture: WINDOWS Score: 30 28 playinfo.gomlab.com 2->28 30 log.gomlab.com 2->30 32 4 other IPs or domains 2->32 40 Multi AV Scanner detection for submitted file 2->40 42 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 2->42 44 Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes) 2->44 7 SecuriteInfo.com.W32.ABDeceptor.UWIJ-5466.17598.7735.exe 120 528 2->7         started        signatures3 process4 dnsIp5 34 d1ymuusydhd2tm.cloudfront.net 18.165.116.72, 49706, 80 MIT-GATEWAYSUS United States 7->34 36 cdn2.gomlab.com.cdnga.net 138.113.183.168, 443, 49707, 49715 FR-INRIA-SOPHIAINRIASophia-AntipolisEU United States 7->36 38 gomlab-log-17054681.us-east-1.elb.amazonaws.com 52.86.89.95, 49717, 80 AMAZON-AESUS United States 7->38 20 C:\Program Files (x86)behaviorgraphOM\...behaviorgraphOM.exe, PE32 7->20 dropped 22 C:\Users\user\AppData\Local\...\nsJSON.dll, PE32 7->22 dropped 24 C:\Users\user\AppData\Local\...\nsDialogs.dll, PE32 7->24 dropped 26 46 other files (none is malicious) 7->26 dropped 11 GOM.exe 502 1 7->11         started        14 GOM.exe 19 10 7->14         started        16 GOM.exe 7->16         started        18 3 other processes 7->18 file6 process7 signatures8 46 Hides threads from debuggers 11->46
Score:
69%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/88fcfb4aa99e99cb38660d6346ce989abf4569019cfd58cc762b6314a7c1f7e9
Gathering data
Threat name:
Win32.PUA.Superfluss
Create hunting rule
Status:
Malicious
First seen:
2024-01-23 18:45:05 UTC
AV detection:
9 of 24 (37.50%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rd6pwsvjt2m4wodgbvruntuytk7uk2ibtt6vrtdwfnrrjj6b67uq._file
Verdict:
unknown
Similar samples:
6655102fce642a400cbe14ffcdbaaf96329e25b50a4e1a223bad55db6ce1b2d3
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/240202-mkdrnsdhfk/
Behaviour
Suspicious use of SetWindowsHookEx
Modifies Internet Explorer settings
Modifies system certificate store
Suspicious behavior: GetForegroundWindowSpam
Enumerates physical storage devices
Loads dropped DLL
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/88fcfb4aa99e99cb38660d6346ce989abf4569019cfd58cc762b6314a7c1f7e9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments