MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8dfd137c0592cd48eb2d9bebef145253d46616122ed281c3ae1a1fe34ae5ba8c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Adware.Generic

Vendor detections: 14

Intelligence 14 IOCs YARA 18 File information Comments

SHA256 hash:	8dfd137c0592cd48eb2d9bebef145253d46616122ed281c3ae1a1fe34ae5ba8c
SHA3-384 hash:	58d6da121f75ea7133387164659a573fae71d249e6bfbda6a8a0c0f45a5e19d28d2b903f4e95d7e44a65f2e49456f86e
SHA1 hash:	adcf2e474c30fb2b8064ed4c7347c610762c1985
MD5 hash:	79c8e340bb4dd823c4bff464aa996054
humanhash:	august-four-arizona-speaker
File name:	file
Download:	download sample
Signature	Adware.Generic Create hunting rule
File size:	1'776'568 bytes
First seen:	2023-03-20 13:44:08 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	5044024844498395d0e63ba22bbd9978 (2 x Adware.Generic, 1 x RemcosRAT, 1 x RedLineStealer)
ssdeep	49152:jnvDxd88nQW3WOSPd+emfxxqbuymtoaNWzgWo6l:jntatOE+emJx3yraNWLH
TLSH	T13F85F10333E0D827D8A78EB5DB96C7D0901A25347BA5C49BF0402E5EDFA17A94C3979B
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	10687972b19090a0 (1 x Adware.Generic)
Reporter	jstrosch
Tags:	Adware.Generic exe signed

Code Signing Certificate

Organisation:	songmeanings.com
Issuer:	Amazon RSA 2048 M01
Algorithm:	sha256WithRSAEncryption
Valid from:	2023-02-27T00:00:00Z
Valid to:	2024-03-27T23:59:59Z
Serial number:	0bcd4c8f30a03ecbed67b00b31277b42
Intelligence:	2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	0ed3741c69733635a85fa8b94480fc1417c37d088aa0c2b3d24257ad6795d982
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

288

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

Suspicious activity

Analysis date:

2023-03-20 13:47:26 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/e74b3f24-5f1f-4a0a-923d-b38c28d52491

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/375944/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

DNS request

Launching a process

Creating a file in the %temp% directory

Сreating synchronization primitives

Using the Windows Management Instrumentation requests

Detecting VM

Sending an HTTP GET request

Unauthorized injection to a system process

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/74291/overview

Behaviour

MalwareBazaar

SystemUptime

MeasuringTime

CheckCmdLine

EvasionGetTickCount

EvasionQueryPerformanceCounter

Verdict:

Suspicious

Threat level:

5/10

Confidence:

83%

Tags:

greyware overlay packed

Link:

https://www.filescan.io/uploads/64186362e91ddba083cec246/reports/af5dcf84-5b98-4277-bff8-ee6d844285e3/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_70%

Link:

https://www.hybrid-analysis.com/sample/8dfd137c0592cd48eb2d9bebef145253d46616122ed281c3ae1a1fe34ae5ba8c

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Mustang Panda

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/72e01989-4a5b-4eea-8052-d751780693df

Result

Threat name:

RHADAMANTHYS, lgoogLoader

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1197736

Signature

Allocates memory in foreign processes

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Checks if the current machine is a virtual machine (disk enumeration)

Contain functionality to detect virtual machines

Contains functionality to infect the boot sector

Contains functionality to inject code into remote processes

Hides threads from debuggers

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries memory information (via WMI often done to detect virtual machines)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Snort IDS alert for network traffic

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected lgoogLoader

Yara detected RHADAMANTHYS Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8dfd137c0592cd48eb2d9bebef145253d46616122ed281c3ae1a1fe34ae5ba8c/

Threat name:

Win32.Spyware.Rhadamanthys

Status:

Malicious

First seen:

2023-03-18 08:26:14 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

17 of 24 (70.83%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=rx6rg7afslgur2zntpv66fcskpkgmfqsf3jidq5odip6gsxfxkga._file

Verdict:

malicious

Result

Malware family:

rhadamanthys

Score:

10/10

Tags:

family:lgoogloader family:rhadamanthys downloader stealer

Link:

https://tria.ge/reports/230320-q2ebbafg5s/

Behaviour

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Loads dropped DLL

Detect rhadamanthys stealer shellcode

Detects LgoogLoader payload

LgoogLoader

Rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Unpacked files

SH256 hash:

2daf961f5067839d02e35e0d491bc663bd6aacb02c317071f06ee1109b41c7bf

MD5 hash:

63656e3c831de16c3048097113ecdc50

SHA1 hash:

f7aecf4a1d03fd4c352781629cea122ddae10f90

Link:

https://www.unpac.me/results/a3ead463-31f1-47b7-8b1d-be309a7e8a06/

SH256 hash:

8dfd137c0592cd48eb2d9bebef145253d46616122ed281c3ae1a1fe34ae5ba8c

MD5 hash:

79c8e340bb4dd823c4bff464aa996054

SHA1 hash:

adcf2e474c30fb2b8064ed4c7347c610762c1985

Link:

https://www.unpac.me/results/a3ead463-31f1-47b7-8b1d-be309a7e8a06/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/8dfd137c0592/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.92

Link:

https://yomi.yoroi.company/submissions/8dfd137c0592cd48eb2d9bebef145253d46616122ed281c3ae1a1fe34ae5ba8c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CAS_Malware_Hunting Create hunting rule
Author:	Michael Reinprecht
Description:	DEMO CAS YARA Rules for sample2.exe

Rule name:	grakate_stealer_nov_2021 Create hunting rule

Rule name:	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name:	malware_shellcode_hash Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect shellcode api hash value

Rule name:	MALWARE_Win_Chebka Create hunting rule
Author:	ditekSHen
Description:	Detects Chebka

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	SUSP_XORed_MSDOS_Stub_Message Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects suspicious XORed MSDOS stub message
Reference:	https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings

Rule name:	Windows_Trojan_Generic_a681f24a Create hunting rule
Author:	Elastic Security

Rule name:	yara_template Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Adware.Generic

exe 8dfd137c0592cd48eb2d9bebef145253d46616122ed281c3ae1a1fe34ae5ba8c

(this sample)

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/375944/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample