MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 94587b41a0eb5e2c592976fa283b0bfc0ef2e2c5cec24bba298cda0eb67270de. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 94587b41a0eb5e2c592976fa283b0bfc0ef2e2c5cec24bba298cda0eb67270de
SHA3-384 hash: ccde004fdf390402f19666d2e3afeb7d184d2eff25cb33bd438585010e5a50de7922189a6707ca4ba2983e4bb6e84ebc
SHA1 hash: 6f5da5c57900190e59e1a04fa3f854dc0caf0ca3
MD5 hash: 06da5e36cab8aa9ceef50ceb2e48c026
humanhash: south-blue-chicken-bulldog
File name:Setup.exe
Download: download sample
File size:7'262'008 bytes
First seen:2024-01-10 07:42:05 UTC
Last seen:2024-06-20 07:05:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 21314122cd4542a6b9b297f52a87acbe (3 x GuLoader, 2 x LummaStealer, 2 x ConnectWise)
ssdeep 98304:jtfl0kYax0dMiNsqWGXwtyI1Uk+XFBflMPzidUtytQyj1s9wPVn/8/Z7:Rfl0kYa0c27BfMEt5Swt/i7
TLSH T183767C21758AC537E66E01B16A2CDAAB61797FB20B7154CBB3DC3D6E0B704C21236E17
TrID 56.3% (.OCX) Windows ActiveX control (116521/4/18)
27.8% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
5.0% (.EXE) Win64 Executable (generic) (10523/12/4)
3.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
2.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
dhash icon 696a6ee2b2b2c2cc (18 x RedLineStealer, 17 x LummaStealer, 16 x CoinMiner)
Reporter MaxMax66
Tags:exe signed

Code Signing Certificate

Organisation:Dragon Boss Solutions LLC
Issuer:GlobalSign GCC R45 CodeSigning CA 2020
Algorithm:sha256WithRSAEncryption
Valid from:2023-08-05T09:08:47Z
Valid to:2023-12-24T11:38:55Z
Serial number: 72a7b646ba49e796a7ef012c
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: de315ef07ff351a66a60c3e97c4e04d3e1b445e406c8f7a7e4f2c0765ddf8162
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
MaxMax66
Program often referred as a PUP

Intelligence

File Origin
# of uploads :
3
# of downloads :
354
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/470153/
Detection(s):
SecuriteInfo.com.FileRepMalware.21237.25278.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a file in the %temp% subdirectories
Searching for synchronization primitives
Searching for the window
Sending an HTTP GET request
Creating a file
Sending a custom TCP request
Restart of the analyzed sample
Launching a service
Modifying a system file
Creating a file in the Windows subdirectories
Creating a process from a recently created file
DNS request
Deleting a recently created file
Creating a file in the Program Files subdirectories
Moving a file to the Program Files subdirectory
Launching a process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm control evasive fingerprint greyware installer lolbin msiexec overlay remote setupapi shell32
Link:
https://www.filescan.io/uploads/659e4a8759502c0e7b31be0d/reports/6c7d10e4-347e-4a23-b3b1-41298b1a6f8d/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/94587b41a0eb5e2c592976fa283b0bfc0ef2e2c5cec24bba298cda0eb67270de
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c0120847-5e99-4f58-bad4-534b4c3c6abc
Result
Threat name:
n/a
Detection:
suspicious
Classification:
spyw.evad
Score:
38 / 100
Link:
https://www.joesandbox.com/analysis/1372254
Signature
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Creates an undocumented autostart registry key
Found evasive API chain (may stop execution after checking volume information)
Multi AV Scanner detection for submitted file
Powershell drops PE file
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1372254 Sample: Setup.exe Startdate: 10/01/2024 Architecture: WINDOWS Score: 38 108 www.chromnius.com 2->108 128 Antivirus detection for URL or domain 2->128 130 Multi AV Scanner detection for submitted file 2->130 12 msiexec.exe 15 33 2->12         started        15 Setup.exe 73 2->15         started        17 svchost.exe 2->17         started        signatures3 process4 dnsIp5 90 C:\Windows\Installer\MSIF10C.tmp, PE32 12->90 dropped 92 C:\Windows\Installer\MSIF001.tmp, PE32 12->92 dropped 94 C:\Windows\Installer\MSIEFB2.tmp, PE32 12->94 dropped 102 3 other files (none is malicious) 12->102 dropped 20 browser.data 4 12->20         started        24 msiexec.exe 9 12->24         started        26 msiexec.exe 12->26         started        28 msiexec.exe 12->28         started        96 C:\Users\user\AppData\Local\...\shi58D9.tmp, PE32+ 15->96 dropped 98 C:\Users\user\AppData\Local\...\MSI5D0D.tmp, PE32 15->98 dropped 100 C:\Users\user\AppData\Local\...\MSI5CBE.tmp, PE32 15->100 dropped 104 13 other files (none is malicious) 15->104 dropped 30 Setup.exe 6 15->30         started        106 127.0.0.1 unknown unknown 17->106 file6 process7 file8 80 C:\Users\user\AppData\Local\...\setup.exe, PE32+ 20->80 dropped 132 Found evasive API chain (may stop execution after checking volume information) 20->132 32 setup.exe 97 106 20->32         started        82 C:\Windows\SystemTemp\scrF221.ps1, Unicode 24->82 dropped 84 C:\Windows\SystemTemp\pssF233.ps1, Unicode 24->84 dropped 36 powershell.exe 14 15 24->36         started        134 Bypasses PowerShell execution policy 26->134 86 C:\Users\user\AppData\Local\...\shiEC63.tmp, PE32+ 30->86 dropped signatures9 process10 dnsIp11 70 C:\Program Files\...\eventlog_provider.dll, PE32+ 32->70 dropped 72 C:\Program Files\...\d3dcompiler_47.dll, PE32+ 32->72 dropped 74 C:\Program Files\Chromnius\...\chrome_wer.dll, PE32+ 32->74 dropped 78 4 other files (none is malicious) 32->78 dropped 122 Creates an undocumented autostart registry key 32->122 39 chromnius.exe 32->39         started        44 setup.exe 32->44         started        46 setup.exe 32->46         started        110 www.chromnius.com 104.21.28.136, 443, 49733 CLOUDFLARENETUS United States 36->110 76 C:\Users\user\AppData\Local\...\browser.data, PE32+ 36->76 dropped 124 Powershell drops PE file 36->124 48 conhost.exe 36->48         started        file12 signatures13 process14 dnsIp15 112 192.168.2.4, 443, 49733 unknown unknown 39->112 114 239.255.255.250 unknown Reserved 39->114 88 C:\Users\user\AppData\Local\...\History, SQLite 39->88 dropped 136 Tries to harvest and steal browser information (history, passwords, etc) 39->136 50 chromnius.exe 39->50         started        53 chrmstp.exe 39->53         started        55 chromnius.exe 39->55         started        60 9 other processes 39->60 58 setup.exe 44->58         started        file16 signatures17 process18 dnsIp19 126 Tries to harvest and steal browser information (history, passwords, etc) 50->126 62 chrmstp.exe 53->62         started        64 chrmstp.exe 53->64         started        116 142.251.111.94 GOOGLEUS United States 55->116 118 142.251.16.95 GOOGLEUS United States 55->118 120 6 other IPs or domains 55->120 66 chromnius.exe 60->66         started        signatures20 process21 process22 68 chrmstp.exe 62->68         started       
Score:
31%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/94587b41a0eb5e2c592976fa283b0bfc0ef2e2c5cec24bba298cda0eb67270de
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/94587b41a0eb5e2c592976fa283b0bfc0ef2e2c5cec24bba298cda0eb67270de/
Threat name:
Win32.PUA.Lodi
Create hunting rule
Status:
Malicious
First seen:
2023-09-12 11:11:35 UTC
File Type:
PE (Exe)
Extracted files:
110
AV detection:
11 of 24 (45.83%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=srmhwqna5npcywjjo35cqoyl7qhpfywfz3bexorjrtna5ntsodpa._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/240110-jj8zmscdd2/
Behaviour
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Enumerates physical storage devices
Unpacked files
SH256 hash:
94587b41a0eb5e2c592976fa283b0bfc0ef2e2c5cec24bba298cda0eb67270de
MD5 hash:
06da5e36cab8aa9ceef50ceb2e48c026
SHA1 hash:
6f5da5c57900190e59e1a04fa3f854dc0caf0ca3
Link:
https://www.unpac.me/results/af3cd40c-fcdf-4664-a633-f03e220ed44b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/94587b41a0eb5e2c592976fa283b0bfc0ef2e2c5cec24bba298cda0eb67270de

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:APT_Sandworm_ArguePatch_Apr_2022_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect ArguePatch loader used by Sandworm group for load CaddyWiper
Reference:https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/470153/

Comments