MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 945cf884b485a56b317e46a583cf8c54e144143daa82d20362e11fbfb89dfe66. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 945cf884b485a56b317e46a583cf8c54e144143daa82d20362e11fbfb89dfe66
SHA3-384 hash: 44aea1d57ac5bfd365b44b265b9bddb5b042694e872327b6cdb56daf7df90ce6c5f291b4b355886547c2751b54ca7018
SHA1 hash: b83f150c68ca8cdc159700e97569746070e49831
MD5 hash: 3edf776028552ddfe855e6b04d80b5cc
humanhash: football-east-lake-north
File name:SecuriteInfo.com.Trojan.Win32.Casur.Acl.15070.6801
Download: download sample
File size:1'693'025 bytes
First seen:2022-06-17 11:59:44 UTC
Last seen:2022-06-17 12:39:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e569e6f445d32ba23766ad67d1e3787f (258 x Adware.Generic, 41 x RecordBreaker, 24 x RedLineStealer)
ssdeep 24576:q7FUDowAyrTVE3U5FeC0wFIy/gCutN9ZtX4yd/8ojOQvMT8xzJesjSJ6:qBuZrEUSmJ/FuD94yd0eMQhE6
TLSH T1CC75BF3FB268753ED5AA4B3246739350997BBB61B81B8C1E07F0084DCF664701E3BA56
TrID 59.6% (.EXE) Inno Setup installer (109740/4/30)
22.5% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
5.7% (.EXE) Win64 Executable (generic) (10523/12/4)
3.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
2.4% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter SecuriteInfoCom
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
233
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/280974/
Detection(s):
PUA.Win.Packer.Exe-6
Create hunting rule

SecuriteInfo.com.Trojan.Win32.Casur.Acl.15070.6801.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Searching for the window
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/21719/overview
Behaviour
MalwareBazaar
CheckNumberOfProcessor
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
80%
Tags:
overlay packed setupapi.dll shell32.dll
Link:
https://www.filescan.io/uploads/62ac6cc7473553ed3199281e/reports/a160ca24-da09-4f2d-8f26-090873a80edb/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/837223b5-948b-4cff-9ee4-e4f0ad7d4b96
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
44 / 100
Link:
https://www.joesandbox.com/analysis/1015163
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for submitted file
Obfuscated command line found
Performs DNS queries to domains with low reputation
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/945cf884b485a56b317e46a583cf8c54e144143daa82d20362e11fbfb89dfe66/
Threat name:
ByteCode-MSIL.Dropper.Dapato
Create hunting rule
Status:
Malicious
First seen:
2022-06-17 12:00:14 UTC
File Type:
PE (Exe)
AV detection:
13 of 26 (50.00%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sroprbfuqwswwml6i2syht4mktquifb5vkbnea3c4ep37oe57zta._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/220617-n6a4caeda5/
Behaviour
Suspicious use of WriteProcessMemory
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
18f25fab4afeac3f015294766e801d23d8e1260f39a26cedb0d264c506a6a29c
MD5 hash:
4c8d871cb00eb42ff63b38dd572e78ce
SHA1 hash:
21c124959d471db8fa33b6ffbbd39325bc67a11f
Link:
https://www.unpac.me/results/ccf86d5e-1e1c-48cf-8e7a-c026ed59e906/
SH256 hash:
f622fe801b18ff98b40dd4f278c95073c01ebfb69feb508524721251c0a52471
MD5 hash:
ef9261f3e595f886319098d60e7a629d
SHA1 hash:
aa3eb3953f8d1f867266fc5b77663efc02fddb71
Link:
https://www.unpac.me/results/ccf86d5e-1e1c-48cf-8e7a-c026ed59e906/
SH256 hash:
945cf884b485a56b317e46a583cf8c54e144143daa82d20362e11fbfb89dfe66
MD5 hash:
3edf776028552ddfe855e6b04d80b5cc
SHA1 hash:
b83f150c68ca8cdc159700e97569746070e49831
Link:
https://www.unpac.me/results/ccf86d5e-1e1c-48cf-8e7a-c026ed59e906/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/945cf884b485a56b317e46a583cf8c54e144143daa82d20362e11fbfb89dfe66

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:exploit_any_poppopret
Create hunting rule
Author:Jeff White [karttoon@gmail.com] @noottrak
Description:Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 945cf884b485a56b317e46a583cf8c54e144143daa82d20362e11fbfb89dfe66

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/280974/
  
URLhaus
https://urlhaus.abuse.ch/url/2241990/
  
Delivery method
Distributed via web download

Comments