MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 958dd14c90b1c73852f926608f212377aa3a36666c04024f97c20deb375e9773. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Adware.Neoreklami


Vendor detections: 11


Intelligence 11 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 958dd14c90b1c73852f926608f212377aa3a36666c04024f97c20deb375e9773
SHA3-384 hash: ad06132ab3388af7685c72a1fd1c4d816eee5845efe50aa273c2d18d910121506445ee7999d1dbc88d56b9ba286e1464
SHA1 hash: 1dfc4d42da90fe070d4474ddd7fa7b6f6ffa97ab
MD5 hash: 5cc472dcd66120aed74de36341bfd75a
humanhash: hawaii-blossom-uncle-emma
File name:setup.exe
Download: download sample
Signature Adware.Neoreklami
Create hunting rule
File size:6'552'179 bytes
First seen:2024-05-10 16:47:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3786a4cf8bfee8b4821db03449141df4 (2'102 x Adware.Neoreklami, 2 x RedLineStealer, 2 x Adware.MultiPlug)
ssdeep 196608:91OTMJdJiB9rrezjknd2evIO726Kc0ODm2ys6V:3OTA8wYvt2vc0OnydV
TLSH T1F566330439E149F8DAA35071E1561BABB1E9E3F54F214E737BD04E2A2E3E026CA55738
TrID 37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
12.7% (.EXE) Win64 Executable (generic) (10523/12/4)
7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter NDA0E
Tags:Adware.Neoreklami exe


Avatar
NDA0E
http://5.42.96.78/files/setup.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
351
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a0e3a64e0e6aee3370ccbbca59f8ae0b34be674963c1dabe14926b24fdcae7d0.exe
Verdict:
Malicious activity
Analysis date:
2024-05-10 16:35:39 UTC
Tags:
opendir loader gcleaner adware neoreklami
Link:
https://app.any.run/tasks/faf98099-196a-48a2-881d-e0c8e8da5556

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Program.Unwanted.2823.171.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Launching cmd.exe command interpreter
Searching for the window
Creating a file
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
installer lolbin overlay packed sfx shell32
Link:
https://www.filescan.io/uploads/663e4fc3b8652ad994a52e5f/reports/fc5f4958-28e6-410d-adfc-a3baaa613681/overview
Verdict:
Malicious
Labled as:
Win/grayware_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/958dd14c90b1c73852f926608f212377aa3a36666c04024f97c20deb375e9773
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/27125197-a822-4b41-971d-d474a0a49229
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1439758
Signature
Creates files in the recycle bin to hide itself
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies Group Policy settings
Modifies Windows Defender protection settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder
Snort IDS alert for network traffic
Suspicious powershell command line found
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1439758 Sample: setup.exe Startdate: 10/05/2024 Architecture: WINDOWS Score: 100 116 service-domain.xyz 2->116 118 api2.check-data.xyz 2->118 120 3 other IPs or domains 2->120 132 Snort IDS alert for network traffic 2->132 134 Multi AV Scanner detection for dropped file 2->134 136 Multi AV Scanner detection for submitted file 2->136 140 7 other signatures 2->140 13 setup.exe 6 2->13         started        16 Install.exe 2->16         started        19 Install.exe 2->19         started        signatures3 138 Performs DNS queries to domains with low reputation 118->138 process4 file5 104 C:\Users\user\AppData\Local\...\changepk.exe, PE32+ 13->104 dropped 106 C:\Users\user\AppData\Local\Temp\...\calc.exe, PE32+ 13->106 dropped 108 C:\Users\user\AppData\Local\...\Install.exe, PE32 13->108 dropped 21 Install.exe 1 13->21         started        110 C:\Windows\Temp\...\nyScLOO.exe, PE32 16->110 dropped 112 C:\Windows\System32behaviorgraphroupPolicy\gpt.ini, ASCII 16->112 dropped 122 Suspicious powershell command line found 16->122 124 Creates files in the recycle bin to hide itself 16->124 126 Uses cmd line tools excessively to alter registry or file data 16->126 128 Modifies Group Policy settings 16->128 24 cmd.exe 16->24         started        114 C:\Windows\Temp\...\vyFliIr.exe, PE32 19->114 dropped 130 Modifies Windows Defender protection settings 19->130 26 cmd.exe 19->26         started        signatures6 process7 signatures8 142 Multi AV Scanner detection for dropped file 21->142 144 Machine Learning detection for dropped file 21->144 146 Uses schtasks.exe or at.exe to add and modify task schedules 21->146 28 cmd.exe 1 21->28         started        41 3 other processes 21->41 148 Modifies Windows Defender protection settings 24->148 31 forfiles.exe 24->31         started        33 forfiles.exe 24->33         started        35 forfiles.exe 24->35         started        43 3 other processes 24->43 37 forfiles.exe 26->37         started        39 forfiles.exe 26->39         started        45 4 other processes 26->45 process9 signatures10 152 Suspicious powershell command line found 28->152 154 Uses cmd line tools excessively to alter registry or file data 28->154 156 Modifies Windows Defender protection settings 28->156 58 6 other processes 28->58 47 cmd.exe 31->47         started        50 cmd.exe 33->50         started        52 cmd.exe 35->52         started        54 cmd.exe 37->54         started        56 cmd.exe 39->56         started        60 5 other processes 41->60 62 2 other processes 43->62 64 3 other processes 45->64 process11 signatures12 66 reg.exe 47->66         started        68 reg.exe 50->68         started        70 reg.exe 52->70         started        162 Uses cmd line tools excessively to alter registry or file data 54->162 72 reg.exe 54->72         started        74 reg.exe 56->74         started        164 Modifies Windows Defender protection settings 58->164 76 5 other processes 58->76 79 2 other processes 60->79 81 2 other processes 62->81 166 Suspicious powershell command line found 64->166 83 3 other processes 64->83 process13 signatures14 158 Suspicious powershell command line found 76->158 160 Uses cmd line tools excessively to alter registry or file data 76->160 85 reg.exe 1 1 76->85         started        88 powershell.exe 12 76->88         started        90 reg.exe 1 1 76->90         started        96 2 other processes 76->96 92 WMIC.exe 1 79->92         started        94 gpupdate.exe 81->94         started        process15 signatures16 150 Suspicious powershell command line found 85->150 98 gpupdate.exe 1 88->98         started        100 conhost.exe 94->100         started        process17 process18 102 conhost.exe 98->102         started       
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/958dd14c90b1c73852f926608f212377aa3a36666c04024f97c20deb375e9773
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/958dd14c90b1c73852f926608f212377aa3a36666c04024f97c20deb375e9773/
Threat name:
Win32.Trojan.Operaloader
Create hunting rule
Status:
Malicious
First seen:
2024-05-10 16:48:06 UTC
File Type:
PE (Exe)
Extracted files:
33
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=swg5cteqwhdtquxzezqi6ijdo6vduntgnqcaet4xyig6wn26s5zq._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery evasion execution spyware stealer trojan
Link:
https://tria.ge/reports/240510-va38ksfe4z/
Behaviour
Creates scheduled task(s)
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Checks installed software on the system
Drops Chrome extension
Drops desktop.ini file(s)
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Modifies Windows Defender Real-time Protection settings
Windows security bypass
Unpacked files
SH256 hash:
7eb93d93b03447a6bafd7e084305d41bf9780bd415cb2e70020952d06f3d7b60
MD5 hash:
220a02a940078153b4063f42f206087b
SHA1 hash:
02fc647d857573a253a1ab796d162244eb179315
Link:
https://www.unpac.me/results/bbe4dd05-f559-42c1-9950-35be3b0849a7/
SH256 hash:
c6929b7dd7ead3bddb12f3fb953602464c426425a354ce7ab0b77cc53f696a36
MD5 hash:
ee0f08f2b1799960786efc38f1d212d5
SHA1 hash:
c6708b30c974cd326ea540415bae0666d6a0780a
Link:
https://www.unpac.me/results/bbe4dd05-f559-42c1-9950-35be3b0849a7/
SH256 hash:
958dd14c90b1c73852f926608f212377aa3a36666c04024f97c20deb375e9773
MD5 hash:
5cc472dcd66120aed74de36341bfd75a
SHA1 hash:
1dfc4d42da90fe070d4474ddd7fa7b6f6ffa97ab
Link:
https://www.unpac.me/results/bbe4dd05-f559-42c1-9950-35be3b0849a7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/958dd14c90b1c73852f926608f212377aa3a36666c04024f97c20deb375e9773

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

Executable exe a0e3a64e0e6aee3370ccbbca59f8ae0b34be674963c1dabe14926b24fdcae7d0

Adware.Neoreklami

Executable exe 958dd14c90b1c73852f926608f212377aa3a36666c04024f97c20deb375e9773

(this sample)

  
Dropped by
SHA256 a0e3a64e0e6aee3370ccbbca59f8ae0b34be674963c1dabe14926b24fdcae7d0
  
Delivery method
Other
  
URLhaus
https://urlhaus.abuse.ch/url/2845735/
  
URLhaus
https://urlhaus.abuse.ch/url/2845930/
  
Dropped by
MD5 731ff38afbc5a664f5a458e222d91f84

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExA
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetStartupInfoA
KERNEL32.dll::GetCommandLineA
KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryA
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::CreateFileA
KERNEL32.dll::DeleteFileA
KERNEL32.dll::DeleteFileW

Comments