MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 965ffe53515fbfed4dcb587c263151b2ce0d0136e1f6e354836d805070b8590c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 965ffe53515fbfed4dcb587c263151b2ce0d0136e1f6e354836d805070b8590c
SHA3-384 hash: 9dacec8bcd760c26016458852f4d367aa0cf5017e4b979d568e398a459464544506c7379732b994bebcfa4cfaaf5dad9
SHA1 hash: 8e88613d4c43e277ae305eb1385cd4bef439c54b
MD5 hash: ff93d6fabecd247bf67c66e781eef1ad
humanhash: east-green-glucose-oklahoma
File name:Aimbot.exe
Download: download sample
File size:1'726'752 bytes
First seen:2024-08-27 11:31:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 40ab50289f7ef5fae60801f88d4541fc (59 x ValleyRAT, 49 x Gh0stRAT, 41 x OffLoader)
ssdeep 24576:gawwKusHwEwS2fGqKZzO6I6h6gEGe/NIsWvMyCShxmS:wwREDbOShv2NuMsmS
Threatray 42 similar samples on MalwareBazaar
TLSH T11485BE23F2CBE43EE05D1B3305B2A05894F76A616923BE568AECB4ACCF751501D3E746
TrID 39.3% (.EXE) Inno Setup installer (107240/4/30)
21.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
15.7% (.EXE) InstallShield setup (43053/19/16)
15.2% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
3.8% (.EXE) Win64 Executable (generic) (10523/12/4)
Magika pebin
File icon (PE):PE icon
dhash icon 5050d270cccc82ae (109 x Adware.Generic, 43 x LummaStealer, 42 x OffLoader)
Reporter likeastar20
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
376
Origin country :
RO RO
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Aimbot.exe
Verdict:
Suspicious activity
Analysis date:
2024-08-27 11:31:10 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2c1e416c-6ea5-45c1-90fa-69fb90fd3d12

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.DownLoad4.16298.13373.12409.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66cdb934e7ff3f5a063c185e
Tags:
Encryption Execution Generic Infostealer Network Stealth Trojan
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
embarcadero_delphi fingerprint installer lolbin overlay packed setupapi shell32
Link:
https://www.filescan.io/uploads/66cdb9378088be736117b96f/reports/f8d4faa9-7a2f-479e-93ab-85a0457149fe/overview
Verdict:
Malicious
Labled as:
Infostealer/InnoLoader
Link:
https://www.hybrid-analysis.com/sample/965ffe53515fbfed4dcb587c263151b2ce0d0136e1f6e354836d805070b8590c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/23c14e6e-3473-41fe-8d5b-2fb3565edfef
Result
Threat name:
n/a
Detection:
suspicious
Classification:
n/a
Score:
34 / 100
Link:
https://www.joesandbox.com/analysis/1499721
Signature
Antivirus detection for URL or domain
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Score:
85%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/965ffe53515fbfed4dcb587c263151b2ce0d0136e1f6e354836d805070b8590c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/965ffe53515fbfed4dcb587c263151b2ce0d0136e1f6e354836d805070b8590c/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=szp74u2rl6762tollb6cmmkrwlha2ajw4h3ogvednwafa4fylega._file
Verdict:
unknown
Similar samples:
315e6d1736e2ec8465a172d289a6520ec127e1b02190716b383226275672170b
7a71a886d46f90a91cd0994a372db22c11c7bc23f4b3fa88177c2ed4def4ba9f
965ffe53515fbfed4dcb587c263151b2ce0d0136e1f6e354836d805070b8590c
a785bb5943ae900656aec2cfca17124ce7292eb6d14be835c0f6461d90aee689
b16b380f60786a78e3e8760f4a65e0906f744e43b2a04eead206596727443082
e11dc8d2e7fba91857df6a38c6e64ad491a9271b9f0bfda937680dd0da453665
+ 32 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery
Link:
https://tria.ge/reports/240827-nm94bsyclg/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
a7e37f5314834b163fa21557e61c13c0f202fd64d3c0e46e6c90d2d02e033aec
MD5 hash:
6faec01bf7a3d7f5c5dee2e6e3143a58
SHA1 hash:
603a36f817cab5574e58ab279379e5c112e5fb37
Link:
https://www.unpac.me/results/fd4cbf4f-a202-4612-9d27-2d6f29106dbf/
SH256 hash:
06868f7d74e9f339479e34ca7cdf8fcf969235f23c753210c98f7f581cf26764
MD5 hash:
1b293a3ae0af133da8a96d8343a43580
SHA1 hash:
875d4ab1ea5f019bc4e32bf4bcd29ab5403ceaa1
Link:
https://www.unpac.me/results/fd4cbf4f-a202-4612-9d27-2d6f29106dbf/
SH256 hash:
965ffe53515fbfed4dcb587c263151b2ce0d0136e1f6e354836d805070b8590c
MD5 hash:
ff93d6fabecd247bf67c66e781eef1ad
SHA1 hash:
8e88613d4c43e277ae305eb1385cd4bef439c54b
Link:
https://www.unpac.me/results/fd4cbf4f-a202-4612-9d27-2d6f29106dbf/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/965ffe53515fbfed4dcb587c263151b2ce0d0136e1f6e354836d805070b8590c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User Authorizationadvapi32.dll::AllocateAndInitializeSid
advapi32.dll::ConvertSidToStringSidW
advapi32.dll::ConvertStringSecurityDescriptorToSecurityDescriptorW
advapi32.dll::EqualSid
advapi32.dll::FreeSid
SECURITY_BASE_APIUses Security Base APIadvapi32.dll::AdjustTokenPrivileges
advapi32.dll::GetTokenInformation
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CreateProcessW
advapi32.dll::OpenProcessToken
advapi32.dll::OpenThreadToken
kernel32.dll::CloseHandle
kernel32.dll::CreateThread
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryA
kernel32.dll::LoadLibraryExW
kernel32.dll::LoadLibraryW
kernel32.dll::GetDriveTypeW
kernel32.dll::GetVolumeInformationW
kernel32.dll::GetSystemInfo
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateDirectoryW
kernel32.dll::CreateFileW
kernel32.dll::DeleteFileW
kernel32.dll::GetWindowsDirectoryW
kernel32.dll::GetSystemDirectoryW
kernel32.dll::GetFileAttributesW
WIN_BASE_USER_APIRetrieves Account Informationadvapi32.dll::LookupPrivilegeValueW
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegOpenKeyExW
advapi32.dll::RegQueryValueExW
WIN_USER_APIPerforms GUI Actionsuser32.dll::PeekMessageW
user32.dll::CreateWindowExW

Comments