MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 96ea33db8096584990af218a6f8a25c8ab726c7bac1a5762e9f3ed4fa8eddab5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown

Vendor detections: 7

SHA256 hash: 96ea33db8096584990af218a6f8a25c8ab726c7bac1a5762e9f3ed4fa8eddab5
SHA3-384 hash: ec102935e8a123c59b0153f3a11dcbadb90fc862bb7705e15f6bb38656f949e0927dd99ab4be8700846826bdc3c01f96
SHA1 hash: e31021b2704ac840982415430824ecff7e1cc47e
MD5 hash: 793fb71aad1ac7a48dd5db737be8590a
humanhash: moon-nineteen-fourteen-montana
File name: 企业税务稽查名单查询client_silent_S3471755167_.exe (the Chinese prefix means "enterprise tax audit list query", a lure name; the string is kept verbatim as an indicator)
File size: 15,354,128 bytes (about 14.6 MiB)
First seen: 2024-05-18 01:51:43 UTC
Last seen: 2024-05-18 02:46:04 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 57e98d9a5a72c8d7ad8fb7a6a58b3daf (shared with 60 x GuLoader, 20 x AZORult, 12 x RemcosRAT samples)
ssdeep: 393216:qpa8lYgTdnc9GK50HAZxWFuUSmz2MlYMc7lc:GogTwGzHAyF9z2E
Threatray: 2 similar samples on MalwareBazaar
TLSH: T197F63360FD03E7A1E2E0A1792494163A4B125E96833006F7BF7537B75C252273EB27E6
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
dhash icon: f0d2d8c488acb4ec (shared with 1 x CryptBot)
Reporter: Anonymous
Tags: exe signed
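The imphash above is shared with dozens of GuLoader, AZORult and RemcosRAT samples because it is computed over the import table of the outer file, and the YARA hits further down identify that outer file as an NSIS installer: every NSIS-built installer carries nearly the same import table, so the value identifies the packaging, not the payload. The following added example (not code from MalwareBazaar or from pefile) reimplements the pefile imphash algorithm so the comparison is transparent. The ordinal table is abridged to a few ws2_32 entries, and SAMPLE_IMPORTS is a constructed, partial ordering taken from the BLint evidence on this page, so it will not reproduce the imphash recorded above.

```python
import hashlib

# Abridged ordinal table: pefile resolves ordinal-only imports for a few DLLs
# (ws2_32, wsock32, oleaut32) to names before hashing. Assumption: only the
# ws2_32 entries needed for this demo are listed; the real tables are far longer.
ORDINAL_NAMES = {
    "ws2_32": {1: "accept", 2: "bind", 3: "closesocket", 4: "connect", 9: "htons",
               16: "recv", 19: "send", 23: "socket", 52: "gethostbyname",
               115: "WSAStartup", 116: "WSACleanup"},
}


def import_tokens(imports):
    """Normalise an import table into the 'dll.func' tokens that imphash hashes.

    imports: list of (dll_name, func_name_or_int_ordinal) in import-table order.
    Order matters: the same imports in a different order give a different hash.
    """
    tokens = []
    for dll, func in imports:
        lib = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):      # only these extensions are stripped
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        if isinstance(func, int):                 # import by ordinal
            name = ORDINAL_NAMES.get(lib, {}).get(func, f"ord{func}")
        else:
            name = func
        tokens.append(f"{lib}.{name.lower()}")
    return tokens


def imphash(imports):
    """MD5 of the comma-joined tokens, i.e. the imphash as pefile computes it."""
    return hashlib.md5(",".join(import_tokens(imports)).encode()).hexdigest()


# Constructed import list drawn from the BLint evidence on this page, in an
# assumed order; the real table has many more entries.
SAMPLE_IMPORTS = [
    ("KERNEL32.dll", "CreateProcessA"), ("KERNEL32.dll", "CreateThread"),
    ("KERNEL32.dll", "LoadLibraryExA"), ("ADVAPI32.dll", "AdjustTokenPrivileges"),
    ("ADVAPI32.dll", "RegSetValueExA"), ("SHELL32.dll", "ShellExecuteExA"),
    ("ole32.dll", "CoCreateInstance"), ("USER32.dll", "CreateWindowExA"),
]

if __name__ == "__main__":
    print(",".join(import_tokens(SAMPLE_IMPORTS)))
    print(imphash(SAMPLE_IMPORTS))
```

Because the hash covers order, DLL name and function name only, any two binaries built by the same installer or packer collide; pivoting on an imphash therefore groups by toolchain, and the payload behind this NSIS stub has to be identified from the unpacked files and sandbox behaviour listed below.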

Code Signing Certificate

Organisation: Shandong Gooxion Software Co.,Ltd.
Issuer: DigiCert Assured ID Code Signing CA-1
Algorithm: sha1WithRSAEncryption
Valid from: 2019-09-04T00:00:00Z
Valid to: 2022-08-11T12:00:00Z
Serial number: 0f2dcc39185a9c0b9a4e984bba9b8ee3
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint algorithm: SHA256
Thumbprint: ddd5900c01d7f873cd9eac85dbc4931a1c6776e4618d8515e09d098143834825
Source: ReversingLabs A1000 Malware Analysis Platform
Note: the certificate expired on 2022-08-11, almost two years before this sample was first seen (2024-05-18). A signature made with it chains as valid today only if it carries a trusted timestamp countersignature from inside the validity window; this page shows no such timestamp, and the BLint findings further down report no Authenticode signature at all, so treat the "signed" tag as unverified rather than as evidence of provenance.

Intelligence


File Origin
Uploads: 2
Downloads: 323
Origin country: US
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 96ea33db8096584990af218a6f8a25c8ab726c7bac1a5762e9f3ed4fa8eddab5.exe
Verdict: Malicious activity
Analysis date: 2024-05-18 02:19:30 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox, so its verdict reflects everything done during the session, not only the uploaded sample.

Result
Verdict: Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window

Result
Verdict: MALICIOUS

Result
Threat name: n/a
Detection: malicious
Classification: troj.spyw.evad
Score: 62 / 100
Signature
Changes security center settings (notifications, updates, antivirus, firewall)
Connects to many ports of the same IP (likely port scanning)
Contains functionality to compare user and computer (likely to detect sandboxes)
Creates an undocumented autostart registry key
Creates files in the system32 config directory
Creates files inside the volume driver (system volume information)
Disables the Windows registry editor (regedit)
Disables the Windows task manager (taskmgr)
Drops executables to the windows directory (C:\Windows) and starts them
Hooks clipboard functions (used to sniff clipboard data)
Hooks files or directories query functions (used to hide files and directories)
Malicious sample detected (through community Yara rule)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
NDIS Filter Driver detected (likely used to intercept and sniff network traffic)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Tries to delay execution (extensive OutputDebugStringW loop)
Uses known network protocols on non-standard ports
Behaviour
Behavior Graph (ID 1443654, start date 18/05/2024, architecture WINDOWS, score 62), recovered from the rendered graph; node numbers are the graph's own:

Root (2): DNS lookup of 171.39.242.20.in-addr.arpa. Signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; NDIS Filter Driver detected (likely used to intercept and sniff network traffic); 5 other signatures. Starts: the submitted sample (8, the Chinese lure filename shown above), pobus64.exe (12), svchost.exe (15), 5 other processes (17).
Submitted sample (8): drops C:\Windows\projone\potcm\poda64.exe (PE32+), C:\Windows\projone\potcm\poda32.exe (PE32), C:\Windows\projone\potcm\pobus64.exe (PE32+) and 87 other files (1 malicious). Signatures: Drops executables to the windows directory (C:\Windows) and starts them; Contains functionality to compare user and computer (likely to detect sandboxes). Starts: pobus64.exe (19), regsvr32.exe (22).
pobus64.exe (12): connects to 206.238.199.159 on ports 13001, 13003, 13023 (COGENT-174, United States) and to 127.0.0.1. Drops C:\System Volume Information\cid (ASCII), C:\Windows\projone\potcm\ffmpeg.exe (PE32), C:\Windows\projone\...\ffebas54.dll (copy, PE32) and 9 other files (none malicious). Signatures: Creates files inside the volume driver (system volume information); Creates files in the system32 config directory. Starts: poda32.exe (24), assisths.exe (26), assisths.exe (28), 21 other processes (30).
svchost.exe (15): Changes security center settings (notifications, updates, antivirus, firewall).
5 other processes (17): Query firmware table information (likely to detect VMs).
pobus64.exe (19): Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Tries to delay execution (extensive OutputDebugStringW loop).
regsvr32.exe (22): starts regsvr32.exe (32).
poda32.exe (24): Drops executables to the windows directory (C:\Windows) and starts them; starts poda64.exe (35).
assisths.exe (26, 28) and the 21 other processes (30): each spawns conhost.exe; 17 further processes under (30).
regsvr32.exe (32): Creates an undocumented autostart registry key.
poda64.exe (35): drops C:\Windows\System32\drivers\poflt64.sys (PE32+); Disables the Windows task manager (taskmgr); Disables the Windows registry editor (regedit).
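The signature list and graph above name the behaviours; the added example below (mine, not MalwareBazaar's or any sandbox vendor's code) turns five of them into detection logic and runs it over constructed Sysmon-style events modelled on the graph: executables dropped under C:\Windows outside the system directories and then started, a .sys file written and then loaded, writes under System Volume Information, connections to one IP on several non-standard ports, and the DisableTaskMgr / DisableRegistryTools policy values (the usual locations for the task manager and regedit lockout; the page names only the effect, so the registry path is an assumption). The event field names, victim path and SID are constructed, and the dropper name is a shortened stand-in for the lure filename.

```python
from collections import defaultdict

# Constructed Sysmon-style events modelled on the behaviour graph above; not real telemetry.
# Event ids follow Sysmon: 1 = process create, 3 = network connect, 6 = driver load,
# 11 = file create, 13 = registry value set. Field names are simplified.
DROPPER = r"C:\Users\victim\Downloads\client_silent_S3471755167_.exe"  # stand-in for the lure name
POBUS = r"C:\Windows\projone\potcm\pobus64.exe"
PODA32 = r"C:\Windows\projone\potcm\poda32.exe"
PODA64 = r"C:\Windows\projone\potcm\poda64.exe"
DRIVER = r"C:\Windows\System32\drivers\poflt64.sys"
# Assumed policy key (the page names only the effect, not the key).
POLICY = r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System"

EVENTS = [
    {"id": 11, "image": DROPPER, "target": POBUS},
    {"id": 11, "image": DROPPER, "target": PODA32},
    {"id": 11, "image": DROPPER, "target": PODA64},
    {"id": 1, "image": POBUS, "parent": DROPPER},
    {"id": 3, "image": POBUS, "dst_ip": "206.238.199.159", "dst_port": 13001},
    {"id": 3, "image": POBUS, "dst_ip": "206.238.199.159", "dst_port": 13003},
    {"id": 3, "image": POBUS, "dst_ip": "206.238.199.159", "dst_port": 13023},
    {"id": 11, "image": POBUS, "target": r"C:\System Volume Information\cid"},
    {"id": 1, "image": PODA32, "parent": POBUS},
    {"id": 1, "image": PODA64, "parent": PODA32},
    {"id": 11, "image": PODA64, "target": DRIVER},
    {"id": 6, "image": "System", "loaded": DRIVER},
    {"id": 13, "image": PODA64, "target": POLICY + r"\DisableTaskMgr", "details": "DWORD (0x00000001)"},
    {"id": 13, "image": PODA64, "target": POLICY + r"\DisableRegistryTools", "details": "DWORD (0x00000001)"},
]
BENIGN_EVENTS = [  # constructed control trace that must produce no findings
    {"id": 1, "image": r"C:\Windows\System32\notepad.exe", "parent": r"C:\Windows\explorer.exe"},
    {"id": 3, "image": r"C:\Program Files\Browser\browser.exe", "dst_ip": "203.0.113.10", "dst_port": 443},
    {"id": 11, "image": r"C:\Windows\System32\svchost.exe", "target": r"C:\Windows\Temp\update.log"},
]

# Writes here are routine (servicing, WinSxS); a new directory directly under C:\Windows is not.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
               "c:\\windows\\winsxs\\", "c:\\windows\\servicing\\")
COMMON_PORTS = {53, 80, 443, 8080}
POLICY_VALUES = ("DisableTaskMgr", "DisableRegistryTools")


def detect(events):
    """Run the five rules over one trace in order; returns [(rule_name, detail), ...].

    State carried across events: files dropped earlier in the trace, so that a later
    process start or driver load of the same path can be tied back to the drop.
    """
    findings = []
    dropped_exes, dropped_drivers = set(), set()
    ports_by_ip = defaultdict(set)
    for ev in events:
        if ev["id"] == 11:
            t = ev["target"].lower()
            if t.startswith("c:\\system volume information\\"):
                findings.append(("svi_write", ev["target"]))
            if t.endswith(".sys"):
                dropped_drivers.add(t)
            elif t.startswith("c:\\windows\\") and not t.startswith(SYSTEM_DIRS) \
                    and t.endswith((".exe", ".dll")):
                dropped_exes.add(t)
        elif ev["id"] == 1 and ev["image"].lower() in dropped_exes:
            findings.append(("drop_and_execute", ev["image"]))
        elif ev["id"] == 6 and ev["loaded"].lower() in dropped_drivers:
            findings.append(("new_driver_loaded", ev["loaded"]))
        elif ev["id"] == 13:
            name = ev["target"].rsplit("\\", 1)[-1]
            if "\\policies\\system\\" in ev["target"].lower() and name in POLICY_VALUES \
                    and "0x00000001" in ev["details"]:
                findings.append(("policy_disable", name))
        elif ev["id"] == 3:
            ports_by_ip[ev["dst_ip"]].add(ev["dst_port"])
    for ip, ports in ports_by_ip.items():
        odd = ports - COMMON_PORTS
        if len(odd) >= 3:                      # several non-standard ports on one host
            findings.append(("multi_port_same_ip", f"{ip}:{sorted(odd)}"))
    return findings


if __name__ == "__main__":
    for rule, detail in detect(EVENTS):
        print(f"{rule:20} {detail}")
```

The drop-then-execute and drop-then-load rules are stateful on purpose: a process start from C:\Windows\projone\ alone is only suspicious, but a start from a path the same trace just created, by a process that itself came from such a path, is the chain the graph shows. Port thresholds and the system-directory allow-list are tuning knobs; on real telemetry the policy rule in particular also needs the HKLM variant of the key.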
Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour
Enumerates physical storage devices
Unpacked files (SHA256 / MD5 / SHA1)
f0e6fcfeca3589bede387ef7ac1b81b66431bea1056a01bbf5e2994604f9a820 / 0111926fadd2f0dc566eab9d32609688 / d27bcf9a8898a45203a4bfdb686e8c656c818161
8b15eb72e80f1971bdd0f2fef3e70ba23574368505075d5869108144b0023b62 / 334c32302a77d86169a7b1b4cd306258 / 05fb478c81c6a27e49a72f07e0ed23d6855f4036
ff92aa0ed1d9f381e9b46b5836f02216c23fd2c0f67571eae4576be95decf586 / 81884d41672c9b391284fd003448e2e1 / e6f10944eb84b145722e4bd7c830c1f2691c951e
0837ce2b2f358798d516de91c1b49e7cd9cb647695cbb69a9318c293da2fa332 / df9c87b241c32b8f8fb5e06adb07cfc5 / b25ca866adc09019e52dbe40be7b697573afc7c7
53c17883192124b2ad404764a3d302fb45e92dbaf4a53e4234b7cfbdf7504e2e / adf6735e696c725ec433d8a8a1095623 / 77568c4a5de124da75c3f29ad77f4682eecb8155
56249f41c3af3f9a9476ec00b76a2b027123e5107b3280e25e8fde694fbbbe8e / 063f6ea1311d0f1093569eef761ec974 / 341e6ce9a015c57618041689257e2f3489fedb12
363b0f1940b57e7e099d875296c113834a9b8c8a54bc37499ec57d2a64fbfaa9 / 9a58a9b9a86ef28ed550f9a8d9314bbb / 03e063558820471691e9d19f2cc9bfff48cd8c4b
bcc0171a06d856569f43007d23c27fc4f54f098ad231d3e4ee4fdbe3cd4bf85f / 04760a888a3fa6a55a48093c7d7b2795 / 6d2f4c0dc582885d3fea21700ad8013a1d0eb52d
b56052c5a6037badd469626ee8f57f04a5ec5056a732802b7f02ef328c3c2f1d / 42d6766509cfe037ea45efab0f06bd3a / fcb6307f9f24762d484828e2f576b406405b3453
a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1 / fbe295e5a1acfbd0a6271898f885fe6a / d6d205922e61635472efb13c2bb92c9ac6cb96da
a076c5707b4ae82d3a62f7300023a2a933dbf3cc3f83b4bb8edc6867105be013 / 355152cca9e9493de9fde0fde7c5d21f / a1687ce7793a38e82db3eeeafacb439c44aa78a5
496134cf94370bf1df575829439888dcefed18c4c1a4c0274572eff27c5278b6 / 34f31522fadb94d074024065f60a2619 / 5c299590038a8add456e610295e560b940e7c706
3cdf3e24c87666ed5c582b8b028c01ee6ac16d5a9b8d8d684ae67605376786ea / ab101f38562c8545a641e95172c354b4 / ec47ac5449f6ee4b14f6dd7ddde841a3e723e567
f6519b801eb5be0f96f489d2e4daff377d06f6270e09c385a2a44b0cd5349dbe / f6c463f625b25866c9111dc8538bb36f / 851367ccef2ba73dc5c344f6bf271d08c3d1ded4
96ea33db8096584990af218a6f8a25c8ab726c7bac1a5762e9f3ed4fa8eddab5 / 793fb71aad1ac7a48dd5db737be8590a / e31021b2704ac840982415430824ecff7e1cc47e (the submitted sample itself)
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Ins_NSIS_Buer_Nov_2020_1
Author: Arkbird_SOLG
Description: Detect NSIS installer used for Buer loader

Rule name: NSIS_April_2024
Author: NDA0N
Description: Detects NSIS installers

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint, a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing DLL security characteristics (HIGH_ENTROPY_VA) | high
CHECK_TRUST_INFO | Requires elevated execution (level: requireAdministrator) | high
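All three BLint findings are header-level properties. The code-signing block above (from ReversingLabs) lists a certificate, yet CHECK_AUTHENTICODE says the file carries no Authenticode signature, and the page does not reconcile the two; the check that settles it is whether the PE's security data directory (entry 4) is populated. The added example below, written for this page rather than taken from BLint, builds two constructed headers-only PE32+ images, one reproducing the three findings and one hardened, and lints them for the security directory, the DllCharacteristics bits and a requireAdministrator manifest string. Header offsets follow the PE/COFF specification; the manifest check is a byte search rather than RT_MANIFEST resource parsing, which is a simplification.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits of the optional header (PE/COFF specification).
DLL_CHARACTERISTICS = {
    "HIGH_ENTROPY_VA": 0x0020,  # 64-bit ASLR; the bit BLint reports missing above
    "DYNAMIC_BASE": 0x0040,
    "NX_COMPAT": 0x0100,
    "GUARD_CF": 0x4000,
}
SECURITY_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: file offset and size of the Authenticode blob


def build_pe(dll_characteristics, signed, exec_level):
    """Constructed, headers-only PE32+ image for the linter below (not a runnable program).

    The manifest is appended as a raw XML fragment instead of a real RT_MANIFEST
    resource, and the 'certificate' is a zero-filled placeholder; only its presence
    in the security directory matters for the check.
    """
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)                   # e_lfanew: PE header at 0x40
    opt_size = 240                                        # PE32+ optional header size
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x0022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                 # Magic: PE32+
    struct.pack_into("<H", opt, 70, dll_characteristics)  # DllCharacteristics
    struct.pack_into("<I", opt, 108, 16)                  # NumberOfRvaAndSizes
    body = b'<requestedExecutionLevel level="' + exec_level + b'" uiAccess="false"/>'
    headers_len = len(dos) + 4 + len(coff) + opt_size
    if signed:
        cert = b"\x00" * 16                               # placeholder WIN_CERTIFICATE
        struct.pack_into("<II", opt, 112 + 8 * SECURITY_DIR, headers_len + len(body), len(cert))
        body += cert
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + body


def lint_pe(data):
    """Header-level equivalents of BLint's CHECK_AUTHENTICODE, CHECK_DLL_CHARACTERISTICS
    and CHECK_TRUST_INFO. Returns parsed flags plus a list of (finding_id, detail)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ")
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: bad PE signature")
    opt_off = e_lfanew + 4 + 20                           # skip signature and COFF header
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == 0x10B:                                    # PE32
        ndirs_off, dirs_off = opt_off + 92, opt_off + 96
    elif magic == 0x20B:                                  # PE32+
        ndirs_off, dirs_off = opt_off + 108, opt_off + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dllc = struct.unpack_from("<H", data, opt_off + 70)[0]   # same offset for PE32 and PE32+
    flags = {name: bool(dllc & bit) for name, bit in DLL_CHARACTERISTICS.items()}
    sec_size = 0
    if struct.unpack_from("<I", data, ndirs_off)[0] > SECURITY_DIR:
        _, sec_size = struct.unpack_from("<II", data, dirs_off + 8 * SECURITY_DIR)

    findings = []
    if sec_size == 0:
        findings.append(("CHECK_AUTHENTICODE", "no security directory, file is unsigned"))
    wanted = [n for n in DLL_CHARACTERISTICS if n != "HIGH_ENTROPY_VA" or magic == 0x20B]
    missing = [n for n in wanted if not flags[n]]
    if missing:
        findings.append(("CHECK_DLL_CHARACTERISTICS", "missing " + ",".join(missing)))
    if b'level="requireAdministrator"' in data:          # simplification: byte search, not resource parsing
        findings.append(("CHECK_TRUST_INFO", "manifest requests requireAdministrator"))
    return {"magic": magic, "flags": flags, "signed": sec_size > 0, "findings": findings}


if __name__ == "__main__":
    weak = build_pe(0x0140, signed=False, exec_level=b"requireAdministrator")
    for fid, detail in lint_pe(weak)["findings"]:
        print(f"{fid:28} {detail}")
```

A populated security directory only means a PKCS#7 blob is attached; whether it verifies, and whether it carries the timestamp the expired certificate above would need, still has to be checked with a signature verifier. A file with an empty security directory, as BLint reports here, has no signature to verify at all, whatever certificate metadata another tool extracted.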
Reviews
ID | Capabilities | Evidence
AUTH_API | Manipulates user authorization | ADVAPI32.dll::SetFileSecurityA
COM_BASE_API | Can download & execute components | ole32.dll::CoCreateInstance
SECURITY_BASE_API | Uses security base API | ADVAPI32.dll::AdjustTokenPrivileges
SHELL_API | Manipulates system shell | SHELL32.dll::ShellExecuteExA, SHELL32.dll::SHFileOperationA, SHELL32.dll::SHGetFileInfoA
WIN32_PROCESS_API | Can create processes and threads | KERNEL32.dll::CreateProcessA, ADVAPI32.dll::OpenProcessToken, KERNEL32.dll::CloseHandle, KERNEL32.dll::CreateThread
WIN_BASE_API | Uses Win base API | KERNEL32.dll::LoadLibraryExA, KERNEL32.dll::GetDiskFreeSpaceA, KERNEL32.dll::GetCommandLineA
WIN_BASE_IO_API | Can create files | KERNEL32.dll::CopyFileA, KERNEL32.dll::CreateDirectoryA, KERNEL32.dll::CreateFileA, KERNEL32.dll::DeleteFileA, KERNEL32.dll::MoveFileExA, KERNEL32.dll::MoveFileA
WIN_BASE_USER_API | Retrieves account information | ADVAPI32.dll::LookupPrivilegeValueA
WIN_REG_API | Can manipulate Windows registry | ADVAPI32.dll::RegCreateKeyExA, ADVAPI32.dll::RegDeleteKeyA, ADVAPI32.dll::RegOpenKeyExA, ADVAPI32.dll::RegQueryValueExA, ADVAPI32.dll::RegSetValueExA
WIN_USER_API | Performs GUI actions | USER32.dll::AppendMenuA, USER32.dll::EmptyClipboard, USER32.dll::FindWindowExA, USER32.dll::OpenClipboard, USER32.dll::PeekMessageA, USER32.dll::CreateWindowExA

Comments