MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 97464eeb75791bf12ac3c78eeae121d066ef799e33cd4959f13eff4c257776d8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 97464eeb75791bf12ac3c78eeae121d066ef799e33cd4959f13eff4c257776d8
SHA3-384 hash: 1d5448d265c0508be443b6a2eaf73370c0ad9b6c9bb63342a782520306b6e58413319b5292e9a3760a079ca9dc2020e5
SHA1 hash: 520708e247e52a5899143a768d36f0544828cadb
MD5 hash: bf0c635d0132b4318ae9dc4bc7269919
humanhash: montana-harry-magnesium-magnesium
File name:bf0c635d0132b4318ae9dc4bc7269919
Download: download sample
File size:20'480 bytes
First seen:2024-06-01 04:43:44 UTC
Last seen:2024-06-01 05:18:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f759007e07f7aedda3ac166cfe9bb272
ssdeep 192:UEIyExuirmqFrmPdOzD0NPgLT5rx1PEg8rF6XW5w:VIyEAixwYRrxVGF6XW5w
TLSH T149920C23F6889076F289DAF21A62C3A904167D715E509E077A8D7F2D1E306C39DF4B27
TrID 81.0% (.EXE) Win32 Executable Microsoft Visual Basic 6 (82067/2/8)
6.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 1003873d31213f10 (142 x DarkCloud, 132 x GuLoader, 35 x a310Logger)
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
367
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
97464eeb75791bf12ac3c78eeae121d066ef799e33cd4959f13eff4c257776d8.exe
Verdict:
Suspicious activity
Analysis date:
2024-06-01 04:50:29 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7cc0a61a-38ef-4763-8a0b-bed662a6fdf7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
PUA.Win.Packer.ProtectSharewar-2
Create hunting rule

PUA.Win.Packer.ProtectSharewar-3
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=665b1bb429ebcd67665cb233win7simulatehigh_evasion
Tags:
Dropper
Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
visual_basic
Link:
https://www.filescan.io/uploads/665aa713a0ef3028c88344b8/reports/2eb748d6-88bc-42d7-bd26-192afcdc0834/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/97464eeb75791bf12ac3c78eeae121d066ef799e33cd4959f13eff4c257776d8
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/99ff6869-2217-4dbd-8443-21de208f1453
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1450315
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Score:
96%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/97464eeb75791bf12ac3c78eeae121d066ef799e33cd4959f13eff4c257776d8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/97464eeb75791bf12ac3c78eeae121d066ef799e33cd4959f13eff4c257776d8/
Threat name:
Win32.Trojan.Casdet
Create hunting rule
Status:
Malicious
First seen:
2024-05-20 11:31:22 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=s5de523vpen7ckwdy6hovyjb2bto66m6gpguswprh37uyjlxo3ma._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/240601-fctdtsac6t/
Behaviour
Suspicious use of SetWindowsHookEx
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/da4b5248-8bf4-4d76-a651-8eed72bebbb5
Unpacked files
SH256 hash:
97464eeb75791bf12ac3c78eeae121d066ef799e33cd4959f13eff4c257776d8
MD5 hash:
bf0c635d0132b4318ae9dc4bc7269919
SHA1 hash:
520708e247e52a5899143a768d36f0544828cadb
Link:
https://www.unpac.me/results/70183411-b8c0-4b60-ade1-189e82cf4ac7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/97464eeb75791bf12ac3c78eeae121d066ef799e33cd4959f13eff4c257776d8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ProtectSharewareV11eCompservCMS
Create hunting rule
Author:malware-lu
Rule name:SEH__vba
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 97464eeb75791bf12ac3c78eeae121d066ef799e33cd4959f13eff4c257776d8

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2870867/
  
URLhaus
https://urlhaus.abuse.ch/url/2870887/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
VB_APILegacy Visual Basic API usedMSVBVM60.DLL::__vbaFileOpen
MSVBVM60.DLL::__vbaErrorOverflow

Comments


Avatar
zbet commented on 2024-06-01 04:43:45 UTC

url : hxxp://53rf.l.time4vps.cloud/crc/maikati.exe