MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a17697e37a42173e32331d61acb9b786c3daae7d8eb1cac4caf71fa988c43341. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 10

SHA256 hash: a17697e37a42173e32331d61acb9b786c3daae7d8eb1cac4caf71fa988c43341
SHA3-384 hash: 2db7124f660edd794599f3e99bb1fa32df7ca379e9b62c27962a5252c6c9ffd0371ea1552ca9458f3828e99fd2bdc4f4
SHA1 hash: 5ae94ea327d957b94330b422dddb6f5b1557f6e1
MD5 hash: 89d47d8998e3a5c7b9afbeafaca4bc9c
humanhash: potato-happy-xray-quebec
File name: ReasonLabs-EPP-setup.exe
File size: 1'866'288 bytes
First seen: 2023-06-01 07:59:15 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 56a78d55f3f7af51443e58e0ce2fb5f6 (720 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep: 49152:Col3229hUEHp9zDl4F3A11jiWcSyJVAs5t0/6r80z7wRv/Kb:ColLdKF3AfxcSyJkkEv/
Threatray: 676 similar samples on MalwareBazaar
TLSH: T1658512262E61E8AFC0161BF049678CB69E9AED0115582DC81F3DFFBD5E333821505E7A
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: f1cd714d1414cdf2 (1 x PureCrypter)
Reporter: Anonymous
Tags: exe signed

Code Signing Certificate

Organisation: Reason Cybersecurity Inc.
Issuer: Sectigo Public Code Signing CA R36
Algorithm: sha384WithRSAEncryption
Valid from: 2023-01-31T00:00:00Z
Valid to: 2024-01-31T23:59:59Z
Serial number: bacc6bc7a707b86f34567da12d68c30d
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint algorithm: SHA256
Thumbprint: f221665f605848baabcd9566eb6fec635a095532804522acd008c2efa2e2f71f
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Anonymous
https://shield.reasonsecurity.com/ReasonLabs-EPP-setup.exe?aflt=71

Intelligence


File Origin
# of uploads: 1
# of downloads: 271
Origin country: DE

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: ReasonLabs-EPP-setup.exe
Verdict: Malicious activity
Analysis date: 2023-06-01 08:01:32 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware

Behaviour
Creating synchronization primitives
Creating a file in the %temp% subdirectories
Searching for synchronization primitives
Creating a process from a recently created file
Moving a file to the %temp% subdirectory
Using the Windows Management Instrumentation requests
Creating a window
DNS request
Sending a custom TCP request
Unauthorized injection to a recently created process
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour

MalwareBazaar
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: lolbin overlay packed shell32.dll

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: n/a
Detection: suspicious
Classification: evad
Score: 26 / 100
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Installs Task Scheduler Managed Wrapper

Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Executes dropped EXE
Loads dropped DLL
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: PE_Digital_Certificate
Author: albertzsigovits
Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits
Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments