MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a6018683f3fd1a7590a653b96849165a3d5ff66bb58c6b2da2f8f5706c39f53d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat: unknown
Vendor detections: 8



SHA256 hash: a6018683f3fd1a7590a653b96849165a3d5ff66bb58c6b2da2f8f5706c39f53d
SHA3-384 hash: 462482d1c104f75dfa48033b61a29fe4942bcbd247da4127b4bfde760acf16a8491a6edb96a5d2d81418f17fb925aab6
SHA1 hash: e3e97840a3939a66a8053a2fab428f49f3e48461
MD5 hash: 24410a5a9b880ebf3499820f2d875701
humanhash: seventeen-pluto-magnesium-fanta
File name: V1.5.3.exe
File size: 105'338 bytes
First seen: 2023-12-19 16:49:21 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 744 x AgentTesla, 438 x GuLoader)
ssdeep: 3072:IThRuiU7PEEuhPO+RDlb9t+I4J3FQcVUJqJL:IT5Uz8POkDlJt3wVU0
TLSH: T1ABA3C0427FA0C1A3EED20E3119779F33AE75AD2249D4470B2390B75AFD733416A1E64A
TrID:
  47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
  9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
  6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 92e0b496a2cada72 (11 x Adware.Generic, 6 x Adware.InstalleRex, 2 x Adware.Yantai)
Reporter: malwareinfosec
Tags: exe
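The identifier block above mixes four digest algorithms, a thousands separator in the file size, and (further down, under Unpacked files) labels that sit on a different line from their values and a "SH256" label typo. The following Python is an added example, not MalwareBazaar's own tooling, that parses such "Key: value" text into typed IOCs and validates each digest by algorithm before accepting it. The input is constructed from this entry's own lines, with one deliberately truncated SHA1 appended so the validation path is visible.

```python
"""Parse a MalwareBazaar entry's identifier lines into validated, typed IOCs.

Added example, not MalwareBazaar tooling. Accepts 'Label: value' on one
line and bare 'Label:' lines whose value sits on the following line.
"""
import re
from collections import defaultdict

# Hex digest length per algorithm. "SH256" is a label typo seen on the
# page's "Unpacked files" list and is folded into SHA256.
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA3-384": 96}
ALIAS = {"SH256": "SHA256"}

LABEL = re.compile(r"^(SHA3-384|SHA256|SH256|SHA1|MD5)\s+hash:\s*([0-9a-f]*)$", re.I)
IMPHASH = re.compile(r"^imphash:?\s+([0-9a-f]+)", re.I)
SSDEEP = re.compile(r"^ssdeep:?\s+(\d+:[A-Za-z0-9+/]+:[A-Za-z0-9+/]*)$")
TLSH = re.compile(r"^TLSH:?\s+(T1[0-9A-F]{70})$", re.I)
SIZE = re.compile(r"^File size:\s*([\d']+)\s*bytes", re.I)

# Constructed input: this entry's own identifier lines, plus one SHA1 that
# has been truncated on purpose (39 hex chars) to exercise validation.
ENTRY_TEXT = """\
SHA256 hash: a6018683f3fd1a7590a653b96849165a3d5ff66bb58c6b2da2f8f5706c39f53d
SHA3-384 hash: 462482d1c104f75dfa48033b61a29fe4942bcbd247da4127b4bfde760acf16a8491a6edb96a5d2d81418f17fb925aab6
SHA1 hash: e3e97840a3939a66a8053a2fab428f49f3e48461
MD5 hash: 24410a5a9b880ebf3499820f2d875701
File size:105'338 bytes
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 744 x AgentTesla, 438 x GuLoader)
ssdeep 3072:IThRuiU7PEEuhPO+RDlb9t+I4J3FQcVUJqJL:IT5Uz8POkDlJt3wVU0
TLSH T1ABA3C0427FA0C1A3EED20E3119779F33AE75AD2249D4470B2390B75AFD733416A1E64A
Unpacked files
SH256 hash:
1076ca39c449ed1a968021b76ef31f22a5692dfafeea29460e8d970a63c59906
MD5 hash:
675c4948e1efc929edcabfe67148eddd
SHA1 hash:
f5bdd2c4329ed2732ecfe3423c3cc482606eb28e
SHA1 hash:
e3e97840a3939a66a8053a2fab428f49f3e4846
"""


def hash_kind(value):
    """Classify a bare hex string by digest length; None if not a known digest."""
    if not re.fullmatch(r"[0-9a-fA-F]+", value or ""):
        return None
    for algo, length in DIGEST_LEN.items():
        if len(value) == length:
            return algo
    return None


def parse_entry(text):
    """Return (iocs, problems): iocs maps algorithm -> ordered unique values,
    problems lists labelled values that failed validation."""
    iocs = defaultdict(list)
    problems = []
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]

    def add(kind, value):
        if value not in iocs[kind]:
            iocs[kind].append(value)

    for idx, line in enumerate(lines):
        m = LABEL.match(line)
        if m:
            algo = ALIAS.get(m.group(1).upper(), m.group(1).upper())
            # An empty capture means the digest is on the following line.
            value = (m.group(2) or (lines[idx + 1] if idx + 1 < len(lines) else "")).lower()
            if hash_kind(value) == algo:
                add(algo, value)
            else:
                problems.append(f"{algo}: unexpected digest {value!r}")
            continue
        m = IMPHASH.match(line)
        if m:
            # imphash is an MD5 over the normalised import table: 32 hex chars.
            if hash_kind(m.group(1)) == "MD5":
                add("IMPHASH", m.group(1).lower())
            else:
                problems.append(f"IMPHASH: unexpected value {m.group(1)!r}")
            continue
        m = SSDEEP.match(line)
        if m:
            add("SSDEEP", m.group(1))
            continue
        m = TLSH.match(line)
        if m:
            add("TLSH", m.group(1).upper())
            continue
        m = SIZE.match(line)
        if m:
            add("SIZE", int(m.group(1).replace("'", "")))
    return dict(iocs), problems


if __name__ == "__main__":
    found, bad = parse_entry(ENTRY_TEXT)
    for kind, values in found.items():
        print(kind, values)
    print("problems:", bad)
```

The length check matters in practice: a digest copied with a character missing will silently match nothing when pushed to a blocklist or a threat-intel feed, so the parser reports it instead of accepting it.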

Intelligence


File Origin
# of uploads: 1
# of downloads: 345
Origin country: CA
Vendor Threat Intelligence
Result
Verdict: Clean
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file
Creating synchronization primitives
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: control installer lolbin masquerade overlay packed shell32
Result
Threat name: n/a
Detection: malicious
Classification: spyw.expl.evad
Score: 100 / 100
Signature
Allocates many large memory junks
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
DLL side loading technique detected
Found many strings related to Crypto-Wallets (likely being stolen)
Found suspicious ZIP file
Hides threads from debuggers
Malicious sample detected (through community Yara rule)
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Powershell drops PE file
Sigma detected: Dot net compiler compiles file from suspicious location
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph (ID 1364688, sample V1.5.3.exe, start date 19/12/2023, architecture WINDOWS, score 100), reconstructed from the graph labels:

Network:
  www.powershellgallery.com
  shed.dual-low.part-0013.t-0009.t-msedge.net
  part-0013.t-0009.t-msedge.net 13.107.246.41:443 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States), contacted by powershell.exe
  185.109.48.27:80 (ORC-UKGB, United Kingdom), contacted by V1.5.3.exe
  2 other IPs or domains

Graph-level signatures: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Yara detected UAC Bypass using CMSTP; 3 other signatures

Process tree:
  V1.5.3.exe
    drops C:\Users\user\AppData\Local\...\nsExec.dll, nsDialogs.dll, inetc.dll (PE32) and 3 other files (none malicious)
    contacts 185.109.48.27:80
    -> VolumeControl-Installer_6.6.3.exe
         drops C:\...\VolumeControl-Installer_6.6.3.tmp (PE32)
         -> VolumeControl-Installer_6.6.3.tmp
              drops C:\Users\user\AppData\Local\...\drvon.dll (PE32+) and 2 other files (none malicious)
              -> VolumeControl-Installer_6.6.3.exe
                   drops C:\...\VolumeControl-Installer_6.6.3.tmp (PE32)
                   -> VolumeControl-Installer_6.6.3.tmp
                        drops C:\tmp\taskhostsw.exe (copy) (PE32+), C:\tmp\is-DLJEL.tmp (PE32+), C:\Users\user\AppData\Local\...\_shfoldr.dll (PE32), C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
                        signature: Uses schtasks.exe or at.exe to add and modify task schedules
                        -> cmd.exe -> conhost.exe
                        -> schtasks.exe -> conhost.exe
              -> rundll32.exe -> rundll32.exe (signature: Hides threads from debuggers)
              -> cmd.exe -> taskkill.exe, conhost.exe
  taskhostsw.exe
    drops C:\Users\user\AppData\Local\...\sqlite3.dll, libeay32.dll (PE32+)
    signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Found many strings related to Crypto-Wallets (likely being stolen); Tries to harvest and steal browser information (history, passwords, etc); 2 other signatures
    -> cmd.exe (signature: Suspicious powershell command line found)
         -> powershell.exe -> conhost.exe
              drops C:\Users\user\...\x2j7gcruap4f0679318031.tmp (JSON) and 4 other malicious files
              signature: Tries to harvest and steal browser information (history, passwords, etc)
    -> cmd.exe
         -> powershell.exe -> conhost.exe
              drops 3 other malicious files (signature: Powershell drops PE file)
    -> cmd.exe
         -> powershell.exe -> conhost.exe
              contacts part-0013.t-0009.t-msedge.net 13.107.246.41:443
              drops C:\Users\user\AppData\Local\...\3sylygav.5pn (PE32), Microsoft.PackageM...t.NuGetProvider.dll (PE32), C:\Users\user\AppData\...\niujak4v.cmdline (Unicode)
              -> csc.exe (signature: DLL side loading technique detected)
                   drops C:\Users\user\AppData\Local\...\niujak4v.dll (PE32)
                   -> cvtres.exe
    -> 5 other processes (signature: Tries to harvest and steal browser information (history, passwords, etc))
         -> powershell.exe -> conhost.exe
              drops vs23qrgeboqvpdam5k...v2mw9u234686671.tmp (SQLite)
         -> 8 other processes -> 3 other processes
  cmd.exe
    signatures: Suspicious powershell command line found; Uses cmd line tools excessively to alter registry or file data; Bypasses PowerShell execution policy
    -> conhost.exe
    -> reg.exe (three instances)
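The signatures above are sandbox verdicts, not detection rules. The following Python is an added example (not from MalwareBazaar or any vendor) that turns five of them into checks over a process-event stream: PowerShell execution-policy bypass, schtasks.exe task creation, csc.exe compiling a response file from a user-writable directory under PowerShell, several reg.exe modifications under one parent, and cmstp.exe launched with an .inf from a user-writable path (the shape of the CMSTP UAC bypass the Yara rule names). The events are constructed to follow the behaviour graph's process tree (cmd.exe spawning reg.exe and powershell.exe, powershell.exe spawning csc.exe, the installer .tmp spawning schtasks.exe); their command lines, the cmstp.exe event, and the threshold of three reg.exe children are assumptions, and two benign events are included as controls.

```python
"""Process-event checks derived from the sandbox signatures listed above.

Added example, not vendor detection logic. Events are constructed to mirror
the behaviour graph's process tree; the command lines are assumptions.
"""
import re
from collections import Counter

# Constructed events: pid, ppid, image, command line. The cmstp.exe event is
# not in the graph and is included only because the Yara signature names it.
EVENTS = [
    dict(pid=100, ppid=1, image=r"C:\Windows\System32\cmd.exe",
         cmdline=r'cmd.exe /c "C:\tmp\run.bat"'),
    dict(pid=101, ppid=100, image=r"C:\Windows\System32\reg.exe",
         cmdline=r"reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v svc /t REG_SZ /d C:\tmp\taskhostsw.exe /f"),
    dict(pid=102, ppid=100, image=r"C:\Windows\System32\reg.exe",
         cmdline=r"reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v Hidden /t REG_DWORD /d 2 /f"),
    dict(pid=103, ppid=100, image=r"C:\Windows\System32\reg.exe",
         cmdline=r"reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowSuperHidden /t REG_DWORD /d 0 /f"),
    dict(pid=104, ppid=100, image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         cmdline=r"powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\tmp\stage.ps1"),
    dict(pid=105, ppid=104, image=r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
         cmdline=r'csc.exe /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\niujak4v.cmdline"'),
    dict(pid=106, ppid=1, image=r"C:\Users\user\AppData\Local\Temp\VolumeControl-Installer_6.6.3.tmp",
         cmdline=r"VolumeControl-Installer_6.6.3.tmp"),
    dict(pid=107, ppid=106, image=r"C:\Windows\System32\schtasks.exe",
         cmdline=r"schtasks.exe /create /sc minute /mo 5 /tn TaskhostSW /tr C:\tmp\taskhostsw.exe /f"),
    dict(pid=108, ppid=1, image=r"C:\Windows\System32\cmstp.exe",
         cmdline=r"cmstp.exe /ni /s C:\Users\user\AppData\Local\Temp\profile.inf"),
    # Benign controls: an ordinary PowerShell one-liner and a task query.
    dict(pid=200, ppid=1, image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         cmdline=r"powershell.exe -NoProfile -Command Get-Date"),
    dict(pid=201, ppid=1, image=r"C:\Windows\System32\schtasks.exe",
         cmdline=r"schtasks.exe /query /tn \Microsoft\Windows\Defrag\ScheduledDefrag"),
]

REG_CHILD_THRESHOLD = 3  # assumed cut-off for "excessive" registry edits under one parent


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_powershell(e):
    return basename(e["image"]) in ("powershell.exe", "pwsh.exe")


def ps_policy_bypass(e, parent):
    # "-ExecutionPolicy Bypass" and its short forms; Unrestricted counts too.
    return is_powershell(e) and bool(re.search(
        r"-(?:ep|exec|executionpolicy)\s+(?:bypass|unrestricted)", e["cmdline"], re.I))


def schtasks_create(e, parent):
    b = basename(e["image"])
    return b == "at.exe" or (b == "schtasks.exe" and bool(re.search(r"/create\b", e["cmdline"], re.I)))


def cmstp_inf_launch(e, parent):
    # cmstp.exe handed an .inf that lives under a user-writable directory.
    return basename(e["image"]) == "cmstp.exe" and bool(re.search(
        r"\\(?:appdata|temp|users)\\[^ ]*\.inf\b", e["cmdline"], re.I))


def dotnet_compile_from_user_dir(e, parent):
    # csc.exe fed a response file under AppData/Temp, spawned by PowerShell.
    return (basename(e["image"]) == "csc.exe"
            and bool(re.search(r"\\(?:appdata|temp)\\", e["cmdline"], re.I))
            and parent is not None and is_powershell(parent))


RULES = [
    ("powershell_execution_policy_bypass", ps_policy_bypass),
    ("schtasks_create", schtasks_create),
    ("cmstp_inf_launch", cmstp_inf_launch),
    ("dotnet_compile_from_user_dir", dotnet_compile_from_user_dir),
]


def detect(events):
    """Return sorted (rule, pid) hits; the reg.exe rule reports the parent pid."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    reg_edits = Counter()
    for e in events:
        parent = by_pid.get(e["ppid"])
        for name, rule in RULES:
            if rule(e, parent):
                hits.append((name, e["pid"]))
        if basename(e["image"]) == "reg.exe" and re.match(
                r"(?:\S*\\)?reg(?:\.exe)?\s+(?:add|delete|import)\b", e["cmdline"], re.I):
            reg_edits[e["ppid"]] += 1
    for ppid, n in reg_edits.items():
        if n >= REG_CHILD_THRESHOLD:
            hits.append(("excessive_reg_modification", ppid))
    return sorted(hits)


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:36s} pid={pid}")
```

Two of the checks deliberately use the parent process rather than the child alone: csc.exe is launched legitimately by build tools, and a registry edit by itself is routine, so the parent relationship (PowerShell as the compiler's parent, one cmd.exe fanning out several reg.exe children) is what separates the graph above from background noise.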
Threat name: Win32.Trojan.Generic
Status: Malicious
First seen: 2023-12-06 21:06:37 UTC
File Type: PE (Exe)
Extracted files: 6
AV detection: 4 of 23 (17.39%)
Threat level: 2/5
Verdict: unknown
Result
Malware family: n/a
Score: 1/10
Tags: n/a
Unpacked files
SHA256 hash: 1076ca39c449ed1a968021b76ef31f22a5692dfafeea29460e8d970a63c59906
MD5 hash: 675c4948e1efc929edcabfe67148eddd
SHA1 hash: f5bdd2c4329ed2732ecfe3423c3cc482606eb28e

SHA256 hash: 8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8
MD5 hash: cff85c549d536f651d4fb8387f1976f2
SHA1 hash: d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256 hash: 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
MD5 hash: 40d7eca32b2f4d29db98715dd45bfac5
SHA1 hash: 124df3f617f562e46095776454e1c0c7bb791cc7

SHA256 hash: 56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2
MD5 hash: 6c3f8c94d0727894d706940a8a980543
SHA1 hash: 0d1bcad901be377f38d579aafc0c41c0ef8dcefd

SHA256 hash: 0b2277d8aaf36e01aca3ae33e227b44bebc541a9c5cef6eb4fef93e96821a6cd
MD5 hash: b1ba7a8263281244782ca5604876cb2c
SHA1 hash: b8523dee6d7e74512a05c60cc35c0fddac370252

SHA256 hash: a6018683f3fd1a7590a653b96849165a3d5ff66bb58c6b2da2f8f5706c39f53d (this sample)
MD5 hash: 24410a5a9b880ebf3499820f2d875701
SHA1 hash: e3e97840a3939a66a8053a2fab428f49f3e48461
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Executable exe a6018683f3fd1a7590a653b96849165a3d5ff66bb58c6b2da2f8f5706c39f53d (this sample)
Delivery method: Distributed via web download
