MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a69e7a0ef0e1cbd6f95b5fbea1a9c297d49bac80bc158b0016b8381081015def. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 9

Intelligence 9 IOCs YARA 5 File information Comments

SHA256 hash:	a69e7a0ef0e1cbd6f95b5fbea1a9c297d49bac80bc158b0016b8381081015def
SHA3-384 hash:	1310c3619e488fdd4c4530164db4cdc6c040a08830cf4412e1340870524bd5afbe037f3d6408f0d2cdbd0e6526defe51
SHA1 hash:	0ec250b6013ab8c2ba5fab3388d82640c6e8a11f
MD5 hash:	258563db4c5a2d5697e58dd19f950074
humanhash:	equal-california-failed-purple
File name:	Installer.exe
Download:	download sample
File size:	3'370'176 bytes
First seen:	2023-04-04 22:28:51 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	4d363d3b473a6c355539abd95921390d (4 x ValleyRAT, 3 x FatalRAT, 1 x YoungLotus)
ssdeep	49152:/BUWAyRqlTyAnxbBIEdEeu8mJEW8WaGu3/Lg5TenGzzYNc/UOGqSLjhK6GltEv/u:/BRRgyAnxbBhu8mJAWlu8enS
Threatray	10 similar samples on MalwareBazaar
TLSH	T149F55B31764AC43BD67201F1192C9A9F5128BF721BB664C7B3CC2E6E1BB45C21636E27
TrID	88.3% (.CPL) Windows Control Panel Item (generic) (197083/11/60) 4.7% (.EXE) Win64 Executable (generic) (10523/12/4) 2.2% (.EXE) Win16 NE executable (generic) (5038/12/1) 2.0% (.EXE) Win32 Executable (generic) (4505/5/1) 0.9% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	6ded69c7b130b2c0 (12 x CryptBot, 8 x ValleyRAT, 4 x NetSupport)
Reporter	Anonymous
Tags:	exe signed

Code Signing Certificate

Organisation:	FACE AESTHETICS LTD
Issuer:	Sectigo Public Code Signing CA R36
Algorithm:	sha384WithRSAEncryption
Valid from:	2022-07-08T00:00:00Z
Valid to:	2023-07-08T23:59:59Z
Serial number:	65cfd8419d70ce4011d97bc79d18315e
Intelligence:	4 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist:	This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:	SHA256
Thumbprint:	7cff10e37a43843e971f02ca6ad6510f08a5209d21745181fc4d003a8287cd1b
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

287

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Installer.exe

Verdict:

Malicious activity

Analysis date:

2023-04-04 22:31:44 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/50b97e8a-4d2e-4eef-b024-2e852d4e3c0c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/380139/

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

DNS request

Sending an HTTP GET request

Sending a custom TCP request

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

fingerprint greyware msiexec.exe overlay packed setupapi.dll shell32.dll

Link:

https://www.filescan.io/uploads/642ca4af05c72da113b37b55/reports/5b5619cf-13e8-4786-92cf-6dd5aa2d29ed/overview

Verdict:

Malicious

Labled as:

Trojan[Spy]/Ousaban

Link:

https://www.hybrid-analysis.com/sample/a69e7a0ef0e1cbd6f95b5fbea1a9c297d49bac80bc158b0016b8381081015def

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/26dd2c8d-957c-4813-812e-1b5dc5b5a870

Result

Threat name:

Unknown

Detection:

malicious

Classification:

n/a

Score:

42 / 100

Link:

https://www.joesandbox.com/analysis/1208461

Signature

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a69e7a0ef0e1cbd6f95b5fbea1a9c297d49bac80bc158b0016b8381081015def/

Threat name:

Win32.Trojan.Tnega

Status:

Malicious

First seen:

2023-04-04 00:28:31 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

6 of 24 (25.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=u2phudxq4hf5n6k3l67kdkocs7kjxleaxqkywaawxa4bbaiblxxq._file

Verdict:

unknown

082ac271e7068243ead494e9447288e5969d22bc461e6de9dd1203145a203a73

4f6cb888a4dfade727490683feaee96679d7044f0181799c18a8c7060cb8dab3

9d2321341dc5804543514a81cab9aac8dbc52466c77bad98a3835819cb9d9c7d

bf13eb2026e85f67cbe27ba0ba349a615776976ae8c47ae979335a7d556e04bc

e00609f98a5ce391934710a1a47f748bb063ae939555e1cb491c4e5cff69fa97

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/230404-2d749scc6x/

Behaviour

Enumerates physical storage devices

Unpacked files

SH256 hash:

a69e7a0ef0e1cbd6f95b5fbea1a9c297d49bac80bc158b0016b8381081015def

MD5 hash:

258563db4c5a2d5697e58dd19f950074

SHA1 hash:

0ec250b6013ab8c2ba5fab3388d82640c6e8a11f

Link:

https://www.unpac.me/results/2874ff7e-1803-4a77-870a-4e07c06f3723/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a69e7a0ef0e1cbd6f95b5fbea1a9c297d49bac80bc158b0016b8381081015def

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	APT_Sandworm_ArguePatch_Apr_2022_1 Create hunting rule
Author:	Arkbird_SOLG
Description:	Detect ArguePatch loader used by Sandworm group for load CaddyWiper
Reference:	https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	Suspicious_Macro_Presence Create hunting rule
Author:	Mehmet Ali Kerimoglu (CYB3RMX)
Description:	This rule detects common malicious/suspicious implementations.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/380139/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample