MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aac36ff20ea7bfc0591c1d6b145b456bad394ee8e619343ec10d1809188edd75. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aac36ff20ea7bfc0591c1d6b145b456bad394ee8e619343ec10d1809188edd75
SHA3-384 hash: f33f6337d66369878847c5f17db63f0689a9848fc87c102ef916a463016a117ac6f6ef09d270efff0d43eb4446ba87a1
SHA1 hash: a72b881867b7eaa9187398bd0e9e144af02ffff4
MD5 hash: e6d27b60afe69ac02b1eaec864c882ae
humanhash: carpet-gee-sink-twenty
File name:file
Download: download sample
File size:1'451'088 bytes
First seen:2024-10-16 17:26:54 UTC
Last seen:2025-03-05 08:25:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2a3a77821d17fe4f1ddd06a7e2305b3c
ssdeep 24576:8IzF6Nh21lqc5q+ufSpodH9iJFK3PJ+4PvXpWRq1Wd3pUNKrXDIcmt:8IQo1IcM+ufSmdiUfg4PPpWRKkUZ3
TLSH T1C965231539D0C472C1B615321EE4DE715A3EBA714FA1DD8F23908FBE9F20381EA2566B
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter jstrosch
Tags:185-215-113-209 exe


Avatar
jstrosch
Found at hxxp://185.215.113[.]117/inc/legas.exe by #subcrawl

Intelligence

File Origin
# of uploads :
4
# of downloads :
451
Origin country :
CA CA
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
1f6f88a416bd360be8829d32372972eff5e83d7e25fcd2e789862ca482a5fb69.exe
Verdict:
Malicious activity
Analysis date:
2024-10-10 11:54:28 UTC
Tags:
amadey botnet stealer lumma themida loader exfiltration metastealer evasion opendir stealc redline uac
Link:
https://app.any.run/tasks/15497967-8c79-4d3c-bbf8-d8b80f37f5c2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Siggen29.49196.26677.32173.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=670ff76a1d4ef219fa636ca5
Tags:
Injection Kryptik Exploit
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
epmicrosoft_visual_cc fingerprint invalid-signature lumma microsoft_visual_cc overlay packed signed virus
Link:
https://www.filescan.io/uploads/670ff7693b9fe36e26635818/reports/19a9c8d1-806d-4c3b-a8d1-4510be1af50a/overview
Verdict:
Malicious
Labled as:
Babar.Generic
Link:
https://www.hybrid-analysis.com/sample/aac36ff20ea7bfc0591c1d6b145b456bad394ee8e619343ec10d1809188edd75
Malware family:
Kuhaname
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d880f4e5-e2d4-4988-8493-fca5bb940a38
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1535265
Signature
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus detection for dropped file
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Reads the System eventlog
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1535265 Sample: file.exe Startdate: 16/10/2024 Architecture: WINDOWS Score: 92 31 shed.dual-low.s-part-0017.t-0009.t-msedge.net 2->31 33 s-part-0017.t-0009.t-msedge.net 2->33 35 206.23.85.13.in-addr.arpa 2->35 37 Multi AV Scanner detection for submitted file 2->37 39 Machine Learning detection for sample 2->39 41 AI detected suspicious sample 2->41 8 file.exe 2->8         started        signatures3 process4 signatures5 51 Writes to foreign memory regions 8->51 53 Allocates memory in foreign processes 8->53 55 Injects a PE file into a foreign processes 8->55 11 MSBuild.exe 3 8->11         started        14 WerFault.exe 21 16 8->14         started        16 MSBuild.exe 8->16         started        18 MSBuild.exe 8->18         started        process6 file7 25 C:\Users\user\AppData\...\jm5tuzicTE.exe, PE32 11->25 dropped 27 C:\Users\user\AppData\...\ex7ydy8Lnn.exe, PE32 11->27 dropped 20 ex7ydy8Lnn.exe 3 11->20         started        23 jm5tuzicTE.exe 3 11->23         started        29 C:\ProgramData\Microsoft\...\Report.wer, Unicode 14->29 dropped process8 signatures9 43 Antivirus detection for dropped file 20->43 45 Multi AV Scanner detection for dropped file 20->45 47 Machine Learning detection for dropped file 20->47 49 Reads the System eventlog 23->49
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/aac36ff20ea7bfc0591c1d6b145b456bad394ee8e619343ec10d1809188edd75
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/aac36ff20ea7bfc0591c1d6b145b456bad394ee8e619343ec10d1809188edd75/
Threat name:
Win32.Trojan.LummaC
Create hunting rule
Status:
Malicious
First seen:
2024-10-11 03:45:02 UTC
File Type:
PE (Exe)
AV detection:
28 of 38 (73.68%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vlbw74qou674awi4dvvriw2fnowtstxi4ymtipwbbumasgeo3v2q._file
Verdict:
malicious
Label(s):
redlinestealer
Create hunting rule
Similar samples:
error
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/241016-v1eb5swbkl/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/6723412b-9867-4629-a9e7-cb567e5750b9
Unpacked files
SH256 hash:
aac36ff20ea7bfc0591c1d6b145b456bad394ee8e619343ec10d1809188edd75
MD5 hash:
e6d27b60afe69ac02b1eaec864c882ae
SHA1 hash:
a72b881867b7eaa9187398bd0e9e144af02ffff4
Link:
https://www.unpac.me/results/033c62cf-c2cf-4c10-b4aa-f2afe521c55a/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/aac36ff20ea7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/aac36ff20ea7bfc0591c1d6b145b456bad394ee8e619343ec10d1809188edd75

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe aac36ff20ea7bfc0591c1d6b145b456bad394ee8e619343ec10d1809188edd75

(this sample)

  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineA
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetConsoleTitleA
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleOutputCP
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW

Comments