MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 abecc0256e95bbe633bd3139e6baf60b95db22b8271878f3f35ae3c412ff557d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Adware.InstallCore

Vendor detections: 12

Intelligence 12 IOCs YARA 3 File information Comments

SHA256 hash:	abecc0256e95bbe633bd3139e6baf60b95db22b8271878f3f35ae3c412ff557d
SHA3-384 hash:	2f6dc70ebe936a88ff7e89ae7f94774ffda53ba5eb473fe5e9cdf050b8563b3b8c3994ea776b4e73b969f81a60556386
SHA1 hash:	92dbed9a976191f17357082391fd69c38847875e
MD5 hash:	b1382f20fc2ac8ee00bc5d35cfe2a883
humanhash:	alpha-coffee-hydrogen-football
File name:	SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571
Download:	download sample
Signature	Adware.InstallCore Create hunting rule
File size:	333'639 bytes
First seen:	2024-09-28 20:23:53 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	2fb819a19fe4dee5c03e8c6a79342f79 (56 x Adware.InstallCore, 8 x RedLineStealer, 7 x Adware.ExtenBro)
ssdeep	6144:oP7OolMPaDCUFSjKDQBH3AgeedRuUCFJ2H/uRGtfotLxVDZF8b8a0gX5jT/R26WM:g7blMPaDCUFSO0d37N3uUCeYGtf0jZOX
TLSH	T123641203D7CA81B8D07286742D3657248737BE223EB4542A7B9D3E9ECF77081991D78A
TrID	76.2% (.EXE) Inno Setup installer (107240/4/30) 10.0% (.EXE) Win32 Executable Delphi generic (14182/79/4) 4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.2% (.EXE) Win32 Executable (generic) (4504/4/1) 1.4% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika	pebin
File icon (PE):
dhash icon	92e0b496a2cada72 (11 x Adware.Generic, 5 x Adware.InstalleRex, 2 x Adware.Yantai)
Reporter	SecuriteInfoCom
Tags:	Adware.InstallCore exe

Intelligence

File Origin

# of uploads :

# of downloads :

420

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571

Verdict:

Suspicious activity

Analysis date:

2024-09-28 20:37:47 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/bdbd47e2-8150-4fe5-a0a7-1d8af711d60f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.not-a-virus.HEUR.AdWare.Win32.Convagent.gen.29670.14571.UNOFFICIAL

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=66fac282c85f12c405da6200

Tags:

Installcore Powershell Salgorea Dealply

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Creating a window

Creating a process from a recently created file

Сreating synchronization primitives

Searching for the window

Launching a process

Creating a process with a hidden window

Windows shutdown

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

borland_delphi fingerprint installer lolbin overlay packed setupapi shell32

Link:

https://www.filescan.io/uploads/66f865e4f71b9c224c143315/reports/b37db84b-9c95-479e-8d73-e185fa37b92f/overview

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/abecc0256e95bbe633bd3139e6baf60b95db22b8271878f3f35ae3c412ff557d

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/5a302d1a-4f76-4400-82fc-5d0214128e96

Result

Threat name:

n/a

Detection:

suspicious

Classification:

rans

Score:

29 / 100

Link:

https://www.joesandbox.com/analysis/1521531

Signature

Uses shutdown.exe to shutdown or reboot the system

Behaviour

Behavior Graph:

Download SVG

Score:

51%

Verdict:

Susipicious

File Type:

Link:

https://malprob.io/report/abecc0256e95bbe633bd3139e6baf60b95db22b8271878f3f35ae3c412ff557d

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/abecc0256e95bbe633bd3139e6baf60b95db22b8271878f3f35ae3c412ff557d/

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=vpwmajlosw56mm55ge46noxwbok5wivye4mhr47tllr4iex7kv6q._file

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery

Link:

https://tria.ge/reports/240928-y6n1baxgkf/

Behaviour

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Executes dropped EXE

Loads dropped DLL

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/ff62a52d-dd09-42fe-a56a-aa3a5225d621

Unpacked files

SH256 hash:

abecc0256e95bbe633bd3139e6baf60b95db22b8271878f3f35ae3c412ff557d

MD5 hash:

b1382f20fc2ac8ee00bc5d35cfe2a883

SHA1 hash:

92dbed9a976191f17357082391fd69c38847875e

Link:

https://www.unpac.me/results/a207609b-14bd-4830-9f26-9e09ff9905c8/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/abecc0256e95bbe633bd3139e6baf60b95db22b8271878f3f35ae3c412ff557d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Adware.InstallCore

exe abecc0256e95bbe633bd3139e6baf60b95db22b8271878f3f35ae3c412ff557d

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/3199068/

Delivery method

Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Reviews

ID	Capabilities	Evidence
SECURITY_BASE_API	Uses Security Base API	advapi32.dll::AdjustTokenPrivileges
WIN32_PROCESS_API	Can Create Process and Threads	kernel32.dll::CreateProcessA advapi32.dll::OpenProcessToken kernel32.dll::CloseHandle
WIN_BASE_API	Uses Win Base API	kernel32.dll::LoadLibraryA kernel32.dll::GetSystemInfo kernel32.dll::GetCommandLineA
WIN_BASE_IO_API	Can Create Files	kernel32.dll::CreateDirectoryA kernel32.dll::CreateFileA kernel32.dll::DeleteFileA kernel32.dll::GetWindowsDirectoryA kernel32.dll::GetSystemDirectoryA kernel32.dll::GetFileAttributesA
WIN_BASE_USER_API	Retrieves Account Information	advapi32.dll::LookupPrivilegeValueA
WIN_REG_API	Can Manipulate Windows Registry	advapi32.dll::RegOpenKeyExA advapi32.dll::RegQueryValueExA
WIN_USER_API	Performs GUI Actions	user32.dll::PeekMessageA user32.dll::CreateWindowExA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample