MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ac91b2a2db1909a2c166e243391846ad8d9ede2c6fcfd33b60acf599e48f9afc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 17

Intelligence 17 IOCs YARA 8 File information Comments

SHA256 hash:	ac91b2a2db1909a2c166e243391846ad8d9ede2c6fcfd33b60acf599e48f9afc
SHA3-384 hash:	53d6d76e2a2ad35127c17e9e60ff3674d24931638c0af81f40f8eb30fd0b1b875033fe12b9da3a6195244039fe40113a
SHA1 hash:	8ec200e2d836354a62f16cdb3eed4bb760165425
MD5 hash:	c213162c86bb943bcdf91b3df381d2f6
humanhash:	fillet-social-oven-pasta
File name:	c213162c86bb943bcdf91b3df381d2f6.exe
Download:	download sample
File size:	1'785'344 bytes
First seen:	2024-09-30 07:49:45 UTC
Last seen:	2024-10-11 21:00:39 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	a89655faa2b6840e801be1e1c779fc67
ssdeep	24576:+rKxoVT2iXc+IZP+6WiaTAsN/3ebTvK+63CWH8iA/iD2hgPjcC8SVdKumYr7:vHZGpdqYH8ia6GcKuR7
Threatray	9 similar samples on MalwareBazaar
TLSH	T17D851818F6D8423ED817D235DA3153B2D7FAB9482F20738A69280B5ABF673D01B35758
TrID	39.3% (.CPL) Windows Control Panel Item (generic) (57583/11/19) 28.3% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9) 9.6% (.EXE) Win32 Executable Delphi generic (14182/79/4) 7.1% (.EXE) Win64 Executable (generic) (10523/12/4) 6.8% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
Magika	pebin
Reporter	abuse_ch
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

378

Origin country :

Vendor Threat Intelligence

Malware family:

vidar

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2024-09-27 23:30:45 UTC

Tags:

vidar telegram lumma stealer loader evasion

Link:

https://app.any.run/tasks/90e2e1ad-52ba-4455-a22b-398662f5081f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Win.Malware.Msilperseus-9807948-0

Win.Malware.Ursu-9937395-0

PUA.Win.Virus.Rdpwrap-6793227-0

PUA.Win.Virus.Rdpwrap-6793229-0

Verdict:

Malicious

Score:

96.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=66fac4261fc3f42f04e862dd

Tags:

Dropper Patcher

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Verdict:

Malicious

Threat level:

10/10

Confidence:

89%

Tags:

apt borland_delphi rdpwrap remoteadmin

Link:

https://www.filescan.io/uploads/66fa582d161fc470c7176587/reports/0299570c-6e3b-455a-b8d6-27eee769bd3e/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/ac91b2a2db1909a2c166e243391846ad8d9ede2c6fcfd33b60acf599e48f9afc

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RDPWrap

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/2b9672d0-fb93-4e68-9942-e57258084d63

Result

Threat name:

RDPWrap Tool

Detection:

malicious

Classification:

spre

Score:

56 / 100

Link:

https://www.joesandbox.com/analysis/1522506

Signature

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Yara detected RDPWrap Tool

Behaviour

Behavior Graph:

Download SVG

Score:

91%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/ac91b2a2db1909a2c166e243391846ad8d9ede2c6fcfd33b60acf599e48f9afc

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ac91b2a2db1909a2c166e243391846ad8d9ede2c6fcfd33b60acf599e48f9afc/

Threat name:

Win32.PUA.RDPWrap

Status:

Malicious

First seen:

2024-09-26 16:33:08 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

26 of 38 (68.42%)

Threat level:

1/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vsi3fiw3dee2fqlg4jbtsgcgvwgz5xrmn7h5go3avt2ztzeptl6a._file

Verdict:

malicious

Label(s):

rdpwrap

2a9f856bc9fe5a41540aa3800cd8e50adfbfbc3661845a9791c02c13bcadddf6

4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50

56afc3a4d1976c141a65895d5fb4e6fc5756a593cf97d234626f8107ad2141d5

70efbdb447fb1205e4a9fd9ce59d3cf31abd43ea60eb2322e744d3a13cb9c069

8454dbda35354737c7f1162466738d7077c0a9af21e93c2e49c2d7a8d5084647

97ff84a22b9ae106c9c6d6893575360411773f084d600ae3ae21bec7b26a4c66

ac91b2a2db1909a2c166e243391846ad8d9ede2c6fcfd33b60acf599e48f9afc

feb090fe2a018ba71f2db302a253998b66f9655a0d83f80db512604093aee9de

Result

Malware family:

n/a

Score:

3/10

Tags:

discovery

Link:

https://tria.ge/reports/240930-jn9fzatcpk/

Behaviour

System Location Discovery: System Language Discovery

Verdict:

Malicious

Tags:

red_team_tool lazarus lazarus

YARA:

RDPWrap

Link:

https://app.threat.zone/submission/5ad63ab3-d2b8-4097-87f4-f66ead64b0d3

Unpacked files

SH256 hash:

2f33ed67124a2225104726cb59f001e5ff4d78b0d88a650ced997890b515a73b

MD5 hash:

51b15fc8de1a07851f648ffe4362e5ca

SHA1 hash:

b8215e0a97424eff245eaf196ed4fccd154723b6

Link:

https://www.unpac.me/results/364a63ac-d3be-4d26-8bdd-c8d456465dd2/

SH256 hash:

4c19d053751a68b30c045119642964268659bf79bd066046c32ddb875ec339eb

MD5 hash:

b52ac2b928342ee016739834af802beb

SHA1 hash:

1d4d62475d6ab667fdbc68a46177b7ae01c2ddeb

Link:

https://www.unpac.me/results/364a63ac-d3be-4d26-8bdd-c8d456465dd2/

SH256 hash:

798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

MD5 hash:

461ade40b800ae80a40985594e1ac236

SHA1 hash:

b3892eef846c044a2b0785d54a432b3e93a968c8

Detections:

RDPWrap

potential_termserv_dll_replacement

Link:

https://www.unpac.me/results/364a63ac-d3be-4d26-8bdd-c8d456465dd2/

Parent samples :

ac91b2a2db1909a2c166e243391846ad8d9ede2c6fcfd33b60acf599e48f9afc
4aa18745a5fddf7ec14adaff3ad1b4df1b910f4b6710bf55eb27fb3942bb67de
663bb8fd085cf61f0204f2f5a9cbed5c5d1eb08aebbb6dbb47702c328b44c3e2
fc16a364530103595b8d36d6c3e7f00a08bf5783c6860bf63bcdbeb90b6c78f8
f08f77c93c18f55c22c54418b22c4e658d1272f838572a2063796545be6d2015
5c48f798b6580ed54a0d46bffe344ae35e1de3db5530d9e6072a92eee47fafc6

SH256 hash:

861ad4bbf682b35affda23fab92c8db945f3fa34f78177843c87802d1fd02020

MD5 hash:

9c6a68742ea7abf802940e7f1502e20f

SHA1 hash:

54418c9537830772fc5a7a441867829ec533828f

Detections:

RDPWrap

win_infy_auto

RDPWrap

potential_termserv_dll_replacement

Link:

https://www.unpac.me/results/364a63ac-d3be-4d26-8bdd-c8d456465dd2/

Parent samples :

SH256 hash:

63fb201040002775e6ef6f836a8f0f4d94324fc299c0f9bc1f17a97c6bb24552

MD5 hash:

5505592313b74f2e2c8727837750f66d

SHA1 hash:

d0394cf350090ba4fc68c7e12fd806881b0c42e0

Link:

https://www.unpac.me/results/364a63ac-d3be-4d26-8bdd-c8d456465dd2/

SH256 hash:

ac91b2a2db1909a2c166e243391846ad8d9ede2c6fcfd33b60acf599e48f9afc

MD5 hash:

c213162c86bb943bcdf91b3df381d2f6

SHA1 hash:

8ec200e2d836354a62f16cdb3eed4bb760165425

Detections:

RDPWrap

potential_termserv_dll_replacement

Link:

https://www.unpac.me/results/364a63ac-d3be-4d26-8bdd-c8d456465dd2/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ac91b2a2db1909a2c166e243391846ad8d9ede2c6fcfd33b60acf599e48f9afc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	APT_Lazarus_Loader_Dec_2020_1 Create hunting rule
Author:	Arkbird_SOLG
Description:	Detect loader used by Lazarus group in december 2020
Reference:	Internal Research

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Mimikatz_Generic Create hunting rule
Author:	Still
Description:	attempts to match all variants of Mimikatz

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	RDPWrap Create hunting rule
Author:	@bartblaze
Description:	Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:	https://github.com/stascorp/rdpwrap

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe ac91b2a2db1909a2c166e243391846ad8d9ede2c6fcfd33b60acf599e48f9afc

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/3203142/

Delivery method

Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high
CHECK_TRUST_INFO	Requires Elevated Execution (level:requireAdministrator)	high

Reviews

ID	Capabilities	Evidence
SECURITY_BASE_API	Uses Security Base API	advapi32.dll::AdjustTokenPrivileges
WIN32_PROCESS_API	Can Create Process and Threads	kernel32.dll::CreateProcessW kernel32.dll::OpenProcess advapi32.dll::OpenProcessToken kernel32.dll::CloseHandle wininet.dll::InternetCloseHandle
WIN_BASE_API	Uses Win Base API	kernel32.dll::TerminateProcess kernel32.dll::LoadLibraryA kernel32.dll::LoadLibraryExW kernel32.dll::GetSystemInfo kernel32.dll::GetStartupInfoA kernel32.dll::GetDiskFreeSpaceW
WIN_BASE_IO_API	Can Create Files	kernel32.dll::CreateDirectoryW kernel32.dll::CreateFileW kernel32.dll::DeleteFileW kernel32.dll::GetFileAttributesW kernel32.dll::FindFirstFileW kernel32.dll::RemoveDirectoryW
WIN_BASE_USER_API	Retrieves Account Information	advapi32.dll::LookupPrivilegeValueW
WIN_REG_API	Can Manipulate Windows Registry	advapi32.dll::RegConnectRegistryW advapi32.dll::RegCreateKeyExW advapi32.dll::RegDeleteKeyW advapi32.dll::RegLoadKeyW advapi32.dll::RegOpenKeyExW advapi32.dll::RegQueryInfoKeyW
WIN_SVC_API	Can Manipulate Windows Services	advapi32.dll::ChangeServiceConfigW advapi32.dll::OpenSCManagerW advapi32.dll::OpenServiceW advapi32.dll::QueryServiceConfigW advapi32.dll::StartServiceW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample