MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 acea947d605b138a64a02f3577998666a42b5e985dbebba7f6a4f0a116f4bc32. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 11

Intelligence 11 IOCs YARA 2 File information Comments

SHA256 hash:	acea947d605b138a64a02f3577998666a42b5e985dbebba7f6a4f0a116f4bc32
SHA3-384 hash:	be2e756864e41348ab2eb4241c18d7015eb7732edda951d7fbdbb0c3229852c91aa2739fefd1910cde5aebcc330bc154
SHA1 hash:	fc64e7816f1edf51ab0c01ce590d196128b6bb92
MD5 hash:	61d401b2ba41f8bdc57182043c826eea
humanhash:	august-spaghetti-queen-kansas
File name:	61d401b2ba41f8bdc57182043c826eea.exe
Download:	download sample
File size:	179'200 bytes
First seen:	2025-02-06 15:50:47 UTC
Last seen:	2025-02-06 17:02:22 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	b9d5e6231a729f64685d981b20518bd0
ssdeep	3072:6GO4uWRgu9bELjrW2a/lXlvMZ4Iu8oq+zK3+wYlhqTgyZ:bXuMgm4Lm22lXFMZ5l+wB8y
TLSH	T1DA048C2135C0C0B2D1B3027149B8AB629ABDFD714BB2165F27D85EDE1F745D0AB293A3
TrID	46.6% (.CPL) Windows Control Panel Item (generic) (57583/11/19) 25.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 8.5% (.EXE) Win64 Executable (generic) (10522/11/4) 5.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika	pebin
Reporter	abuse_ch
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

465

Origin country :

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Trojan.MulDrop29.3992.24061.13256.UNOFFICIAL

Verdict:

Clean

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67a4dc6d2dcee78dd819d304

Tags:

n/a

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Creating a file

Enabling the 'hidden' option for recently created files

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Enabling a "Do not show hidden files" option

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

fingerprint microsoft_visual_cc obfuscated

Link:

https://www.filescan.io/uploads/67a4da756c9b889537f8a902/reports/ffcef129-e00d-494f-b25b-9644ca75f900/overview

Verdict:

Malicious

Labled as:

Zusy.Generic

Link:

https://www.hybrid-analysis.com/sample/acea947d605b138a64a02f3577998666a42b5e985dbebba7f6a4f0a116f4bc32

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/367f935b-d5cc-49b3-9ad2-b6d092364da1

Result

Threat name:

n/a

Detection:

malicious

Classification:

evad

Score:

72 / 100

Link:

https://www.joesandbox.com/analysis/1608530

Signature

Changes the view of files in windows explorer (hidden files and folders)

Found API chain indicative of debugger detection

Found evasive API chain (may stop execution after checking mutex)

Joe Sandbox ML detected suspicious sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Score:

97%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/acea947d605b138a64a02f3577998666a42b5e985dbebba7f6a4f0a116f4bc32

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/acea947d605b138a64a02f3577998666a42b5e985dbebba7f6a4f0a116f4bc32/

Threat name:

Win32.Infostealer.Tinba

Status:

Malicious

First seen:

2025-02-06 15:51:16 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 38 (52.63%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vtvji7lalmjyuzfaf42xpgmgm2scwxuylw7lxj7wutykcfxuxqza._file

Result

Malware family:

n/a

Score:

6/10

Tags:

discovery persistence

Link:

https://tria.ge/reports/250206-tak7bszjat/

Behaviour

System Location Discovery: System Language Discovery

Adds Run key to start application

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/201b1d74-24fb-4fd0-a347-5ddef92f24eb

Unpacked files

SH256 hash:

acea947d605b138a64a02f3577998666a42b5e985dbebba7f6a4f0a116f4bc32

MD5 hash:

61d401b2ba41f8bdc57182043c826eea

SHA1 hash:

fc64e7816f1edf51ab0c01ce590d196128b6bb92

Link:

https://www.unpac.me/results/a1a44f87-36db-4efa-bf3d-0a3fc9f6c968/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/acea947d605b138a64a02f3577998666a42b5e985dbebba7f6a4f0a116f4bc32

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe acea947d605b138a64a02f3577998666a42b5e985dbebba7f6a4f0a116f4bc32

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/3423155/

Delivery method

Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Reviews

ID	Capabilities	Evidence
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CloseHandle KERNEL32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryA KERNEL32.dll::LoadLibraryExW KERNEL32.dll::LoadLibraryW KERNEL32.dll::GetStartupInfoW KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::WriteConsoleW KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleCP KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CopyFileW KERNEL32.dll::CreateDirectoryW KERNEL32.dll::CreateFileW
WIN_REG_API	Can Manipulate Windows Registry	ADVAPI32.dll::RegOpenKeyExA ADVAPI32.dll::RegOpenKeyExW ADVAPI32.dll::RegSetValueExW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample