MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 adc1f57e7c6c1cd13a1d338e56b2cf45f5c019513149d42bd4e68e4667b49ec3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 10
SHA256 hash: adc1f57e7c6c1cd13a1d338e56b2cf45f5c019513149d42bd4e68e4667b49ec3
SHA3-384 hash: 50be89ec054d46e157dfc61cf32de38dcae8b351fe8b1d25d2cfdabc5d42912b69e299332e297d7edfb457a635d5ac9b
SHA1 hash: 802507ea3703a68f7652b1bb78d54dda4365a12a
MD5 hash: 8255b586ebcfefc9c5ee4fa13ecf0343
humanhash: edward-white-wyoming-lactose
File name: adc1f57e7c6c1cd13a1d338e56b2cf45f5c019513149d42bd4e68e4667b49ec3
File size: 7'335'984 bytes
First seen: 2025-03-25 14:29:49 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 9dda1a1d1f8a1d13ae0297b47046b26e (65 x Formbook, 45 x GuLoader, 28 x RemcosRAT)
ssdeep: 196608:kigZQQpR77AR1/HPG0Zz66HSV4kKl4Ciy:kik77AbPPG36o4kKKCiy
TLSH: T1DB76330027E2DFE2F5CA683691BC93360E56931342DDEBEC79056CD4A07B79B4E119E8
TrID:
  47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
  9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
  6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
dhash icon: 2812307131f0b00e
Reporter: JAMESWT_WT
Tags: exe Ftechnics Inc signed

Code Signing Certificate

Organisation: Ftechnics, Inc
Issuer: SSL.com EV Code Signing Intermediate CA RSA R3
Algorithm: sha256WithRSAEncryption
Valid from: 2024-09-05T12:23:27Z
Valid to: 2025-09-14T15:45:36Z
Serial number: 3c16154e4d7de3dce12a0030a213491f
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm: SHA256
Thumbprint: 7a79024ef245ec0fc73482bf140c2b2d755f174e3749febe5ee73a462a84c5aa
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads: 1
# of downloads: 448
Origin country: IT
Vendor Threat Intelligence

Result
Verdict: Malicious
Score: 93.3%
Tags: shellcode emotet virus sage

Result
Verdict: Clean
Maliciousness:
Behaviour
Creating a file in the %temp% directory
Creating a window
Searching for the window
Verdict: Unknown
Threat level: 2.5/10
Confidence: 100%
Tags: adaptive-context installer microsoft_visual_cc overlay packed packed packer_detected signed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: n/a
Detection: malicious
Classification: evad.mine
Score: 42 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph (ID 1648141; sample l7bllBsz8E.exe; start date 25/03/2025; architecture WINDOWS; score 42)
Contacted hosts: www.luckyblock.com; insight.antminimg.com; fg.microsoft.map.fastly.net
Signatures: Antivirus detection for URL or domain; Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; 2 other signatures
Processes started: l7bllBsz8E.exe; svchost.exe; octoward.exe; 8 other processes
l7bllBsz8E.exe dropped: C:\Users\user\AppData\Local\...\nsis7z.dll (PE32); C:\Users\user\AppData\Local\...\nsExec.dll (PE32); C:\Program Files (x86)\...\uninst.exe (PE32); 2 other malicious files
l7bllBsz8E.exe started: lucky Block.exe; octoward.exe; octoward.exe
svchost.exe: Changes security center settings (notifications, updates, antivirus, firewall); started MpCmdRun.exe
octoward.exe: contacted insight.antminimg.com (104.21.16.1, port 443, local ports 49728 and 49756; CLOUDFLARENETUS, United States); started octoward.exe
8 other processes: contacted 127.0.0.1
lucky Block.exe started: msedgewebview2.exe
conhost.exe started by: octoward.exe (two instances); MpCmdRun.exe; octoward.exe
msedgewebview2.exe dropped: C:\...\the-real-index~RF540cf7.TMP (copy), COM; C:\...\the-real-index~RF534f54.TMP (copy), COM; C:\Users\user\...\the-real-index (copy), COM; C:\Users\user\AppData\Roaming\...\temp-index, COM
msedgewebview2.exe started: msedgewebview2.exe (three instances); 6 other processes
msedgewebview2.exe (child) contacted: 104.18.32.192 (port 443, local ports 49727 and 49730; CLOUDFLARENETUS, United States); challenges.cloudflare.com (104.18.94.41, port 443, local port 49737; CLOUDFLARENETUS, United States); 3 other IPs or domains
Threat name: Win32.Trojan.Nemesis
Status: Malicious
First seen: 2024-12-26 09:07:28 UTC
File Type: PE (Exe)
Extracted files: 12
AV detection: 14 of 36 (38.89%)
Threat level: 5/5

Result
Malware family: n/a
Score: 7/10
Tags: defense_evasion discovery trojan
Behaviour
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Checks installed software on the system
Checks whether UAC is enabled
Network Share Discovery
Executes dropped EXE
Loads dropped DLL
Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files
SHA256 hash: adc1f57e7c6c1cd13a1d338e56b2cf45f5c019513149d42bd4e68e4667b49ec3
MD5 hash: 8255b586ebcfefc9c5ee4fa13ecf0343
SHA1 hash: 802507ea3703a68f7652b1bb78d54dda4365a12a

SHA256 hash: 3f47a24d6eeb1203e3325f0b06023e9678df7e860e953925057de17e6c539be4
MD5 hash: fd78a68cb7e9fa26dec0d9d1b2342c72
SHA1 hash: 06d39a9eadc6d4272a5ae2f2ce632de5628d375b

SHA256 hash: b2091205e225fc07daf1101218c64ce62a4690cacac9c3d0644d12e93e4c213c
MD5 hash: d095b082b7c5ba4665d40d9c5042af6d
SHA1 hash: 2220277304af105ca6c56219f56f04e894b28d27

SHA256 hash: b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592
MD5 hash: 80e44ce4895304c6a3a831310fbf8cd0
SHA1 hash: 36bd49ae21c460be5753a904b4501f1abca53508

SHA256 hash: c0948b2ec36a69f82c08935fac4b212238b6792694f009b93b4bdb478c4f26e3
MD5 hash: b4faf654de4284a89eaf7d073e4e1e63
SHA1 hash: 8efcfd1ca648e942cbffd27af429784b7fcf514b

SHA256 hash: 5d9ceb1ce5f35aea5f9e5a0c0edeeec04dfefe0c77890c80c70e98209b58b962
MD5 hash: ec0504e6b8a11d5aad43b296beeb84b2
SHA1 hash: 91b5ce085130c8c7194d66b2439ec9e1c206497c

SHA256 hash: a921cc9cc4af332be96186d60d2539cb413dfa44cfd73e85687f9338505ff85e
MD5 hash: f8b6dd1f9620be4ef2ad1e81fb6b79fa
SHA1 hash: f06c8c8650335bace41c8dbe73307cbe4e61b3b1

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high
CHECK_TRUST_INFO | Requires Elevated Execution (level:requireAdministrator) | high
Reviews
ID | Capabilities | Evidence
COM_BASE_API | Can Download & Execute components | ole32.dll::CoCreateInstance
SECURITY_BASE_API | Uses Security Base API | ADVAPI32.dll::AdjustTokenPrivileges
SHELL_API | Manipulates System Shell | SHELL32.dll::ShellExecuteExW, SHELL32.dll::SHFileOperationW, SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CreateProcessW, ADVAPI32.dll::OpenProcessToken, KERNEL32.dll::CloseHandle, KERNEL32.dll::CreateThread
WIN_BASE_API | Uses Win Base API | KERNEL32.dll::LoadLibraryExW, KERNEL32.dll::GetDiskFreeSpaceW, KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CopyFileW, KERNEL32.dll::CreateDirectoryW, KERNEL32.dll::CreateFileW, KERNEL32.dll::DeleteFileW, KERNEL32.dll::MoveFileW, KERNEL32.dll::MoveFileExW
WIN_BASE_USER_API | Retrieves Account Information | ADVAPI32.dll::LookupPrivilegeValueW
WIN_REG_API | Can Manipulate Windows Registry | ADVAPI32.dll::RegCreateKeyExW, ADVAPI32.dll::RegDeleteKeyW, ADVAPI32.dll::RegOpenKeyExW, ADVAPI32.dll::RegQueryValueExW, ADVAPI32.dll::RegSetValueExW
WIN_USER_API | Performs GUI Actions | USER32.dll::AppendMenuW, USER32.dll::EmptyClipboard, USER32.dll::FindWindowExW, USER32.dll::OpenClipboard, USER32.dll::PeekMessageW, USER32.dll::CreateWindowExW

Comments