MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b68bf709ac86ed32664e0e2ddd27da386281480979860e95240ced16f50fd926. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 8



SHA256 hash: b68bf709ac86ed32664e0e2ddd27da386281480979860e95240ced16f50fd926
SHA3-384 hash: 28049b0add581919ccb88088e76f5b149b0da9bcd00b5657b52d0b0f53dfd9a791ac3390b96ca0d589848479d6c3a98c
SHA1 hash: 5a43d2e4314e32572d6399ec61175f42af567822
MD5 hash: 99f74d2572735bbacb8251a73e9cb312
humanhash: early-beer-single-summer
File name: SecuriteInfo.com.Trojan.MulDrop26.56882.6817.6147
File size: 2'995'928 bytes
First seen: 2024-05-05 12:31:19 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 0ae9e38912ff6bd742a1b9e5c003576a (10 x DCRat, 7 x RedLineStealer, 4 x AsyncRAT)
ssdeep: 49152:vILFsMqFOlvutlmPtjMwI6osgyxod2NTtrnDz2mu+Re8dVq1OTLsGG:vuYFuUoPtjPI6ngUSchf2rXZOPY
TLSH: T1C3D52302BBC586B3E61329334B604B25893CBD206F255CE767F96A0FEF631C19235796
TrID:
  89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
  3.5% (.EXE) Win64 Executable (generic) (10523/12/4)
  2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
  1.5% (.EXE) Win32 Executable (generic) (4504/4/1)
dhash icon: 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter: SecuriteInfoCom
Tags: exe signed

Code Signing Certificate

Organisation: Bitsum LLC
Issuer: DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Algorithm: sha256WithRSAEncryption
Valid from: 2023-02-07T00:00:00Z
Valid to: 2025-03-08T23:59:59Z
Serial number: 0b494d7df02097107b9065025133fe92
Intelligence: 27 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm: SHA256
Thumbprint: b309179e6516e33d374264683b0751db5f23b09e625ff0b6a4163df28051d08c
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 1
# of downloads: 537
Origin country: FR
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: b68bf709ac86ed32664e0e2ddd27da386281480979860e95240ced16f50fd926.exe
Verdict: Malicious activity
Analysis date: 2024-05-05 12:33:10 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Searching for the window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file
Creating a process from a recently created file
Enabling autorun by creating a file
Result
Threat name: n/a
Detection: suspicious
Classification: evad
Score: 31 / 100
Signature: Found direct / indirect Syscall (likely to bypass EDR)
Behaviour
Behavior Graph (ID: 1436481; sample: SecuriteInfo.com.Trojan.Mul...; start date: 05/05/2024; architecture: WINDOWS; score: 31):
SecuriteInfo.com.Trojan.MulDrop26.56882.6817.6147.exe (started)
  dropped: C:\Users\user\...\bitsumsessionagent.exe (PE32+)
  dropped: C:\Users\user\Desktop\ProcessLasso.exe (PE32+)
  dropped: C:\Users\user\Desktop\vistammsc.exe (PE32+)
  dropped: 27 other files (none is malicious)
  started: PostUpdate.exe
    dropped: C:\Users\user\Desktop\QuickUpgrade.exe (PE32+)
    started: ProcessLasso.exe
      signature: Found direct / indirect Syscall (likely to bypass EDR)
      started: chrome.exe (3 instances) and 12 other processes
        chrome.exe contacted: 192.168.2.4 (unknown), 239.255.255.250 (Reserved)
        child chrome.exe instances (plus 9 other processes) contacted:
          www.google.com 142.251.111.104 GOOGLEUS United States
          stats.g.doubleclick.net 142.251.111.154 GOOGLEUS United States
          17 other IPs or domains
bitsumsessionagent.exe (started, 2 instances)
  signature (one instance): Found direct / indirect Syscall (likely to bypass EDR)
Verdict: unknown
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
Checks processor information in registry
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Unpacked files
SHA256 hash: fe64c09a3465bae4879b4cf21b1705c7adb9d94f6cb1fbb53a34c3a73efa8efa
MD5 hash: cf4379af7ba29a857f9097cc29592c6e
SHA1 hash: 79541209871cd0b7019fdf82a49e9b9df7eb1660
SHA256 hash: e0c7cfc3f55d0fda0b055d86d7e1455c1601a2f2ad83f206edd06de2b1828705
MD5 hash: f0b00ca102ac015bc0c5d4ad3be0a628
SHA1 hash: 0fabb020edfb8c7d9a8ea5f41d412ad186bf410a
SHA256 hash: cd5500ec707405eb15705db6a48c12d8f8308078b0c1d068f54b1d4a23d9efd7
MD5 hash: 14b4dcc0b2f86edd7e1005e17fa73bf3
SHA1 hash: bf16db9f9e8e362b8c0829f005fbcdb4def950d2
SHA256 hash: bba475623c91f16568d01ff9304e41b37149b90fb66e47b400276b0c5d58f48a
MD5 hash: 8020a9a51f2c7c203c6503617f17d6f4
SHA1 hash: 88f3a618207b3dd5931b968aeeb0f2ebcc142ff7
SHA256 hash: ad417f208cb882adc1b38401bcda4c831350718eb3b69ce561188ece228a8b8d
MD5 hash: d7c84d4500fd024d18cf8b796c54fc02
SHA1 hash: 5d205226af2168f35f7280b8f274d6a9037399f1
SHA256 hash: 9aa43be1985de256ebf3dfa3a831888d31510889c2667365d42714d3d471bf66
MD5 hash: 9e19cf161188eadb4ab6b543d98328b0
SHA1 hash: 1a56d0f466c09e9d68a33762f701cd956bbac533
SHA256 hash: 8103858e4fa238886ea2963e38f6884d0397b87bdcc00be092227d205a9e0400
MD5 hash: 98d32ef6e5a609b0e91502b4d0dfc661
SHA1 hash: d345a144865ec2dc984e1060e2f22230bf39d88c
SHA256 hash: 75181c57ba04195b8c3d579dfa3bae2a5fecfecf866854d928b7f2a520e38029
MD5 hash: 62b49f7bdbcabf07705e6456a44ae0ea
SHA1 hash: 344389c2df52871bb3b9c02ee5f8480c8b1e2650
SHA256 hash: 735a72817e779017b8ffd79dd8412e561e9bd28ec421c0b111ac076f3176c3f6
MD5 hash: 51245584901a842663c44dde092e6edf
SHA1 hash: bea0163aefd438ca341cd09061655bc3f9dc7e8c
SHA256 hash: 6922e78423aab1347a74f625ae694c0a3a0c55ebce89392e28cebcd54c0f26a5
MD5 hash: f1f7838224674be14f8602d7a8bb19ab
SHA1 hash: fe767102dbdc83d80b9eb4071e57f0eb3a353928
SHA256 hash: 58f37dd687e5788739e89d9407c7235c4caebdfa6498cc4ff5a9ee76dfde08cf
MD5 hash: 6a7e0d871ad3c4f4b7f0bd5addd65e86
SHA1 hash: eb02fe34bee6eb1db17671e44139c6ed1759d33d
SHA256 hash: 4225d7fa5661c8ce20de72ef4aad92c36e4e929ed2080fbe57a01d1167acf5cc
MD5 hash: a2e9d766300624f173b676861ad3d3bf
SHA1 hash: ff7fb970d883dfce982d0595d34814205f9aff0d
SHA256 hash: 23b8c7f4a816b4c0a0c119c21cf60e9b7bf104a86f0fd13c53fa8ef220bfc307
MD5 hash: 8241439f6bfb3e40e71f23a77d06ad63
SHA1 hash: a942bae522bdbc69d5dadc80ea8e9eeea30074d2
SHA256 hash: 18edc8d5ae5aecd2f38dbea8923ee9c1ae986b103eb9d3aafe791590e7c0d942
MD5 hash: b6040cb259f024126e171b8c9bd0316d
SHA1 hash: 850669ef5edefa1e2561c906788df1f841ae0d47
SHA256 hash: 0d5cfcdaaf8c50ab4ecf55d8e716aee561dc09e0a08f316e13efc45edc404efa
MD5 hash: 9ad220ebcc5887380fe04a734f725038
SHA1 hash: 297335608c6af9ae4d8ae8844dbc878ff49bf75b
SHA256 hash: 056656316fe240f4e3cb645a11f2836d955f4a79894b046607730c31e39b1b9a
MD5 hash: 8c7fb3d9a81fbf761860a2da18db52e7
SHA1 hash: c4172e49067b3c59af83aae2727df54fc1326b54
SHA256 hash: b68bf709ac86ed32664e0e2ddd27da386281480979860e95240ced16f50fd926
MD5 hash: 99f74d2572735bbacb8251a73e9cb312
SHA1 hash: 5a43d2e4314e32572d6399ec61175f42af567822
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits

Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants

Rule name: SelfExtractingRAR
Author: Xavier Mertens
Description: Detects an SFX archive with automatic script execution

Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
ID: CHECK_DLL_CHARACTERISTICS
Title: Missing dll Security Characteristics (HIGH_ENTROPY_VA)
Severity: high

Reviews
ID: GDI_PLUS_API
Capabilities: Interfaces with Graphics
Evidence: gdiplus.dll::GdiplusStartup, gdiplus.dll::GdiplusShutdown, gdiplus.dll::GdipAlloc

ID: WIN32_PROCESS_API
Capabilities: Can Create Process and Threads
Evidence: KERNEL32.dll::CloseHandle, KERNEL32.dll::CreateThread

ID: WIN_BASE_API
Capabilities: Uses Win Base API
Evidence: KERNEL32.dll::TerminateProcess, KERNEL32.dll::LoadLibraryW, KERNEL32.dll::LoadLibraryExA, KERNEL32.dll::LoadLibraryExW, KERNEL32.dll::GetSystemInfo, KERNEL32.dll::GetStartupInfoW

ID: WIN_BASE_EXEC_API
Capabilities: Can Execute other programs
Evidence: KERNEL32.dll::AllocConsole, KERNEL32.dll::AttachConsole, KERNEL32.dll::WriteConsoleW, KERNEL32.dll::FreeConsole, KERNEL32.dll::SetStdHandle, KERNEL32.dll::GetConsoleMode, KERNEL32.dll::GetConsoleCP

ID: WIN_BASE_IO_API
Capabilities: Can Create Files
Evidence: KERNEL32.dll::CreateDirectoryW, KERNEL32.dll::CreateHardLinkW, KERNEL32.dll::CreateFileW, KERNEL32.dll::CreateFileMappingW, KERNEL32.dll::DeleteFileW, KERNEL32.dll::MoveFileW, KERNEL32.dll::MoveFileExW

Comments