MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b92419fed9d1c40328157fd0e937a1c891138590d4857de113c052b3148a0f8f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Socelars


Vendor detections: 11


SHA256 hash: b92419fed9d1c40328157fd0e937a1c891138590d4857de113c052b3148a0f8f
SHA3-384 hash: 2d77d3093ad4af3e5f2abede6ebdbe952266ebef7bf739079c1e0b936d446295c6832b0433e317702bd151501a93bcd7
SHA1 hash: 77340a75abaea4f7c215670b76f813222d892a22
MD5 hash: 5417b1ca4da061fc9bb034627fbbda40
humanhash: quebec-charlie-harry-connecticut
File name: 5417b1ca4da061fc9bb034627fbbda40
Signature: Socelars
File size: 817'664 bytes
First seen: 2022-10-04 04:52:27 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'854 x Amadey, 290 x Smoke Loader)
ssdeep: 12288:YS7MFtdtT7/0jaLlwUoZvWZRDg3OWctlMVd/eAWqL0sJ4xy72TOOkLVBne5k:mXcjaLlRRqFcnMNWsz77Ln
TLSH: T14D0512C355C54523EA3627B044FF098231337D922879A24E6699FCDC1AF3365A173BAB
TrID:
  71.0% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
  11.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
  3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
  2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
dhash icon: f88692b2a2b69ec4 (1 x Socelars)
Reporter: zbetcheckin
Tags: 32, exe, Socelars

Intelligence


File Origin
# of uploads: 1
# of downloads: 236
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: http://171.22.30.79/files/HD1.exe
Verdict: Malicious activity
Analysis date: 2022-10-04 20:18:33 UTC
Tags: opendir loader

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Creating a process with a hidden window
Running batch commands
Launching cmd.exe command interpreter
Launching a process
Using the Windows Management Instrumentation requests
Moving a file to the %temp% subdirectory
Creating a process from a recently created file
DNS request
Launching the process to create tasks for the scheduler
Unauthorized injection to a recently created process
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionQueryPerformanceCounter
EvasionGetTickCount
Gathering data
Result
Verdict: MALICIOUS
Details
Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: ManusCrypt, Socelars
Detection: malicious
Classification: troj.evad.phis.bank.spyw.expl.mine
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Creates processes via WMI
Detected unpacking (creates a PE file in dynamic memory)
Detected VMProtect packer
DLL reload attack detected
Drops PE files to the document folder of the user
Drops PE files with a suspicious file extension
Found API chain indicative of sandbox detection
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Installs new ROOT certificates
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Overwrites Mozilla Firefox settings
PE file has a writeable .text section
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Renames NTDLL to bypass HIPS
Sets a auto configuration URL for Internet Explorer (IE settings are enforced automatically)
Sets debug register (to hijack the execution of another thread)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected ManusCrypt
Yara detected Socelars
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph (ID 715502). Sample: l39HA25qjw.exe; Start date: 04/10/2022; Architecture: WINDOWS; Score: 100.

Root (sample start)
  Network: www.savesucpnys.xyz; www.mxnzvc.xyz; 11 other IPs or domains
  Signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 15 other signatures
  Started: l39HA25qjw.exe; rundll32.exe; rundll32.exe; 3 other processes

l39HA25qjw.exe
  Signatures: Uses schtasks.exe or at.exe to add and modify task schedules
  Started: cmd.exe; at.exe
    cmd.exe
      Signatures: Obfuscated command line found; Uses ping.exe to sleep; Drops PE files with a suspicious file extension; Uses ping.exe to check the status of other devices and networks
      Started: cmd.exe; conhost.exe; PING.EXE
        cmd.exe
          Dropped: C:\Users\user\AppData\Local\...\Fuck.exe.pif (PE32)
          Signatures: Obfuscated command line found; Uses ping.exe to sleep
          Started: Fuck.exe.pif; tasklist.exe; tasklist.exe; 4 other processes
            Fuck.exe.pif
              Dropped: C:\Users\user\AppData\...\fwrhglUiBb.dll (PE32)
              Signatures: DLL reload attack detected; Detected unpacking (creates a PE file in dynamic memory); Found API chain indicative of sandbox detection; 2 other signatures
              Started: Fuck.exe.pif (two instances)
                Fuck.exe.pif
                  Network: www.savesucpnys.xyz 207.180.199.60 (CONTABODE, Germany); www.mxnzvc.xyz 103.136.42.153, 49843, 8888 (AGPL-AS-APApeironGlobalPvtLtdIN, India); 8 other IPs or domains
                  Dropped: C:\Users\user\AppData\Local\Temp\...\MpVMRr (PE32); C:\Users\user\AppData\Local\Temp\...\FagLhQ (PE32); C:\Users\user\AppData\Local\Temp\...\WyFBnl (PE32+); 10 other malicious files
                  Started: FagLhQ; EfRhfn; WyFBnl; 2 other processes
                    FagLhQ
                      Dropped: C:\Users\user\AppData\Local\...\FagLhQ.tmp (PE32)
                      Signatures: Multi AV Scanner detection for dropped file; Obfuscated command line found
                      Started: FagLhQ.tmp
                        FagLhQ.tmp
                          Network: d2l7sw81k13yby.cloudfront.net 13.32.99.56, 443, 49838 (AMAZON-02US, United States); aka.ms 23.79.157.152, 443, 49839 (AKAMAI-ASUS, United States)
                          Dropped: C:\Users\user\...\xmrBridge.dll (copy) (PE32+); C:\Users\user\...\unins000.exe (copy) (PE32); C:\Users\user\...\nvrtc64_100_0.dll (copy) (PE32+); 31 other files (30 malicious)
                    EfRhfn
                      Dropped: C:\Users\user\Documents\...fRhfn.exe (PE32)
                      Signatures: Drops PE files to the document folder of the user; Machine Learning detection for dropped file
                      Started: WerFault.exe
                    WyFBnl
                      Signatures: Antivirus detection for dropped file
                      Started: WerFault.exe
                    2 other processes
                      Network: 148.251.234.83 (HETZNER-ASDE, Germany); 149.28.253.196 (AS-CHOOPAUS, United States)
                      Dropped: C:\Users\user\AppData\Local\Temp\db.dll (PE32)
                      Signatures: Creates processes via WMI
                      Started: conhost.exe
    at.exe
      Started: conhost.exe

rundll32.exe
  Started: rundll32.exe
    rundll32.exe
      Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)
      Injected into: svchost.exe; svchost.exe
        svchost.exe
          Signatures: Sets debug register (to hijack the execution of another thread); Modifies the context of a thread in another process (thread injection)
          Started: svchost.exe
            svchost.exe
              Network: g.agametog.com 34.142.181.181 (ATGS-MMD-ASUS, United States); 208.95.112.1 (TUT-ASUS, United States); 104.21.34.132 (CLOUDFLARENETUS, United States)
              Dropped: C:\Users\user\AppData\...\cookies.sqlite.db (SQLite); C:\Users\user\AppData\Local\...\Login Data.db (SQLite, two instances); C:\Users\user\AppData\Local\...\Cookies.db (SQLite)
              Signatures: Query firmware table information (likely to detect VMs); Installs new ROOT certificates; Sets a auto configuration URL for Internet Explorer (IE settings are enforced automatically); 2 other signatures

rundll32.exe
  Started: vc_redist.x64.exe
    vc_redist.x64.exe
      Dropped: C:\Windows\Temp\...\vc_redist.x64.exe (PE32)
      Started: vc_redist.x64.exe
        vc_redist.x64.exe
          Dropped: C:\Windows\Temp\...\VC_redist.x64.exe (PE32); C:\Windows\Temp\...\wixstdba.dll (PE32)
          Started: VC_redist.x64.exe
            VC_redist.x64.exe
              Dropped: C:\ProgramData\...\VC_redist.x64.exe (PE32)

3 other processes
  Started: WerFault.exe (three instances)
Threat name: Win32.Trojan.Tiggre
Status: Malicious
First seen: 2022-10-03 14:31:42 UTC
File Type: PE (Exe)
Extracted files: 23
AV detection: 15 of 26 (57.69%)
Threat level: 5/5
Verdict: malicious
Result
Malware family: n/a
Score: 8/10
Tags: persistence
Behaviour
Enumerates processes with tasklist
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Unpacked files
SHA256 hash: 6dc625149ea24ccbf732c146eca0f40a43780adf22306709c125b55c6483b1fe
MD5 hash: 57ccf8ab55ddb1f6f00a3c0e2d4e3780
SHA1 hash: 7a6ee2c9a504bfc2893be46d072932b3c22226a5
SHA256 hash: b92419fed9d1c40328157fd0e937a1c891138590d4857de113c052b3148a0f8f
MD5 hash: 5417b1ca4da061fc9bb034627fbbda40
SHA1 hash: 77340a75abaea4f7c215670b76f813222d892a22
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
  Socelars
  Executable exe b92419fed9d1c40328157fd0e937a1c891138590d4857de113c052b3148a0f8f (this sample)

Delivery method: Distributed via web download

Comments



zbet commented on 2022-10-04 04:52:32 UTC

URL: hxxp://171.22.30.79/files/HD1.exe