MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ba8e9358ed6bf5b3f2a976850ed3fdccd00ceee0f50a09008b7a957c7c8e2415. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 12



SHA256 hash: ba8e9358ed6bf5b3f2a976850ed3fdccd00ceee0f50a09008b7a957c7c8e2415
SHA3-384 hash: 4a47ce6b9f35c13828c4b2355b90b00aee26131567f0ce3aaddacf94a69844d54689e3797b2fb6a7bf720f1cfe7fec82
SHA1 hash: 0338bea6fc05b36e42cc509d18f955c2636c4214
MD5 hash: e1625dbc1f61e1e2a91d876c7217f0e9
humanhash: enemy-fillet-ceiling-tennessee
File name: updx-v2.5.23-setup.exe
Download: download sample
File size: 3'072'792 bytes
First seen: 2023-04-05 19:59:17 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: e569e6f445d32ba23766ad67d1e3787f (259 x Adware.Generic, 41 x RecordBreaker, 24 x RedLineStealer)
ssdeep: 49152:cBuZrEUK79XySTSMa+nLb7hr+UpMhd55DdN7POGjS:ikLUXySTLa+n37hqEMhd55ljS
Threatray: 249 similar samples on MalwareBazaar
TLSH: T1C6E5F13FF268A53EC5AA1B3145738210997BBA61781A8C1E47FC384DCF729601F3B656
TrID: 49.7% (.EXE) Inno Setup installer (109740/4/30)
19.5% (.EXE) InstallShield setup (43053/19/16)
18.8% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
4.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.0% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 5050d270cccc82ae (109 x Adware.Generic, 43 x LummaStealer, 42 x OffLoader)
Reporter: jw4lsec
Tags: agentb BazarLoader exe signed vsntai23

Code Signing Certificate

Organisation: APTX Updater Software
Issuer: APTX Updater Software
Algorithm: sha256WithRSAEncryption
Valid from: 2022-12-20T21:35:45Z
Valid to: 2032-12-17T21:35:45Z
Serial number: 6fb2ec80ba1dad984ad3427195d71f0f88bc7331
Thumbprint Algorithm: SHA256
Thumbprint: e4db55476e21dc602524a54cc6568e34f646e9322a795ab128af09d21dcb837f
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Comment by jw4lsec: Dropped by ducktail PHP variant

Intelligence


File Origin
# of uploads: 1
# of downloads: 330
Origin country: US
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: updx-v2.5.23-setup.exe.vir
Verdict: Malicious activity
Analysis date: 2023-01-30 13:00:04 UTC
Tags: installer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating synchronization primitives
Searching for synchronization primitives
Searching for the window
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Sending a custom TCP request
DNS request
Creating a file
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
MalwareBazaar
CheckNumberOfProcessor
CheckCmdLine
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: bazarloader installer overlay packed setupapi.dll shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: troj.evad
Score: 76 / 100
Signature
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Obfuscated command line found
Yara detected Generic Downloader
Behaviour
Behavior Graph: ID 794353, sample updx-v2.5.23-setup.exe, start date 30/01/2023, architecture WINDOWS, score 76 (rendered graph not reproduced)
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2022-12-21 09:39:44 UTC
File Type: PE (Exe)
Extracted files: 203
AV detection: 9 of 37 (24.32%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Unpacked files
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: PE_Digital_Certificate
Author: albertzsigovits
Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits
Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Other

Comments