MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bac17a64fdf5cb62e16e053919f01b724dc3abbf1bc0e33e20a8f0cbdc7e0fc0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 11

Intelligence 11 IOCs YARA 14 File information Comments

SHA256 hash:	bac17a64fdf5cb62e16e053919f01b724dc3abbf1bc0e33e20a8f0cbdc7e0fc0
SHA3-384 hash:	8b025f074739778fa897be89a8163c6c9187edb278d6ff63dafab9bca5a16662444029afb06da8250e4655ab9c327b66
SHA1 hash:	0b2c8007a42fab9d50b46325caeb08b687cb04c8
MD5 hash:	73b80a68c704e6e1f91595db16205501
humanhash:	shade-diet-nineteen-thirteen
File name:	73b80a68c704e6e1f91595db16205501.exe
Download:	download sample
File size:	3'170'304 bytes
First seen:	2024-12-29 08:10:16 UTC
Last seen:	2025-02-26 00:17:01 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	4cd5619633296a8e205c54abbe90ee8d
ssdeep	49152:GEjSL635tBXj4PmzQMR9Ica/c6WwQ2Qkq0wjbJZWJvqU4SfV2AM4pqnigA:zS235t94T0I9/caHTwoz4Eg4pH
TLSH	T1D3E5E102B68641F2D51216B008B7173AFA359E524B218BC3F79CFE795F722A1D73624E
TrID	37.4% (.CPL) Windows Control Panel Item (generic) (57583/11/19) 17.5% (.EXE) UPX compressed Win32 Executable (27066/9/6) 17.2% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4) 10.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 6.8% (.EXE) Win64 Executable (generic) (10522/11/4)
Magika	pebin
File icon (PE):
dhash icon	a261bae8d2a896ca (39 x Blackmoon, 9 x Gh0stRAT, 3 x CobaltStrike)
Reporter	abuse_ch
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

417

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

73b80a68c704e6e1f91595db16205501.exe

Verdict:

No threats detected

Analysis date:

2024-12-29 08:17:58 UTC

Tags:

upx

Link:

https://app.any.run/tasks/217f0eef-8b16-4e2e-98f4-2a88879edbcb

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.W32.Agent.NNJU-2136.UNOFFICIAL

Win.Malware.Generic-10032482-0

Win.Malware.Onlinegames-10033352-0

Win.Malware.Flystudio-10035594-0

Win.Malware.Flystudio-10035600-0

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6771041875fb913a14790e32

Tags:

flystudio shellcode injection virus

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Creating a window

Searching for synchronization primitives

Creating a file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

adaptive-context hacktool keylogger microsoft_visual_cc overlay packed packed packer_detected

Link:

https://www.filescan.io/uploads/6771041bd986a2005f8de4f4/reports/f6bca558-e1ab-4124-a8b7-c9c6b9300873/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/bac17a64fdf5cb62e16e053919f01b724dc3abbf1bc0e33e20a8f0cbdc7e0fc0

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/00ebfb4e-6cf9-42b8-83a4-e3aad0aa8555

Result

Threat name:

n/a

Detection:

malicious

Classification:

evad

Score:

60 / 100

Link:

https://www.joesandbox.com/analysis/1581897

Signature

AI detected suspicious sample

Contains functionality to detect sleep reduction / modifications

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/bac17a64fdf5cb62e16e053919f01b724dc3abbf1bc0e33e20a8f0cbdc7e0fc0

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/bac17a64fdf5cb62e16e053919f01b724dc3abbf1bc0e33e20a8f0cbdc7e0fc0/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xlaxuzh56xfwfyloau4rt4a3ojg4hk57dpaogpravdymxxd6b7aa._file

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery upx

Link:

https://tria.ge/reports/241229-j29nwsxkd1/

Behaviour

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

System Location Discovery: System Language Discovery

UPX packed file

ACProtect 1.3x - 1.4x DLL software

Loads dropped DLL

Verdict:

Malicious

Tags:

red_team_tool Win.Malware.Generic-10032482-0

YARA:

Chinese_Hacktool_1014

Link:

https://app.threat.zone/submission/4fdfb8ac-74b2-45a2-8bd7-0306d5da4bcb

Unpacked files

SH256 hash:

232d03183b42ee055c690cf7f96460d749a50a902a40a94db08120c150734799

MD5 hash:

6f056e44afeab6f4e128d965849c9fbf

SHA1 hash:

2806bf85ea1598a3bd2d41d611a959501881c971

Link:

https://www.unpac.me/results/6740f29b-7cf9-40ab-ad07-bf0a94f5b881/

SH256 hash:

59f1ca15f7bd32480574da26742c49e1bb0931c4966413ce01236a1f6ff73f00

MD5 hash:

b835cd5c51dde39cff4ee260eaaf0e3b

SHA1 hash:

bf9db026dfd0d56703d97430f2770dcabfb0f947

Link:

https://www.unpac.me/results/6740f29b-7cf9-40ab-ad07-bf0a94f5b881/

SH256 hash:

bac17a64fdf5cb62e16e053919f01b724dc3abbf1bc0e33e20a8f0cbdc7e0fc0

MD5 hash:

73b80a68c704e6e1f91595db16205501

SHA1 hash:

0b2c8007a42fab9d50b46325caeb08b687cb04c8

Link:

https://www.unpac.me/results/6740f29b-7cf9-40ab-ad07-bf0a94f5b881/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/bac17a64fdf5/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/bac17a64fdf5cb62e16e053919f01b724dc3abbf1bc0e33e20a8f0cbdc7e0fc0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Chinese_Hacktool_1014 Create hunting rule
Author:	Florian Roth
Description:	Detects a chinese hacktool with unknown use

Rule name:	Chinese_Hacktool_1014 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects a chinese hacktool with unknown use

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	Hacktools_CN_Panda_andrew Create hunting rule
Author:	Florian Roth
Description:	Disclosed hacktool set - file andrew.exe - sethc.exe Debugger backdoor

Rule name:	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA Create hunting rule
Author:	ditekSHen
Description:	Detects Windows executables referencing non-Windows User-Agents

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	RansomPyShield_Antiransomware Create hunting rule
Author:	XiAnzheng
Description:	Check for Suspicious String and Import combination that Ransomware mostly abuse(can create FP)

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	reverse_http Create hunting rule
Author:	CD_R0M_
Description:	Identify strings with http reversed (ptth)

Rule name:	SHA512_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA384/SHA512 constants

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser Create hunting rule
Author:	malware-lu

Rule name:	without_attachments Create hunting rule
Author:	Antonio Sanchez <asanchez@hispasec.com>
Description:	Rule to detect the no presence of any attachment
Reference:	http://laboratorio.blogs.hispasec.com/

Rule name:	with_urls Create hunting rule
Author:	Antonio Sanchez <asanchez@hispasec.com>
Description:	Rule to detect the presence of an or several urls
Reference:	http://laboratorio.blogs.hispasec.com/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe bac17a64fdf5cb62e16e053919f01b724dc3abbf1bc0e33e20a8f0cbdc7e0fc0

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/3380469/

Delivery method

Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
COM_BASE_API	Can Download & Execute components	ole32.dll::CLSIDFromProgID ole32.dll::CoCreateInstance
MULTIMEDIA_API	Can Play Multimedia	AVIFIL32.dll::AVIStreamGetFrame AVIFIL32.dll::AVIStreamInfoA MSVFW32.dll::DrawDibDraw WINMM.dll::midiOutPrepareHeader WINMM.dll::midiOutReset WINMM.dll::midiOutUnprepareHeader
RAS_API	Uses Remote Access	RASAPI32.dll::RasGetConnectStatusA RASAPI32.dll::RasHangUpA
SHELL_API	Manipulates System Shell	SHELL32.dll::ShellExecuteA
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CloseHandle WININET.dll::InternetCloseHandle KERNEL32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryA KERNEL32.dll::GetVolumeInformationA KERNEL32.dll::GetSystemInfo KERNEL32.dll::GetStartupInfoA KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::WinExec KERNEL32.dll::SetStdHandle
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CreateFileA KERNEL32.dll::GetSystemDirectoryA KERNEL32.dll::GetFileAttributesA KERNEL32.dll::FindFirstFileA
WIN_REG_API	Can Manipulate Windows Registry	ADVAPI32.dll::RegCreateKeyExA ADVAPI32.dll::RegOpenKeyA ADVAPI32.dll::RegOpenKeyExA ADVAPI32.dll::RegQueryValueA ADVAPI32.dll::RegQueryValueExA ADVAPI32.dll::RegSetValueExA
WIN_USER_API	Performs GUI Actions	USER32.dll::AppendMenuA USER32.dll::CreateMenu USER32.dll::EmptyClipboard USER32.dll::OpenClipboard USER32.dll::PeekMessageA USER32.dll::CreateWindowExA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample