MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bbf19ab2cea14f070e7462babcc0f86ee9499ac0e971f70471386e43cf11cdd0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 12


Intelligence 12 IOCs YARA 18 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bbf19ab2cea14f070e7462babcc0f86ee9499ac0e971f70471386e43cf11cdd0
SHA3-384 hash: 7133e437bd5758c81895033f23c4bc6f469ff9e0553bb21fe8917e3c8d756846aaafb5d4dcd016642a982d8a93c846a9
SHA1 hash: 25a1e189231ff7b4c660ddb2bec4e57bbee61ef8
MD5 hash: f3b37711b4fdccff04ac73db511e6c97
humanhash: finch-fix-monkey-oregon
File name:Install.exe
Download: download sample
File size:166'912 bytes
First seen:2025-02-23 16:07:39 UTC
Last seen:2025-03-04 03:12:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4a38b8722fee325fc3f6a86590c2be8a
ssdeep 3072:pQpspNSEHxdY14ByBbjLZV6nqZfBYios3dtM2RRmubBZEZT/WB83gNMxjeh:pQpspIKw19Hp0WJFBCjwqpe
TLSH T1E1F30286ABE81239FDF75636A77A14207873FCA0160DC66F473681AF0D64788C677A31
TrID 37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
12.7% (.EXE) Win64 Executable (generic) (10522/11/4)
7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika pebin
Reporter aachum
Tags:exe r77


Avatar
iamaachum
https://github.com/LoveRyajenja/lwafmwoafmw11/raw/refs/heads/main/Install.exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
20
Origin country :
ES ES
Vendor Threat Intelligence
Detection(s):
Win.Rootkit.R77-10009366-0
Create hunting rule

Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67bb477d28ab76d43a5cbb24
Tags:
emotet xtreme shell sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the Windows subdirectories
Creating a file in the system32 subdirectories
Searching for synchronization primitives
Setting browser functions hooks
Forced shutdown of a system process
Enabling autorun by creating a file
Using obfuscated Powershell scripts
Unauthorized injection to a system process
Unauthorized injection to a browser process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
crypto evasive microsoft_visual_cc obfuscated packed packed packer_detected zusy
Link:
https://www.filescan.io/uploads/67bb47ed3afc3763bec27eba/reports/686d15fa-597d-4153-b5b4-9dae1e7e4896/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/bbf19ab2cea14f070e7462babcc0f86ee9499ac0e971f70471386e43cf11cdd0
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/e434f75a-dfaf-496a-a4a1-ef42ff34ce46
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1622291
Signature
.NET source code contains process injector
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates files in the system32 config directory
Found suspicious powershell code related to unpacking or dynamic code loading
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs new ROOT certificates
Joe Sandbox ML detected suspicious sample
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential WinAPI Calls Via CommandLine
Suspicious powershell command line found
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1622291 Sample: Install.exe Startdate: 23/02/2025 Architecture: WINDOWS Score: 100 32 Antivirus / Scanner detection for submitted sample 2->32 34 Multi AV Scanner detection for submitted file 2->34 36 .NET source code references suspicious native API functions 2->36 38 10 other signatures 2->38 8 powershell.exe 2 15 2->8         started        11 Install.exe 1 2->11         started        process3 signatures4 46 Writes to foreign memory regions 8->46 48 Found suspicious powershell code related to unpacking or dynamic code loading 8->48 50 Creates a thread in another existing process (thread injection) 8->50 52 Injects a PE file into a foreign processes 8->52 13 winlogon.exe 8->13 injected 16 conhost.exe 8->16         started        process5 signatures6 54 Injects code into the Windows Explorer (explorer.exe) 13->54 56 Contains functionality to inject code into remote processes 13->56 58 Writes to foreign memory regions 13->58 60 3 other signatures 13->60 18 lsass.exe 13->18 injected 21 OfficeClickToRun.exe 11 372 13->21 injected 23 svchost.exe 13->23 injected 25 33 other processes 13->25 process7 dnsIp8 40 Installs new ROOT certificates 18->40 42 Writes to foreign memory regions 18->42 44 Creates files in the system32 config directory 21->44 28 WMIADAP.exe 23->28         started        30 199.232.214.172, 49723, 49724, 80 FASTLYUS United States 25->30 signatures9 process10
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/bbf19ab2cea14f070e7462babcc0f86ee9499ac0e971f70471386e43cf11cdd0
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bbf19ab2cea14f070e7462babcc0f86ee9499ac0e971f70471386e43cf11cdd0/
Threat name:
Win32.Infostealer.Tinba
Create hunting rule
Status:
Malicious
First seen:
2025-01-13 12:01:01 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
29 of 38 (76.32%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xpyzvmwoufhqodtumk5lzqhyn3uutgwa5fy7obdrhbxehtyrzxia._file
Result
Malware family:
n/a
Score:
  10/10
Tags:
defense_evasion discovery execution
Link:
https://tria.ge/reports/250223-tlbf9ssrcp/
Behaviour
Checks SCSI registry key(s)
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Drops file in Windows directory
Drops file in System32 directory
Command and Scripting Interpreter: PowerShell
Checks BIOS information in registry
Modifies security service
Verdict:
Malicious
Tags:
Win.Rootkit.R77-10009366-0
YARA:
n/a
Link:
https://app.threat.zone/submission/518ff262-672b-47be-9bbb-d7c0415954fc
Unpacked files
SH256 hash:
bbf19ab2cea14f070e7462babcc0f86ee9499ac0e971f70471386e43cf11cdd0
MD5 hash:
f3b37711b4fdccff04ac73db511e6c97
SHA1 hash:
25a1e189231ff7b4c660ddb2bec4e57bbee61ef8
Link:
https://www.unpac.me/results/847a288e-c07c-4570-83e8-97672597299f/
SH256 hash:
47ae22ee9b443c02210912122da06de38c6aa9c0b3c26e08b452404b0b3dee51
MD5 hash:
a2462d6a599b80dd2cbb3f1f6c6f3f8a
SHA1 hash:
c5d34d7e285e00f0570ef1de9dd9ea2c9c3035b6
Link:
https://www.unpac.me/results/847a288e-c07c-4570-83e8-97672597299f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bbf19ab2cea14f070e7462babcc0f86ee9499ac0e971f70471386e43cf11cdd0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:CAS_Malware_Hunting
Create hunting rule
Author:Michael Reinprecht
Description:DEMO CAS YARA Rules for sample2.exe
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__MemoryWorkingSet
Create hunting rule
Author:Fernando Mercês
Description:Anti-debug process memory working set size check
Reference:http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MALWARE_Win_R77
Create hunting rule
Author:ditekSHen
Description:Detects r77 rootkit
Rule name:meth_peb_parsing
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Windows_Rootkit_R77_d0367e28
Create hunting rule
Author:Elastic Security
Reference:https://www.elastic.co/security-labs/elastic-security-labs-steps-through-the-r77-rootkit

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DCRat

Executable exe fcd62f5f3f4ccaaf749a3435e750564894ba688129df32f3a27c01d60f97b676

Executable exe bbf19ab2cea14f070e7462babcc0f86ee9499ac0e971f70471386e43cf11cdd0

(this sample)

  
Link
https://tria.ge/250223-tg3pyssjgx/
  
Dropped by
SHA256 fcd62f5f3f4ccaaf749a3435e750564894ba688129df32f3a27c01d60f97b676
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3450147/
  
Dropped by
MD5 315fa8f488399e45dfcdd5c0e5b54855

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_TRUST_INFORequires Elevated Execution (level:requireAdministrator)high
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
ole32.dll::CoInitializeSecurity
WIN_CRYPT_APIUses Windows Crypt APIADVAPI32.dll::CryptAcquireContextW
ADVAPI32.dll::CryptGenRandom
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegSetValueExW

Comments