MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bd7fc202d7669e5274554be14461ce65913e388c14500a3e774b1fe9d8d08700. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 3



SHA256 hash: bd7fc202d7669e5274554be14461ce65913e388c14500a3e774b1fe9d8d08700
SHA3-384 hash: adeaffde315a48382d29f14e84dcbf89b2ea907321365570f905a486a8c88b8d8f754ed7ab9181b652f275b47816cc8a
SHA1 hash: 750bf411d5e68cb40d0ad97d71bcd7b68402e27f
MD5 hash: f0b92582513f9e8040670e6bb30256c8
humanhash: magazine-angel-johnny-finch
File name: SecuriteInfo.com.0053ed151.1946
File size: 7'863'137 bytes
First seen: 2020-05-17 13:38:31 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 1f23f452093b5c1ff091a2f9fb4fa3e9 (274 x GuLoader, 36 x RemcosRAT, 23 x AgentTesla)
ssdeep: 196608:CRA4IhPDXEGPlRjw0MJ3CNREj1OjWhG2h9v1Fls0FVBH:lLdgelRwP8Ej1JhG2h9vHi2VF
Threatray: 26 similar samples on MalwareBazaar
TLSH: 8D8633BE3072C267C92723FF48F1AB61AA38750F8259EA43CB109FFD81571961658B17
Reporter: SecuriteInfoCom

Intelligence

File Origin
# of uploads: 1
# of downloads: 101
Origin country: n/a

Vendor Threat Intelligence
Threat name: Win32.Trojan.Garvi
Status: Malicious
First seen: 2020-05-13 15:35:18 UTC
File Type: PE (Exe)
Extracted files: 935
AV detection: 21 of 31 (67.74%)
Threat level: 5/5

Result
Malware family: n/a
Score: 1/10
Tags: n/a

Behaviour
Suspicious behavior: GetForegroundWindowSpam

Please note that we are no longer able to provide a coverage score for VirusTotal.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Executable exe bd7fc202d7669e5274554be14461ce65913e388c14500a3e774b1fe9d8d08700 (this sample)

Delivery method: Distributed via web download

Comments

Stephan (@FirehaK@infosec.exchange) commented on 2020-05-18 14:13:00 UTC

Slight edit (since I can't update my first comment): the Chrome extension is bundled in the initial installer application.

Stephan (@FirehaK@infosec.exchange) commented on 2020-05-18 04:37:22 UTC

Uses a compiled Python script (load.pyc) to create persistence through scheduled tasks and run keys. Performs a DNS lookup to get the TXT record of an embedded domain (bestlivestat[.]com), which would have returned a base64-encoded URL. I did not see any TXT records for the domain. If the record exists, it downloads a JSON config which contains a file to download and execute. Installations are tracked via Google Analytics. Also checks for Chrome, Yandex and Opera browsers.

When run through any.run (https://app.any.run/tasks/515f7c4f-1d87-49cf-a7ae-25050cfdb474) it installed an older version of the "Yandex.Market Adviser" Chrome extension (ID: mcfckchjhehcdgoeihjjjbkcdpdfmloa).