MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bf3fa6e701996cbdaf23ca371ce5591cf154390d4cdd15e3da1df608c68696eb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 12

Intelligence 12 IOCs YARA 3 File information Comments

SHA256 hash:	bf3fa6e701996cbdaf23ca371ce5591cf154390d4cdd15e3da1df608c68696eb
SHA3-384 hash:	c5995816de969123662e09e48e8b40b7767518f9ff132b31e41abcac68702af1a6e2d78c1cef612647bec06d296d4b70
SHA1 hash:	d623b02d7b75847498967d54d81c05c45a3fe929
MD5 hash:	bd195125702c88dbb53a747d14ab74e1
humanhash:	mexico-sodium-winner-alpha
File name:	SecuriteInfo.com.Win64.MalwareX-gen.25010.24037
Download:	download sample
File size:	6'479'360 bytes
First seen:	2024-10-20 21:23:01 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	2327f58e2564a30d7182461fe55de246
ssdeep	196608:txGZbr6/asuIUI7bB1xnHVe1iEq2YDcNzLblUwMLd4hP2:tIx6Ss0InNwbwWh+d+P2
TLSH	T11D6623EE6144371CC45AC0749633AD09F2B5562E5EF6E8BA32CB3BA077EF425D642B04
TrID	44.4% (.EXE) Win64 Executable (generic) (10522/11/4) 21.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.7% (.ICL) Windows Icons Library (generic) (2059/9) 8.5% (.EXE) OS/2 Executable (generic) (2029/13) 8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
Reporter	SecuriteInfoCom
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

377

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Win64.MalwareX-gen.25010.24037

Verdict:

Malicious activity

Analysis date:

2024-10-20 21:41:08 UTC

Tags:

vmprotect

Link:

https://app.any.run/tasks/19916555-259a-4d7a-b426-466710a1d8d6

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Win64.MalwareX-gen.25010.24037.UNOFFICIAL

Verdict:

Malicious

Score:

93.3%

Link:

https://cyber-fortress.com/docs/result/index.php?id=671574f79e67c24682029375

Tags:

Vmprotect

Result

Verdict:

Clean

Maliciousness:

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

lolbin packed packed packed packer_detected shell32 vmprotect

Link:

https://www.filescan.io/uploads/671574d4cb929da7ec4dfd14/reports/6c18d46e-66c1-4aa5-a9cf-1b793939aabe/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/bf3fa6e701996cbdaf23ca371ce5591cf154390d4cdd15e3da1df608c68696eb

Result

Verdict:

MALICIOUS

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/081cc8c7-fef2-4b82-babe-86ed277f86cb

Result

Threat name:

n/a

Detection:

malicious

Classification:

evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/1538273

Signature

AI detected suspicious sample

Antivirus / Scanner detection for submitted sample

Detected VMProtect packer

Found direct / indirect Syscall (likely to bypass EDR)

Hides threads from debuggers

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Tries to detect debuggers (CloseHandle check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Tries to evade analysis by execution special instruction (VM detection)

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/bf3fa6e701996cbdaf23ca371ce5591cf154390d4cdd15e3da1df608c68696eb

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/bf3fa6e701996cbdaf23ca371ce5591cf154390d4cdd15e3da1df608c68696eb/

Threat name:

Win64.Trojan.Generic

Status:

Suspicious

First seen:

2024-10-04 00:47:26 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

18 of 38 (47.37%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=x472nzybtfwl3lzdzi3rzzkzdtyvioinjtorly62dx3arrugs3vq._file

Result

Malware family:

n/a

Score:

7/10

Tags:

vmprotect

Link:

https://tria.ge/reports/241020-z8p6tssfqr/

Behaviour

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of NtSetInformationThreadHideFromDebugger

VMProtect packed file

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/928cca67-ba02-4a4c-a252-2ad030fb47bc

Unpacked files

SH256 hash:

bf3fa6e701996cbdaf23ca371ce5591cf154390d4cdd15e3da1df608c68696eb

MD5 hash:

bd195125702c88dbb53a747d14ab74e1

SHA1 hash:

d623b02d7b75847498967d54d81c05c45a3fe929

Link:

https://www.unpac.me/results/ff2f15f1-e1c0-4f22-92c0-b4a5a077d59d/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/bf3fa6e70199/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/bf3fa6e701996cbdaf23ca371ce5591cf154390d4cdd15e3da1df608c68696eb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_VMProtect Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with VMProtect.

Rule name:	pe_detect_tls_callbacks Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe bf3fa6e701996cbdaf23ca371ce5591cf154390d4cdd15e3da1df608c68696eb

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/3245987/

Delivery method

Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (GUARD_CF)	high
CHECK_TRUST_INFO	Requires Elevated Execution (level:requireAdministrator)	high

Reviews

ID	Capabilities	Evidence
RPC_API	Can Execute Remote Procedures	RPCRT4.dll::RpcStringFreeA
SHELL_API	Manipulates System Shell	SHELL32.dll::ShellExecuteA
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::LoadLibraryA
WIN_CRYPT_API	Uses Windows Crypt API	CRYPT32.dll::CertFreeCertificateChainEngine
WIN_HTTP_API	Uses HTTP services	WINHTTP.dll::WinHttpSendRequest
WIN_SVC_API	Can Manipulate Windows Services	ADVAPI32.dll::ControlService

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample