MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bfe85700c95ee65a50c47769f003c792d9b7cc407359a6d6df795c3bbb3fef8b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Adware.Generic


Vendor detections: 10



SHA256 hash: bfe85700c95ee65a50c47769f003c792d9b7cc407359a6d6df795c3bbb3fef8b
SHA3-384 hash: 576f1cfe3292a8529b767b55fc9b6ac86b0bc490985a0cf7bcd799ce12c2147b9fab91d565cbae0014db68b6a9ab8692
SHA1 hash: ed7824bee1b817104b5555391b8763abee9636cf
MD5 hash: 4b921412e7a61d828cb6b78726747c5e
humanhash: comet-connecticut-red-carolina
File name: 4b921412e7a61d828cb6b78726747c5e
Signature: Adware.Generic
File size: 16'251'554 bytes
First seen: 2023-06-08 03:46:55 UTC
Last seen: 2023-06-08 07:28:12 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash f5151e63f951542420f03e2fa50c82d8 (1 x Adware.Generic)
ssdeep 393216:9S9Q6sx8CfDNhWJ36Yt/MENAzN7pHlY2/E3oXtrP:9S98NBkBt/fYdHl1IU5
Threatray 40 similar samples on MalwareBazaar
TLSH T1B9F633623B59CC98E2B1C4F8297D4F84F87D89661D5785F8DBE68CE114B8EB8748F006
TrID 42.7% (.EXE) Win32 Executable (generic) (4505/5/1)
19.2% (.EXE) OS/2 Executable (generic) (2029/13)
19.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.9% (.EXE) DOS Executable Generic (2000/1)
dhash icon 9270e894d4cc6992 (1 x Adware.Generic)
Reporter zbetcheckin
Tags:32 Adware.Generic exe

Intelligence


File Origin
# of uploads: 3
# of downloads: 333
Origin country: FR
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 4b921412e7a61d828cb6b78726747c5e
Verdict: Malicious activity
Analysis date: 2023-06-08 03:47:27 UTC
Tags: trojan

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Clean
Behaviour
Searching for the window
Creating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: greyware lolbin overlay packed shell32.dll
Result
Verdict: MALICIOUS
Result
Threat name: n/a
Detection: malicious
Classification: troj.evad
Score: 76 / 100
Signature
Antivirus / Scanner detection for submitted sample
Connects to many ports of the same IP (likely port scanning)
Detected VMProtect packer
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
Tries to detect virtualization through RDTSC time measurements
Threat name: Win32.Packed.VMProtect
Status: Malicious
First seen: 2023-06-08 03:47:08 UTC
File Type: PE (Exe)
Extracted files: 28
AV detection: 20 of 24 (83.33%)
Threat level: 1/5
Result
Malware family: n/a
Score: 7/10
Tags: bootkit persistence upx vmprotect
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Writes to the Master Boot Record (MBR)
UPX packed file
VMProtect packed file
Unpacked files
SHA256 hash: bfe85700c95ee65a50c47769f003c792d9b7cc407359a6d6df795c3bbb3fef8b
MD5 hash: 4b921412e7a61d828cb6b78726747c5e
SHA1 hash: ed7824bee1b817104b5555391b8763abee9636cf
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_EXE_Packed_VMProtect
Author: ditekSHen
Description: Detects executables packed with VMProtect.
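Before trusting any of the sandbox verdicts above for a file you have pulled, confirm the file on disk is the one this entry describes, then look for the packer the sandboxes report (VMProtect, with UPX also tagged). The following is an added example, not MalwareBazaar code and not ditekSHen's rule, whose body this page does not show: it verifies a byte string against the entry's SHA256/SHA1/MD5 and parses the PE section table to flag the default VMProtect (.vmp0/.vmp1/.vmp2) and UPX (UPX0/UPX1/UPX2) section names. Those names are an assumed heuristic of mine; both packers can rename sections, so a miss proves nothing, which is why a signature that looks at code patterns is stronger. The PE built by build_minimal_pe() is constructed for the demo and is not the sample above.

```python
"""Offline triage helpers for a MalwareBazaar entry (added example, not
MalwareBazaar or ditekSHen code): confirm the file you hold is the one the
entry describes, then look for VMProtect/UPX default section names."""
import hashlib
import struct

# Copied from the entry above; a file that does not produce all three is not
# the sample this page describes.
ENTRY_HASHES = {
    "sha256": "bfe85700c95ee65a50c47769f003c792d9b7cc407359a6d6df795c3bbb3fef8b",
    "sha1": "ed7824bee1b817104b5555391b8763abee9636cf",
    "md5": "4b921412e7a61d828cb6b78726747c5e",
}

# Assumed heuristic: default section names left by these packers. Both can
# rename sections, so absence is not evidence of anything.
PACKER_SECTION_NAMES = {
    "vmprotect": {".vmp0", ".vmp1", ".vmp2"},
    "upx": {"UPX0", "UPX1", "UPX2"},
}


def compute_hashes(data: bytes) -> dict:
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
    }


def verify_against_entry(data: bytes, entry=ENTRY_HASHES) -> dict:
    """Return {algo: bool}, True where the local bytes match the entry."""
    got = compute_hashes(data)
    return {algo: got[algo] == expected.lower() for algo, expected in entry.items()}


def pe_section_names(data: bytes) -> list:
    """Parse just enough of the PE headers to list section names.

    Raises ValueError for anything that is not a well-formed PE so that a
    truncated or non-PE file is reported rather than silently yielding []."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes)
    _, n_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    table = e_lfanew + 4 + 20 + opt_size
    if table + 40 * n_sections > len(data):
        raise ValueError("section table truncated")
    names = []
    for i in range(n_sections):
        raw = data[table + 40 * i: table + 40 * i + 8]  # Name is the first 8 bytes
        names.append(raw.split(b"\x00", 1)[0].decode("ascii", "replace"))
    return names


def packer_hints(data: bytes) -> set:
    """Packers whose default section names appear in the file."""
    present = set(pe_section_names(data))
    return {packer for packer, names in PACKER_SECTION_NAMES.items() if present & names}


def build_minimal_pe(section_names) -> bytes:
    """Constructed test input: MZ stub, PE signature, COFF header with no
    optional header, and a section table with the given names (no code)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    sections = b"".join(
        name.encode("ascii").ljust(8, b"\x00") + b"\x00" * 32 for name in section_names
    )
    return dos + b"PE\x00\x00" + coff + sections


if __name__ == "__main__":
    demo = build_minimal_pe([".vmp0", ".vmp1", ".text"])
    print("matches entry:", verify_against_entry(demo))
    print("sections:", pe_section_names(demo))
    print("packer hints:", packer_hints(demo))
```

On a real download, read the extracted file's bytes and pass them to verify_against_entry() first; only a file matching all three hashes is the one the reports above describe. The hash check is deliberately separate from the packer check so that a mismatch stops triage before any further handling.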

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: Adware.Generic
File type: Executable exe
SHA256: bfe85700c95ee65a50c47769f003c792d9b7cc407359a6d6df795c3bbb3fef8b (this sample)

Comments



zbet commented on 2023-06-08 03:46:56 UTC

url: hxxp://43.139.13.79:8186/%E4%BF%A1%E5%A4%A9%E6%B8%B8.exe
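The delivery URL in the comment above is defanged and carries a percent-encoded filename. The following is an added example, not MalwareBazaar code and not part of the comment: it refangs the URL for parsing, splits out the host, port and served path (the form that appears in proxy logs), decodes the filename so a non-ASCII name is readable, and re-defangs the result for a report. Only the URL string comes from the page; the defang convention and output shape are my own.

```python
"""Turn the defanged delivery URL reported above into reviewable IOCs
(added example, not MalwareBazaar code)."""
from urllib.parse import unquote, urlsplit

# Copied from the comment above, still defanged (hxxp) as reported.
REPORTED_URL = "hxxp://43.139.13.79:8186/%E4%BF%A1%E5%A4%A9%E6%B8%B8.exe"


def refang(url: str) -> str:
    """Undo hxxp(s):// and [.] / [:] defanging so urlsplit can parse the URL."""
    lowered = url.lower()
    if lowered.startswith("hxxps://"):
        url = "https://" + url[len("hxxps://"):]
    elif lowered.startswith("hxxp://"):
        url = "http://" + url[len("hxxp://"):]
    return url.replace("[.]", ".").replace("[:]", ":")


def defang(url: str) -> str:
    """Make a live URL safe to paste into a report: hxxp scheme, [.] in the host."""
    parts = urlsplit(url)
    scheme = parts.scheme.replace("http", "hxxp", 1)
    netloc = parts.netloc.replace(".", "[.]")
    query = "?" + parts.query if parts.query else ""
    return f"{scheme}://{netloc}{parts.path}{query}"


def extract_iocs(reported_url: str) -> dict:
    """Split a reported URL into the pieces an analyst blocks or pivots on.

    The path is kept as served (percent-encoded) because that is what proxy
    logs record; the filename is percent-decoded as UTF-8 so non-ASCII names
    become readable (undecodable bytes turn into U+FFFD rather than raising)."""
    live = refang(reported_url)
    parts = urlsplit(live)
    filename = unquote(parts.path.rsplit("/", 1)[-1])
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "port": parts.port,      # None when the URL carries no explicit port
        "path": parts.path,
        "filename": filename,
        "defanged": defang(live),
    }


if __name__ == "__main__":
    for key, value in extract_iocs(REPORTED_URL).items():
        print(f"{key:9} {value}")
```

The non-default port is worth keeping as its own field: a block on the bare IP catches it, but a detection keyed on host alone would miss the 8186 in proxy logs if the same address later serves on another port.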