MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cc9cc644f51ae4db1b77207f2cf9ef624ed5624e64b55513a2d4056534dbcf70. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 12

Intelligence 12 IOCs YARA 9 File information Comments

SHA256 hash:	cc9cc644f51ae4db1b77207f2cf9ef624ed5624e64b55513a2d4056534dbcf70
SHA3-384 hash:	ffdd8a3ebb58fecd62d25b77c24ea2f44c1bd6908f3d5d9b8203f03144cbf9bd858980a16a9de1e4df7c2a4254db4727
SHA1 hash:	2128e3685998b227e4a1ac33313c444113823960
MD5 hash:	0f1278e0606fb786114c66a67c2a6425
humanhash:	alanine-johnny-cardinal-fish
File name:	0f1278e0606fb786114c66a67c2a6425.exe
Download:	download sample
File size:	5'862'112 bytes
First seen:	2023-12-02 16:53:39 UTC
Last seen:	2023-12-02 18:26:58 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	edac19bae7a55f5a30336032d0b4ae67
ssdeep	98304:LS1pVScBQJ3ZwKU1srxQaE9CEJFcF1ppIf60gNgqVpbTYVgZoj47MZ5FV0ZIvY4Q:LWTEmWeaEkuFcUfdgNvpbXZ778hsIvYN
TLSH	T1D4462306C84C39DDD4B724788D66AA3F31B31F18719478F8AC6E27EA49A7D603C36857
TrID	27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 20.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 18.6% (.EXE) Win32 Executable (generic) (4505/5/1) 8.5% (.ICL) Windows Icons Library (generic) (2059/9) 8.3% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	78ecdcdcccccc0f8 (1 x RiseProStealer)
Reporter	abuse_ch
Tags:	exe signed

Code Signing Certificate

Organisation:	Intel Core i5-13400 Raptor Lake-S LGA1700
Issuer:	Intel Core i5-13400 Raptor Lake-S LGA1700
Algorithm:	sha512WithRSAEncryption
Valid from:	2023-10-07T06:29:26Z
Valid to:	2026-02-17T00:00:00Z
Serial number:	5fbe9c93611c9e43b98e02278e890ad3
Intelligence:	4 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	e175355885ce0b768bbd4caeb7f0dd3d630062558e66dccadcb14ab993b0b169
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

288

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

0f1278e0606fb786114c66a67c2a6425.exe

Verdict:

Malicious activity

Analysis date:

2023-12-02 17:11:25 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/897c360a-d7b1-47f8-8a84-1d5f5251a4f5

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/461942/

Detection(s):

SecuriteInfo.com.FileRepMalware.27969.29171.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for analyzing tools

Searching for the window

Сreating synchronization primitives

Creating a file

Creating a file in the %temp% directory

Enabling the 'hidden' option for recently created files

Running batch commands

Creating a process with a hidden window

Launching a process

Creating a process from a recently created file

Sending a custom TCP request

Enabling autorun by creating a file

Gathering data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware lolbin overlay packed packed shell32 themidawinlicense

Link:

https://www.filescan.io/uploads/656b62bb0a09154b192717f1/reports/fc707ae0-ff1d-4e13-a5b6-a36ffb8ce43f/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/cc9cc644f51ae4db1b77207f2cf9ef624ed5624e64b55513a2d4056534dbcf70

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/763295e4-7360-4f99-aedc-da37a7b86251

Result

Threat name:

MicroClip

Detection:

malicious

Classification:

troj.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/1352136

Signature

Hides threads from debuggers

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

PE file contains section with special chars

Query firmware table information (likely to detect VMs)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected MicroClip

Behaviour

Behavior Graph:

Download SVG

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/cc9cc644f51ae4db1b77207f2cf9ef624ed5624e64b55513a2d4056534dbcf70

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/cc9cc644f51ae4db1b77207f2cf9ef624ed5624e64b55513a2d4056534dbcf70/

Threat name:

Win32.Trojan.ClipBanker

Status:

Malicious

First seen:

2023-12-01 18:21:43 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

17 of 23 (73.91%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=zsommrhvdlsnwg3xeb7sz6ppmjhnkysoms2vke5c2qcwkng3z5ya._file

Verdict:

unknown

Result

Malware family:

n/a

Score:

9/10

Tags:

evasion themida trojan

Link:

https://tria.ge/reports/231202-veh37seb79/

Behaviour

Creates scheduled task(s)

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Suspicious use of NtSetInformationThreadHideFromDebugger

Checks whether UAC is enabled

Checks BIOS information in registry

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Themida packer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Unpacked files

SH256 hash:

e8a449df4b09cc1a12a2977e8fc0da0a5f7acbe8740e5bf8bb864f5971c0a141

MD5 hash:

2aca2b4c3ae9142053b2ccb13e3f82b9

SHA1 hash:

acacc45afb79929614375b64109917899375617a

Detections:

INDICATOR_EXE_Packed_Themida

Link:

https://www.unpac.me/results/898b4890-3772-447e-8fce-1db105605000/

SH256 hash:

2612713fed82331940ba3e568896ec241922c26ffd3ce345a25f2b386db7ff4e

MD5 hash:

303286f99250459bcd9eff37f15d4955

SHA1 hash:

cdf7f3486473725f14850057de84fa5a27317053

Detections:

INDICATOR_EXE_Packed_Themida

Link:

https://www.unpac.me/results/898b4890-3772-447e-8fce-1db105605000/

SH256 hash:

4060eb39f4cea42e16d954180c857dbb3fb511db4054d00afb66055b804748d1

MD5 hash:

74a57c87e58de1a8067c08312d3b45fd

SHA1 hash:

e7c4843bb6f912ae0480bc5e672d4954efc8d5e3

Detections:

INDICATOR_EXE_Packed_Themida

Link:

https://www.unpac.me/results/898b4890-3772-447e-8fce-1db105605000/

SH256 hash:

cc9cc644f51ae4db1b77207f2cf9ef624ed5624e64b55513a2d4056534dbcf70

MD5 hash:

0f1278e0606fb786114c66a67c2a6425

SHA1 hash:

2128e3685998b227e4a1ac33313c444113823960

Detections:

INDICATOR_EXE_Packed_Themida

Link:

https://www.unpac.me/results/898b4890-3772-447e-8fce-1db105605000/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.91

Link:

https://yomi.yoroi.company/submissions/cc9cc644f51ae4db1b77207f2cf9ef624ed5624e64b55513a2d4056534dbcf70

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Disable_Defender Create hunting rule
Author:	iam-py-test
Description:	Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name:	INDICATOR_EXE_Packed_Themida Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with Themida

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	maldoc_getEIP_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	vmdetect Create hunting rule
Author:	nex
Description:	Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe cc9cc644f51ae4db1b77207f2cf9ef624ed5624e64b55513a2d4056534dbcf70

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2735404/

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/2733619/

Cape

https://www.capesandbox.com/analysis/461942/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample