MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cdfd799f58cfb6800884242837a27ec19a25effa8943325512df1c08374580cc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 12

Intelligence 12 IOCs YARA 10 File information Comments

SHA256 hash:	cdfd799f58cfb6800884242837a27ec19a25effa8943325512df1c08374580cc
SHA3-384 hash:	26b71a8308a727216687ba4fea18a75918241c5e74d7324573d70b3d7882c97923293b5442ee44fadfbcdad08bb02e6d
SHA1 hash:	46e6f83690008e0d144fb4c31ed35a67a1c98edd
MD5 hash:	77c9c8378cb71156fa1dbd5d55ace921
humanhash:	lemon-oxygen-april-uniform
File name:	77c9c8378cb71156fa1dbd5d55ace921.exe
Download:	download sample
File size:	2'626'936 bytes
First seen:	2023-12-04 09:29:21 UTC
Last seen:	2023-12-04 10:33:11 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	98531db40515fb8043e9239e78cac583
ssdeep	24576:+Yvh5sVnb5SapjSYnsHrshJf9H00qTorWW0qJJfPyoZWayIzfXxwkzJCa8h8+WdD:+YJunYefnAreJJ0+rF0qJpyahJevG9
TLSH	T116C53340FD041ACBCAB217317EBC0646AA727A67099C63FC2E7FD0A42924F8FB755614
TrID	32.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 28.9% (.EXE) Win32 Executable (generic) (4505/5/1) 13.0% (.EXE) OS/2 Executable (generic) (2029/13) 12.8% (.EXE) Generic Win/DOS Executable (2002/3) 12.8% (.EXE) DOS Executable Generic (2000/1)
Reporter	abuse_ch
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

291

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

77c9c8378cb71156fa1dbd5d55ace921.exe

Verdict:

Malicious activity

Analysis date:

2023-12-04 09:54:14 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/30611892-dced-428f-b1ef-eff1b3e8ef8f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/462328/

Detection(s):

SecuriteInfo.com.FileRepMalware.30619.7266.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a process from a recently created file

Searching for the window

Searching for analyzing tools

Сreating synchronization primitives

Creating a file

Creating a file in the %temp% directory

Sending a custom TCP request

Running batch commands

Creating a process with a hidden window

Enabling the 'hidden' option for recently created files

Launching a process

Gathering data

Verdict:

Malicious

Threat level:

10/10

Confidence:

89%

Tags:

lolbin overlay packed packed shell32 themidawinlicense

Link:

https://www.filescan.io/uploads/656d9c25380413dc0c2f8d68/reports/bb3e7406-3dd9-4f13-87ac-86fe85c16d24/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_70%

Link:

https://www.hybrid-analysis.com/sample/cdfd799f58cfb6800884242837a27ec19a25effa8943325512df1c08374580cc

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8a300526-5691-42fe-945c-d6bfbbc18a25

Result

Threat name:

MicroClip

Detection:

malicious

Classification:

troj.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/1353045

Signature

Hides threads from debuggers

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

PE file contains section with special chars

Query firmware table information (likely to detect VMs)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to evade debugger and weak emulator (self modifying code)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected MicroClip

Behaviour

Behavior Graph:

Download SVG

Score:

98%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/cdfd799f58cfb6800884242837a27ec19a25effa8943325512df1c08374580cc

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/cdfd799f58cfb6800884242837a27ec19a25effa8943325512df1c08374580cc/

Threat name:

Win32.Spyware.Lummastealer

Status:

Malicious

First seen:

2023-12-04 07:41:22 UTC

AV detection:

11 of 23 (47.83%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=zx6xth2yz63iaceeequdpit6ygncl372rfbtevis34oaqn2fqdga._file

Verdict:

malicious

Result

Malware family:

n/a

Score:

9/10

Tags:

evasion themida trojan

Link:

https://tria.ge/reports/231204-lggtgsac82/

Behaviour

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Enumerates physical storage devices

Suspicious use of NtSetInformationThreadHideFromDebugger

Checks whether UAC is enabled

Checks BIOS information in registry

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Themida packer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Unpacked files

SH256 hash:

6851e02d3f4b8179b975f00bbc86602a2f2f84524f548876eb656db7ea5eaa9c

MD5 hash:

c5124caf4aea3a83b63a9108fe0dcef8

SHA1 hash:

a43a5a59038fca5a63fa526277f241f855177ce6

Link:

https://www.unpac.me/results/9831ecf9-9127-4633-9c26-74b40f77753d/

SH256 hash:

c42f006070479c98884c5c8512cda892df51dec80231e9d6776b2c1f2e29493e

MD5 hash:

024e065bd51e15948ed734e28f8aca7c

SHA1 hash:

f6cf64ce59a272b789ecb27c9bc064d333332e7c

Detections:

INDICATOR_EXE_Packed_Themida

Link:

https://www.unpac.me/results/9831ecf9-9127-4633-9c26-74b40f77753d/

SH256 hash:

9d0a97db75a27c88cea90e8d9b29bcb0cff4a24303ade33718f9744c7cb97f36

MD5 hash:

437bf108e43f7db1e6c1c41f2fcb9a5e

SHA1 hash:

32f52676271f35b7a14abe4d9ccbc12b5b137072

Detections:

INDICATOR_EXE_Packed_Themida

Link:

https://www.unpac.me/results/9831ecf9-9127-4633-9c26-74b40f77753d/

SH256 hash:

423457445b9b0f45317864d72e44b6b746d52923461ffb9542376b52721619de

MD5 hash:

cb26eb0176d809ea366073272d6aa473

SHA1 hash:

494e2b6cec2be95a238b8f599f170eb4548a3321

Detections:

INDICATOR_EXE_Packed_Themida

Link:

https://www.unpac.me/results/9831ecf9-9127-4633-9c26-74b40f77753d/

SH256 hash:

cdfd799f58cfb6800884242837a27ec19a25effa8943325512df1c08374580cc

MD5 hash:

77c9c8378cb71156fa1dbd5d55ace921

SHA1 hash:

46e6f83690008e0d144fb4c31ed35a67a1c98edd

Detections:

INDICATOR_EXE_Packed_Themida

Link:

https://www.unpac.me/results/9831ecf9-9127-4633-9c26-74b40f77753d/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/cdfd799f58cfb6800884242837a27ec19a25effa8943325512df1c08374580cc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Disable_Defender Create hunting rule
Author:	iam-py-test
Description:	Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name:	HeavensGate Create hunting rule
Author:	kevoreilly
Description:	Heaven's Gate: Switch from 32-bit to 64-mode

Rule name:	INDICATOR_EXE_Packed_Themida Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with Themida

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	maldoc_getEIP_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	vmdetect Create hunting rule
Author:	nex
Description:	Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe cdfd799f58cfb6800884242837a27ec19a25effa8943325512df1c08374580cc

(this sample)

Cape

https://www.capesandbox.com/analysis/462328/

URLhaus

https://urlhaus.abuse.ch/url/2737076/

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/2735404/

URLhaus

https://urlhaus.abuse.ch/url/2733619/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample