MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cf4ecdd070a6b6806a0ee42b6367ff474077b35f493f75477327888f2fd6a905. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 11



SHA256 hash: cf4ecdd070a6b6806a0ee42b6367ff474077b35f493f75477327888f2fd6a905
SHA3-384 hash: b17b01e73ecdd1a0718d79d4eba820c41461b09a9eafcafde7a9436a9367080262add9138f5c6265da6a16a2586a71bc
SHA1 hash: 869ac02714efdd4309f74b363a973ae4de58f831
MD5 hash: bf9994b7ca3455426fbe2f810b062b35
humanhash: london-blossom-november-apart
File name: Compass Cloud.exe
File size: 12'169'832 bytes
First seen: 2025-04-24 15:15:01 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 4328f7206db519cd4e82283211d98e83 (533 x RedLineStealer, 18 x Arechclient2, 15 x DCRat)
ssdeep 196608:qnFNIiPyKhGgLZflk5jFMb4GU49fryKNZcQ8CmF1jUH9kpkPZUXusY9AUjLtTvZD:v/KhGmlk5NGUyGMOG81c9kVPqFTvL5ci
TLSH T1E7C6335B56A33214CADB02F0849AC361946932D11E5A6D14E6A3DCFF3FD3A8E5F39087
TrID 27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
20.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.6% (.EXE) Win32 Executable (generic) (4504/4/1)
8.5% (.ICL) Windows Icons Library (generic) (2059/9)
8.3% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
dhash icon 704c96b3b79eccf0
Reporter TheSillyFEllo
Tags: exe signed Themida

Code Signing Certificate

Organisation: Internet Testing Systems, LLC
Issuer: Sectigo Public Code Signing CA R36
Algorithm: sha384WithRSAEncryption
Valid from: 2024-06-26T00:00:00Z
Valid to: 2027-06-26T23:59:59Z
Serial number: a728fdc9158a84ad3788eb447b9cc14d
Thumbprint Algorithm: SHA256
Thumbprint: 9f47b83bff6afd076e8552a9d307142f88619e0742ae00b02f5db85d54457015
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 1
# of downloads: 456
Origin country: CA
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Compass Cloud.exe
Verdict: Malicious activity
Analysis date: 2025-04-24 13:52:51 UTC
Tags: themida

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.1%
Tags: vmdetect cobalt
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Searching for analyzing tools
Creating synchronization primitives
Creating a window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a file
Launching a process
Searching for synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Unauthorized injection to a recently created process
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-vm danabot entropy obfuscated overlay overlay packed packed packer_detected rat signed themidawinlicense virtual
Result
Threat name: n/a
Detection: malicious
Classification: spyw.evad.mine
Score: 84 / 100
Signature
.NET source code contains potential unpacker
Detected unpacking (changes PE section rights)
Found strings related to Crypto-Mining
Hides threads from debuggers
Installs a global event hook (focus changed)
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
May use the Tor software to hide its network traffic
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries pointing device information (via WMI, Win32_PointingDevice, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph (rendered as an image on the original page; the details recoverable from it follow)
Behavior Graph ID: 1673281 | Sample: Compass Cloud.exe | Startdate: 24/04/2025 | Architecture: WINDOWS | Score: 84
Sample-level signatures: Multi AV Scanner detection for submitted file; Detected unpacking (changes PE section rights); .NET source code contains potential unpacker; 5 other signatures
DNS/IP contacts: www.starttest.com (161.47.163.213, 443, 49690, 49692, RACKSPACEUS, United States, from Compass Cloud.exe); pki-goog.l.google.com; c.pki.goog; chrome.cloudflare-dns.com (162.159.61.3, 443, 49698, CLOUDFLARENETUS, United States, from msedgewebview2.exe)
Dropped files (by Compass Cloud.exe): C:\Users\user\AppData\...\SignInfoConsole.exe (PE32); C:\Users\user\...\Compass Cloud.exe.log (ASCII); C:\Users\user\AppData\Local\...\3b850059.dll (PE32); 2 other files (none is malicious)
Process-level signatures on Compass Cloud.exe: Query firmware table information (likely to detect VMs); May use the Tor software to hide its network traffic; Hides threads from debuggers; 4 other signatures
Process tree: Compass Cloud.exe started msedgewebview2.exe (two instances), SignInfoConsole.exe and 2 other processes; the msedgewebview2.exe instances spawned further msedgewebview2.exe processes and other processes (signature on msedgewebview2.exe: Found strings related to Crypto-Mining); SignInfoConsole.exe and the other processes started conhost.exe
Result
Malware family: n/a
Score: 9/10
Tags: defense_evasion discovery themida trojan
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Network Share Discovery
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Themida packer
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset
Rule name: INDICATOR_EXE_Packed_Fody
Author: ditekSHen
Description: Detects executables manipulated with Fody
Rule name: INDICATOR_EXE_Packed_Themida
Author: ditekSHen
Description: Detects executables packed with Themida
Rule name: NET
Author: malware-lu
Rule name: NETexecutableMicrosoft
Author: malware-lu
Rule name: PE_Digital_Certificate
Author: albertzsigovits
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)
Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                          Title                                                       Severity
CHECK_DLL_CHARACTERISTICS   Missing dll Security Characteristics (NX_COMPAT)            high
CHECK_NX                    Missing Non-Executable Memory Protection                    critical
CHECK_PIE                   Missing Position-Independent Executable (PIE) Protection    high
CHECK_TRUST_INFO            Requires Elevated Execution (Unrestricted:true)             high

Comments