MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d19dbc6b0c0792df8f420c14ef25130052a81d481d38340a40194862ff0095cd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ConnectWise


Vendor detections: 15


Intelligence 15 IOCs YARA 15 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d19dbc6b0c0792df8f420c14ef25130052a81d481d38340a40194862ff0095cd
SHA3-384 hash: 7322413b26cfe1dbdbbf5ff22930794cb64d13700e5737f381b81ea46a19b38ff031b26dcae2e2f88905a6f5227335f9
SHA1 hash: 8513ae78b78f157fdd8800f2eda654c75332cd4b
MD5 hash: 321132051c3add66f0cdae4b8cf4c332
humanhash: texas-aspen-purple-steak
File name:statsment.exe
Download: download sample
Signature ConnectWise
Create hunting rule
File size:5'652'448 bytes
First seen:2024-12-13 02:11:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9771ee6344923fa220489ab01239bdfd (243 x ConnectWise)
ssdeep 49152:IDex5xKkEJkGYYpT0+TFiH7efP0x58IJL+md3rHgDNMKLo8SsxG/XcW32gqkAfoc:c4s6efPQ53JLbd3LINMLaGUW39f0
Threatray 374 similar samples on MalwareBazaar
TLSH T1D046E111B3D995B9C0BF063CD87A52699A74BC048722C7AF57D4BD292D32BC05E323B6
TrID 68.8% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
12.5% (.EXE) Win64 Executable (generic) (10522/11/4)
6.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.4% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter malwarology
Tags:ConnectWise exe signed

Code Signing Certificate

Organisation:Connectwise, LLC
Issuer:DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Algorithm:sha256WithRSAEncryption
Valid from:2022-08-17T00:00:00Z
Valid to:2025-08-15T23:59:59Z
Serial number: 0b9360051bccf66642998998d5ba97ce
Intelligence: 444 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 82b4e7924d5bed84fb16ddf8391936eb301479cec707dc14e23bc22b8cdeae28
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
malwarology
hxxps[://]scure2glbcubnk[.]es/Windows/statsment.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
491
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
statsment.exe
Verdict:
Malicious activity
Analysis date:
2024-12-13 02:14:35 UTC
Tags:
remote screenconnect
Link:
https://app.any.run/tasks/3d545b5c-0081-4eb3-a2c9-e5a7753a5f82

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Sanesecurity.Malware.29065.SC.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Siggen26.37800.12014.29258.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=675b994589dbe216234deedd
Tags:
connectwise phishing
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Launching a process
Creating a file
Creating a window
Searching for synchronization primitives
Loading a suspicious library
Launching a service
Modifying a system file
Creating a file in the Windows subdirectories
Creating a file in the Program Files subdirectories
Creating a service
Creating a process from a recently created file
Searching for the window
DNS request
Moving a file to the Windows subdirectory
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Possible injection to a system process
Enabling autorun with the shell\open\command registry branches
Enabling autorun
Enabling autorun for a service
Unauthorized injection to a recently created process
Verdict:
Malicious
Labled as:
RiskWare[RemoteAdmin]/ConnectWise
Link:
https://www.hybrid-analysis.com/sample/d19dbc6b0c0792df8f420c14ef25130052a81d481d38340a40194862ff0095cd
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
ConnectWise
Create hunting rule
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/aa51cdb3-fbb7-439b-b82a-8465c8d3170a
Result
Threat name:
ScreenConnect Tool
Create hunting rule
Detection:
malicious
Classification:
evad
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/1574188
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
Contains functionality to hide user accounts
Creates files in the system32 config directory
Detected potential unwanted application
Enables network access during safeboot for specific services
Modifies security policies related information
Multi AV Scanner detection for submitted file
Possible COM Object hijacking
Reads the Security eventlog
Reads the System eventlog
Sigma detected: Remote Access Tool - ScreenConnect Suspicious Execution
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1574188 Sample: statsment.exe Startdate: 13/12/2024 Architecture: WINDOWS Score: 48 55 yell64u.top 2->55 61 Multi AV Scanner detection for submitted file 2->61 63 .NET source code contains potential unpacker 2->63 65 .NET source code references suspicious native API functions 2->65 67 5 other signatures 2->67 8 msiexec.exe 94 51 2->8         started        12 ScreenConnect.ClientService.exe 2 5 2->12         started        15 statsment.exe 5 2->15         started        signatures3 process4 dnsIp5 35 ScreenConnect.Wind...dentialProvider.dll, PE32+ 8->35 dropped 37 C:\...\ScreenConnect.WindowsClient.exe, PE32 8->37 dropped 39 C:\...\ScreenConnect.ClientService.exe, PE32 8->39 dropped 43 10 other files (1 malicious) 8->43 dropped 73 Enables network access during safeboot for specific services 8->73 75 Modifies security policies related information 8->75 17 msiexec.exe 8->17         started        19 msiexec.exe 1 8->19         started        21 msiexec.exe 8->21         started        57 yell64u.top 85.239.34.190, 49731, 8880 RAINBOW-HKRainbownetworklimitedHK Russian Federation 12->57 77 Reads the Security eventlog 12->77 79 Reads the System eventlog 12->79 23 ScreenConnect.WindowsClient.exe 3 12->23         started        26 ScreenConnect.WindowsClient.exe 2 12->26         started        41 C:\Users\user\AppData\...\statsment.exe.log, ASCII 15->41 dropped 81 Contains functionality to hide user accounts 15->81 28 msiexec.exe 6 15->28         started        file6 signatures7 process8 file9 31 rundll32.exe 11 17->31         started        69 Creates files in the system32 config directory 23->69 71 Contains functionality to hide user accounts 23->71 45 C:\Users\user\AppData\Local\...\MSICAFF.tmp, PE32 28->45 dropped signatures10 process11 file12 47 C:\Users\user\...\ScreenConnect.Windows.dll, PE32 31->47 dropped 49 C:\...\ScreenConnect.InstallerActions.dll, PE32 31->49 dropped 51 C:\Users\user\...\ScreenConnect.Core.dll, PE32 31->51 dropped 53 4 other files (none is malicious) 31->53 dropped 59 Contains functionality to hide user accounts 31->59 signatures13
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d19dbc6b0c0792df8f420c14ef25130052a81d481d38340a40194862ff0095cd
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d19dbc6b0c0792df8f420c14ef25130052a81d481d38340a40194862ff0095cd/
Threat name:
Win32.Ransomware.ScreenConnectTool
Create hunting rule
Status:
Malicious
First seen:
2024-12-13 02:07:41 UTC
File Type:
PE (Exe)
Extracted files:
174
AV detection:
13 of 38 (34.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2go3y2yma6jn7d2cbqko6jitabjkqhkidu4dicsadfegf7yasxgq._file
Verdict:
malicious
Label(s):
admintool_screenconnect
Create hunting rule
Similar samples:
02662ecf4b875e7ab204e212395900fcf47eb765180260b99f3517ed643bebed
ConnectWise
4db7803a3142fb22ba63631612943f91459eceb4e1ded7b88808f9cec74f87b0
ConnectWise
4e81851729d58f321bb83bdb03200f62bc5ee56e0703b2d609a3923a033d5b53
ConnectWise
64ca91a2446a8e567b24deea926bbdb34fd2dda221577787bbb62d07cbf0272d
ConnectWise
af0c898ab09223b4adb394e52928c835d144106ea382dd21418ae707687e4f76
ConnectWise
caf48e2a81a7b6acd412fef11fac9b5b4d716236ba23044bca21681b46511922
ConnectWise
error
ConnectWise
+ 364 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery persistence privilege_escalation
Link:
https://tria.ge/reports/241213-cmvsvsxjcn/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Boot or Logon Autostart Execution: Authentication Package
Checks computer location settings
Drops file in System32 directory
Event Triggered Execution: Component Object Model Hijacking
Enumerates connected drives
Sets service image path in registry
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/0ac774d2-dd69-4ed5-91bf-e379c63ac98c
Unpacked files
SH256 hash:
aa8fe440519915417730ec3399f330b32c8071065fc174f0d1ec37aeca1a3a09
MD5 hash:
28e158d55a02bc3b449e9a4b845e536c
SHA1 hash:
daa848501a2d3f6dfbe0da824156dcbf7afb4d00
Detections:
INDICATOR_RMM_ConnectWise_ScreenConnect
Create hunting rule
Link:
https://www.unpac.me/results/4870be56-e85a-42b3-9bfd-5eeaf4fd96cc/
Parent samples :
1f473e89717a811066269c38eb6a53a9a0ea0e5788190636b45622b74eaa4d53
6d7c89f55c50eb63071a1eb0ef8b212a8d87e42aa376fa63d433120b212b4a48
9fa76b4ab82376d9486f051b2a7f0e2f584243296f94b2b4b30ea24fae05edd3
85276b1893f8307a681f8c8b22c6d7eaa40620afcf987a7a22a4ab39f7300253
64ca91a2446a8e567b24deea926bbdb34fd2dda221577787bbb62d07cbf0272d
d19dbc6b0c0792df8f420c14ef25130052a81d481d38340a40194862ff0095cd
e1a3eb6e1ec31406443bfbe5067c1852706406a824a29c2490c8e1b73fcf0081
58ff97145ad54ff4900f10bedbecd4a926fb847b23cc0c26ad46f1a96c0a34e9
f435f6ed37b03147bc9ea44f2f291afde9a1c303452ecd3c64493a6c7504b03a
b17964f1729c74ab244e0322f3bac392063ae791380fbfa49bdf82a10e4cd7f0
SH256 hash:
abca7cf12937da14c9323c880ec490cc0e063d7a3eef2eac878cd25c84cf1660
MD5 hash:
9f823778701969823c5a01ef3ece57b7
SHA1 hash:
da733f482825ec2d91f9f1186a3f934a2ea21fa1
Detections:
INDICATOR_RMM_ConnectWise_ScreenConnect
Create hunting rule
SUSP_NET_Shellcode_Loader_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/4870be56-e85a-42b3-9bfd-5eeaf4fd96cc/
Parent samples :
aa1b77e4203f23734eee91f426b9167c579f3a075ddc45c42ac4714ddc56d03a
1172a51b9f3f9bb486d4cc11257facb25238351262acf297a314f6f3774dd053
cef038d63b561e927a0279b5bf7a07248b6ef80e89a5a75a4767b22eca240df3
4b29a54f59990f265e150f437518823f2e8b1e82604201c6e15301ddc09ee3df
b1668588b2c6cc2abea3af4b25949aef0afe18941b842bf338c9d8abc28907a2
415ed80ee0977b5fa793e50bea0539e157b5845af417ddd11ec1fab94409d4ad
56f2d60a446835b53f1ecb54fefebd55c0cfd8c4511a8a96f0e396ad8bc22dbb
b30acefcdf5ba41a18270ae8e79dd9ddb445a729ff67aade0abf3259592738ed
d014a441cee293d4696bfcb06d51816536312bf2f1d5ddfd224d4e6d8660f06b
9d77eb0fee359764d3362dbbafb96472cf549fe144d95b3fe9dc97d0b5828976
934a35f92555d0004e1fb78fd91f6dd33036afa329c0900969adb07305231f74
fd0198e078b123e91bf968c6457666b8d9f9b5e69eae273665994d1a4595b6aa
a337a28b1413ed787b4e313cfb04ffef6a4730cddc7543b18b6b8656e65111a0
ec0f1ec3f107b3559c97f1db4f9a1ae04481f2893c20b2e071f855309d7cc8ed
1f473e89717a811066269c38eb6a53a9a0ea0e5788190636b45622b74eaa4d53
6d7c89f55c50eb63071a1eb0ef8b212a8d87e42aa376fa63d433120b212b4a48
9fa76b4ab82376d9486f051b2a7f0e2f584243296f94b2b4b30ea24fae05edd3
85276b1893f8307a681f8c8b22c6d7eaa40620afcf987a7a22a4ab39f7300253
64ca91a2446a8e567b24deea926bbdb34fd2dda221577787bbb62d07cbf0272d
d19dbc6b0c0792df8f420c14ef25130052a81d481d38340a40194862ff0095cd
e1a3eb6e1ec31406443bfbe5067c1852706406a824a29c2490c8e1b73fcf0081
58ff97145ad54ff4900f10bedbecd4a926fb847b23cc0c26ad46f1a96c0a34e9
f435f6ed37b03147bc9ea44f2f291afde9a1c303452ecd3c64493a6c7504b03a
b17964f1729c74ab244e0322f3bac392063ae791380fbfa49bdf82a10e4cd7f0
SH256 hash:
9342c7be8036a5f8dc3895d75e3314dce961fd3bc70ee59928c67fa04f0c7e08
MD5 hash:
5419ff27205d3e5affa3fc18b811b843
SHA1 hash:
cf49072c50456381cd26cd32cb97606c5f5cfd26
Link:
https://www.unpac.me/results/4870be56-e85a-42b3-9bfd-5eeaf4fd96cc/
SH256 hash:
ad6062215032ab58369403b1221562b5e7fb5ae7d52b29b7fad69eefb2d8455b
MD5 hash:
723f2aaeeda1d2bb2f49322da349ffc9
SHA1 hash:
ac6ab994beaff69adf8a2dc480a8a628175ff6c8
Link:
https://www.unpac.me/results/4870be56-e85a-42b3-9bfd-5eeaf4fd96cc/
SH256 hash:
4d4bf19ad99827f63dd74649d8f7244fc8e29330f4d80138c6b64660c8190a53
MD5 hash:
16c4f1e36895a0fa2b4da3852085547a
SHA1 hash:
ab068a2f4ffd0509213455c79d311f169cd7cab8
Detections:
INDICATOR_RMM_ConnectWise_ScreenConnect
Create hunting rule
Link:
https://www.unpac.me/results/4870be56-e85a-42b3-9bfd-5eeaf4fd96cc/
Parent samples :
1f473e89717a811066269c38eb6a53a9a0ea0e5788190636b45622b74eaa4d53
6d7c89f55c50eb63071a1eb0ef8b212a8d87e42aa376fa63d433120b212b4a48
9fa76b4ab82376d9486f051b2a7f0e2f584243296f94b2b4b30ea24fae05edd3
85276b1893f8307a681f8c8b22c6d7eaa40620afcf987a7a22a4ab39f7300253
64ca91a2446a8e567b24deea926bbdb34fd2dda221577787bbb62d07cbf0272d
d19dbc6b0c0792df8f420c14ef25130052a81d481d38340a40194862ff0095cd
e1a3eb6e1ec31406443bfbe5067c1852706406a824a29c2490c8e1b73fcf0081
58ff97145ad54ff4900f10bedbecd4a926fb847b23cc0c26ad46f1a96c0a34e9
f435f6ed37b03147bc9ea44f2f291afde9a1c303452ecd3c64493a6c7504b03a
b17964f1729c74ab244e0322f3bac392063ae791380fbfa49bdf82a10e4cd7f0
4d4bf19ad99827f63dd74649d8f7244fc8e29330f4d80138c6b64660c8190a53
SH256 hash:
19ac323ca6eae2f8145cdc2bac865b32cd5a48ad6ff199d4ca7da214b056e1dc
MD5 hash:
5fb6074b08ac4709cf2f29fa5b49023e
SHA1 hash:
8bbb78a47c08867c50572f0bd2a27171f91e0454
Link:
https://www.unpac.me/results/4870be56-e85a-42b3-9bfd-5eeaf4fd96cc/
SH256 hash:
5164d463aeafaa823a9243aac8c1089c385a9862c9b241a422314d77be79484e
MD5 hash:
4e06c9b26c08c8565262f8fda7c3df96
SHA1 hash:
6bb28fe89787286ed5b0b775e6f573fc41da8881
Link:
https://www.unpac.me/results/4870be56-e85a-42b3-9bfd-5eeaf4fd96cc/
SH256 hash:
d4803e18440d3c72fec6ba517e45cb13a5d902acc916c0ef050338bb20c720a2
MD5 hash:
81878abbb311b94b89476b9312785ba0
SHA1 hash:
290e243c5a81c66d993d5fc83df4eb7e8452cda0
Detections:
INDICATOR_RMM_ConnectWise_ScreenConnect
Create hunting rule
Link:
https://www.unpac.me/results/4870be56-e85a-42b3-9bfd-5eeaf4fd96cc/
Parent samples :
1f473e89717a811066269c38eb6a53a9a0ea0e5788190636b45622b74eaa4d53
6d7c89f55c50eb63071a1eb0ef8b212a8d87e42aa376fa63d433120b212b4a48
9fa76b4ab82376d9486f051b2a7f0e2f584243296f94b2b4b30ea24fae05edd3
85276b1893f8307a681f8c8b22c6d7eaa40620afcf987a7a22a4ab39f7300253
64ca91a2446a8e567b24deea926bbdb34fd2dda221577787bbb62d07cbf0272d
d19dbc6b0c0792df8f420c14ef25130052a81d481d38340a40194862ff0095cd
e1a3eb6e1ec31406443bfbe5067c1852706406a824a29c2490c8e1b73fcf0081
58ff97145ad54ff4900f10bedbecd4a926fb847b23cc0c26ad46f1a96c0a34e9
f435f6ed37b03147bc9ea44f2f291afde9a1c303452ecd3c64493a6c7504b03a
b17964f1729c74ab244e0322f3bac392063ae791380fbfa49bdf82a10e4cd7f0
SH256 hash:
ac7721f50829c6b569cdf6ef8d516c89f10a89165b38f9ddb608e8c7844b2108
MD5 hash:
5fe7a9b6ce2c7a379ee6a9ccff85eb51
SHA1 hash:
2506a5fe1e61def362610057ba36ebca0a181dee
Link:
https://www.unpac.me/results/4870be56-e85a-42b3-9bfd-5eeaf4fd96cc/
SH256 hash:
289a4eea79baa4141744e44d60db713e18b5f23322663c63047962f51b467614
MD5 hash:
48979a1a6d3badea8124bce04b1e01a5
SHA1 hash:
06931bd96343ce167eda796112a30ca8d9fa536a
Link:
https://www.unpac.me/results/4870be56-e85a-42b3-9bfd-5eeaf4fd96cc/
SH256 hash:
8a55c15cc76e31042e17458c479772aa95bc1b908016c85b1dc8b8e3eff23254
MD5 hash:
decb1fd20d75e6eade9289cc24605f29
SHA1 hash:
5169602d641c4f2ebd9ca0639622949e00c25566
Link:
https://www.unpac.me/results/4870be56-e85a-42b3-9bfd-5eeaf4fd96cc/
SH256 hash:
d19dbc6b0c0792df8f420c14ef25130052a81d481d38340a40194862ff0095cd
MD5 hash:
321132051c3add66f0cdae4b8cf4c332
SHA1 hash:
8513ae78b78f157fdd8800f2eda654c75332cd4b
Link:
https://www.unpac.me/results/4870be56-e85a-42b3-9bfd-5eeaf4fd96cc/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d19dbc6b0c0792df8f420c14ef25130052a81d481d38340a40194862ff0095cd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_EXE_DotNET_Encrypted
Create hunting rule
Author:ditekSHen
Description:Detects encrypted or obfuscated .NET executables
Rule name:INDICATOR_RMM_ConnectWise_ScreenConnect
Create hunting rule
Author:ditekSHen
Description:Detects ConnectWise Control (formerly ScreenConnect). Review RMM Inventory
Rule name:INDICATOR_RMM_ConnectWise_ScreenConnect_CERT
Create hunting rule
Author:ditekSHen
Description:Detects ConnectWise Control (formerly ScreenConnect) by (default) certificate. Review RMM Inventory
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_OLE_file_magic_number
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:RansomPyShield_Antiransomware
Create hunting rule
Author:XiAnzheng
Description:Check for Suspicious String and Import combination that Ransomware mostly abuse(can create FP)
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

anyrun
any.run
https://app.any.run/tasks/f5034da8-b4e3-432c-b641-0723eaa10e0f
  
Delivery method
Distributed via e-mail link
  
URLhaus
https://urlhaus.abuse.ch/url/3347292/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_TRUST_INFORequires Elevated Execution (level:requireAdministrator)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineA
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW

Comments