MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d2c3e10aaca5234fb3feecc01e5637170f1b60f02dc676fe5ea7c54f1b97b7ad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 12


Intelligence 12 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d2c3e10aaca5234fb3feecc01e5637170f1b60f02dc676fe5ea7c54f1b97b7ad
SHA3-384 hash: efc141acc2ec55c694185bcf4c5f2e58c57fdae7f9afa17d8e5ddb93093ebabaef21cac4512a63074987d6382b684692
SHA1 hash: 35b7cf02001365714a75861809ba59c462e253d8
MD5 hash: 48646c40120925c774754e5de36c33cc
humanhash: november-arkansas-uniform-uncle
File name:file
Download: download sample
File size:5'069'003 bytes
First seen:2024-10-14 12:55:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1ff847646487d56f85778df99ff3728a (4 x RedLineStealer, 3 x Nitol, 2 x Gh0stRAT)
ssdeep 98304:O06FOznLo0+Dd6uxcr1N5njt2hlTziny/MzEm3B2+4VmDb55d:O3F6n80W6uGrth4Jz/OEG4eb1
TLSH T14E362347F283D4B1D5A601B408669B724A756C3283BAD5E76FD0396E9E303D0EB3364B
TrID 38.3% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
20.7% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
17.7% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
7.0% (.EXE) Win64 Executable (generic) (10522/11/4)
4.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
Magika pebin
File icon (PE):PE icon
dhash icon fadadac2a2b8c4e4 (11 x Nitol, 2 x Amadey, 2 x AgentTesla)
Reporter jstrosch
Tags:exe


Avatar
jstrosch
Found at hxxp://xmsecu[.]com:8080/ocx/NewActive.exe by #subcrawl

Intelligence

File Origin
# of uploads :
1
# of downloads :
349
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
NewActive.exe
Verdict:
Malicious activity
Analysis date:
2023-11-30 21:03:54 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5cfeea68-0210-4738-91ac-fda938c16162

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
MiscreantPunch.SingleXOR.EXE.7.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.BackDoor.IRC.Bot.4560.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=670d14e71d4ef219fa627bf5
Tags:
Powershell Dropper Extens Sage
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
epmicrosoft_visual_cc fingerprint installer lolbin microsoft_visual_cc obfuscated overlay packed shell32
Link:
https://www.filescan.io/uploads/670d14e6a3cc924e39fcb0d1/reports/d5fc5867-f770-43be-a046-22ccf30aadc1/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/d2c3e10aaca5234fb3feecc01e5637170f1b60f02dc676fe5ea7c54f1b97b7ad
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/36e71e10-5959-4251-9184-6cc0ee25a236
Result
Threat name:
n/a
Detection:
suspicious
Classification:
evad
Score:
24 / 100
Link:
https://www.joesandbox.com/analysis/1533247
Signature
PE file has a writeable .text section
Uses cmd line tools excessively to alter registry or file data
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1533247 Sample: file.exe Startdate: 14/10/2024 Architecture: WINDOWS Score: 24 39 PE file has a writeable .text section 2->39 8 file.exe 4 2->8         started        process3 file4 27 C:\Users\user\AppData\Local\...\lua5.1.dll, PE32 8->27 dropped 29 C:\Users\user\AppData\Local\...\irsetup.exe, PE32 8->29 dropped 11 irsetup.exe 7 71 8->11         started        process5 file6 31 C:\Windows31etSurveillance\uninstall.exe, PE32 11->31 dropped 33 C:\Windows33etSurveillance\lua5.1.dll, PE32 11->33 dropped 35 C:\Program Files (x86)\...\web.ocx, PE32 11->35 dropped 37 8 other files (none is malicious) 11->37 dropped 14 cmd.exe 1 11->14         started        17 regsvr32.exe 36 11->17         started        process7 signatures8 41 Uses cmd line tools excessively to alter registry or file data 14->41 19 conhost.exe 14->19         started        21 reg.exe 1 1 14->21         started        23 reg.exe 1 1 14->23         started        25 2 other processes 14->25 process9
Score:
63%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/d2c3e10aaca5234fb3feecc01e5637170f1b60f02dc676fe5ea7c54f1b97b7ad
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d2c3e10aaca5234fb3feecc01e5637170f1b60f02dc676fe5ea7c54f1b97b7ad/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2lb6ccvmuuru7m765tab4vrxc4hrwyhqfxdhn7s6u7cu6g4xw6wq._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery upx
Link:
https://tria.ge/reports/241014-p6cgvaweqe/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
UPX packed file
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/673b087c-9a8b-4569-a69d-0df3546645c5
Unpacked files
SH256 hash:
49bebfb07574706bbaeda581d5a4787bcf504cf7ef5a10dc66d7af0d670649ab
MD5 hash:
81525420c396a44a0b37a47ce1dc171a
SHA1 hash:
09d0f05e29e90b7830c9141bdd2bc752088d00b7
Detections:
win_samsam_auto
Create hunting rule
Link:
https://www.unpac.me/results/373779f1-f922-480d-b3b0-a39f996de21f/
SH256 hash:
2c6ae0d34f7faed40f34fa24c9855cbdc8ea03b83713233ccfc9621619d3aa55
MD5 hash:
bfdf7bd4dd8e7487e3e8a46f40c674a9
SHA1 hash:
069fc416c44406f71b57a1f764d9086bbd3e9f57
Link:
https://www.unpac.me/results/373779f1-f922-480d-b3b0-a39f996de21f/
SH256 hash:
1bf5cb77d079855e45f5aee9390b40dd65f1a1b1125702765f7f6b888f394726
MD5 hash:
92ecdd0c7df58be54bb63e1167b7515c
SHA1 hash:
e5c1dfafcd50022fb5d8147580b56c84ab03c2cc
Link:
https://www.unpac.me/results/373779f1-f922-480d-b3b0-a39f996de21f/
SH256 hash:
daaaac66dc6a98a3283f606ec85afe2cfccceae0a601c96e34565662899ba062
MD5 hash:
b3f39e348716e86e3f00e31c2bf63020
SHA1 hash:
86806b26c332c2c272d36691cf72d267bb816be6
Link:
https://www.unpac.me/results/373779f1-f922-480d-b3b0-a39f996de21f/
SH256 hash:
020a3e0813eec90b6245d77b830ee9aa473f5f86deeaacada1dc5a84abe28317
MD5 hash:
897ffd63f1f570f9654177a1d1d2f991
SHA1 hash:
102d67b8f79bf088b0567f0ddb414c142a5af2f3
Link:
https://www.unpac.me/results/373779f1-f922-480d-b3b0-a39f996de21f/
SH256 hash:
f14f35f95c1f0ea6e2d52d9f54016013b77abd5e170861b5585191fbc17adcff
MD5 hash:
9439bbc6c6fea58d47794af6ccd6d422
SHA1 hash:
21b3a633e1ce997e44bb72d590de318194ad5bf8
Link:
https://www.unpac.me/results/373779f1-f922-480d-b3b0-a39f996de21f/
SH256 hash:
a5ed52c9a3ac7704d3b6999e7c7622224ce307a7ffa9134bb5919f821769e821
MD5 hash:
168792361e4761e6f095d6cf49b5394e
SHA1 hash:
1173b27d15cca93a981e56b747f610ad7929ef94
Link:
https://www.unpac.me/results/373779f1-f922-480d-b3b0-a39f996de21f/
SH256 hash:
d2c3e10aaca5234fb3feecc01e5637170f1b60f02dc676fe5ea7c54f1b97b7ad
MD5 hash:
48646c40120925c774754e5de36c33cc
SHA1 hash:
35b7cf02001365714a75861809ba59c462e253d8
Detections:
SUSP_XORed_MSDOS_Stub_Message
Create hunting rule
Link:
https://www.unpac.me/results/373779f1-f922-480d-b3b0-a39f996de21f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d2c3e10aaca5234fb3feecc01e5637170f1b60f02dc676fe5ea7c54f1b97b7ad

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BLOWFISH_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_Malicious_VBScript_Base64
Create hunting rule
Author:daniyyell
Description:Detects malicious VBScript patterns, including Base64 decoding, file operations, and PowerShell.
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:SUSP_XORed_MSDOS_Stub_Message
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed MSDOS stub message
Reference:https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu
Rule name:UPXv20MarkusLaszloReiser
Create hunting rule
Author:malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe d2c3e10aaca5234fb3feecc01e5637170f1b60f02dc676fe5ea7c54f1b97b7ad

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3225160/
  
URLhaus
https://urlhaus.abuse.ch/url/3225162/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_TRUST_INFORequires Elevated Execution (level:requireAdministrator)high
Reviews
IDCapabilitiesEvidence
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::GetTokenInformation
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExA
WIN32_PROCESS_APICan Create Process and ThreadsADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetDiskFreeSpaceA
KERNEL32.dll::GetCommandLineA
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryA
KERNEL32.dll::DeleteFileA
KERNEL32.dll::MoveFileExA
KERNEL32.dll::GetFileAttributesA
KERNEL32.dll::RemoveDirectoryA
KERNEL32.dll::GetTempPathA
WIN_USER_APIPerforms GUI ActionsUSER32.dll::PeekMessageA

Comments