MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d4f545691c8441b5bcb86535b1d0fd16dc06786eb4080087588cd4d0f388d5ca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 7



SHA256 hash: d4f545691c8441b5bcb86535b1d0fd16dc06786eb4080087588cd4d0f388d5ca
SHA3-384 hash: 7af61cd7084554313f2152d7decd178af81346da8c9f76806387e5e22a5f2337ff490271d8585d907ceb77b74686d848
SHA1 hash: 7b6ee77b31561d5d1ce924c28f8e6853dcbf59f1
MD5 hash: 33b9d824c3bcaa9edde14b2eee238d35
humanhash: idaho-thirteen-winter-purple
File name: installer.exe
File size: 6'656'000 bytes
First seen: 2023-04-04 15:58:49 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: ba5546933531fafa869b1f86a4e2a959 (10 x DCRat, 3 x RedLineStealer, 2 x RemcosRAT)
ssdeep: 196608:jozKCnCsXDjDyfeNJm3AqkdJolpPgToab:MzKcCEDd/m3paJ83ab
Threatray: 175 similar samples on MalwareBazaar
TLSH: T1C966338A97E109EDEC67A13EDD568907DAA13C2B0354C38B02A5175B6F375B21C3BF12
TrID: 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
      23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
      9.3% (.EXE) OS/2 Executable (generic) (2029/13)
      9.2% (.EXE) Generic Win/DOS Executable (2002/3)
      9.2% (.EXE) DOS Executable Generic (2000/1)
dhash icon: 182b4d5d84f0f0b2 (9 x Formbook, 8 x AgentTesla, 6 x RemcosRAT)
Reporter: sans_isc
Tags: backdoor, efile.com, exe


sans_isc
JavaScript on efile.com sent victims to a fake error page asking them to download this "browser update". This file was offered to Firefox users. A similar file (update.exe) was offered to Chrome users.

Intelligence


File Origin
# of uploads: 1
# of downloads: 316
Origin country: US
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: installer-firefox.exe
Verdict: No threats detected
Analysis date: 2023-04-04 08:35:05 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Clean
Maliciousness: (not given)
Behaviour
Searching for the window
Sending a custom TCP request
Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
MeasuringTime
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: greyware, overlay, packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: n/a
Score: 48 / 100
Signature
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph (ID 841112): Sample installer.exe, start date 04/04/2023, architecture WINDOWS, score 48. Signature: Multi AV Scanner detection for submitted file. Process tree: installer.exe started, which started conhost.exe.
Result
Malware family: n/a
Score: 3/10
Tags: pyinstaller
Unpacked files
SHA256 hash: d4f545691c8441b5bcb86535b1d0fd16dc06786eb4080087588cd4d0f388d5ca
MD5 hash: 33b9d824c3bcaa9edde14b2eee238d35
SHA1 hash: 7b6ee77b31561d5d1ce924c28f8e6853dcbf59f1
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: PyInstaller
Author: @bartblaze
Description: Identifies executable converted using PyInstaller.

Rule name: Suspicious_Macro_Presence
Author: Mehmet Ali Kerimoglu (CYB3RMX)
Description: This rule detects common malicious/suspicious implementations.

Rule name: upxHook
Author: @r3dbU7z
Description: Detect artifacts from 'upxHook' - modification of UPX packer
Reference: https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
File type: Executable exe
SHA256: d4f545691c8441b5bcb86535b1d0fd16dc06786eb4080087588cd4d0f388d5ca (this sample)

Comments