MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d53bf41616a88bda36fcc57594529271ac4abf4a568cac98af802592145d0396. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 8



SHA256 hash: d53bf41616a88bda36fcc57594529271ac4abf4a568cac98af802592145d0396
SHA3-384 hash: 112a1925c695a631d67e2a7a594c53ec1e0beb892201f6285277685e2c11c0f4d7bd8ed7c1bd66898cc52c3cf68924a5
SHA1 hash: 486ee4ab017093d6e5916242fc1850c88d3f0bfa
MD5 hash: 8a886bf8b3fe0dcb20aeca62ee005310
humanhash: twenty-hotel-yellow-fillet
File name: SecuriteInfo.com.Trojan.MulDrop27.1047.540.14781
File size: 2'654'792 bytes
First seen: 2024-04-28 09:31:46 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 0ae9e38912ff6bd742a1b9e5c003576a (10 x DCRat, 7 x RedLineStealer, 4 x AsyncRAT)
ssdeep: 49152:eILChUWDtNbT8Ad8GLLG+c1V3FDfm1VPtiQnGgyQ9OvdC:eZUIPH58iy+WvjmXPRnGgyQ9J
TLSH: T105C52301B6C285B2E9E319321E688F21A1BDBD602F71C5CBE3A4591CDE226D0D7357B7
TrID: 89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
      3.5% (.EXE) Win64 Executable (generic) (10523/12/4)
      2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      1.5% (.EXE) Win32 Executable (generic) (4504/4/1)
dhash icon: 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter: SecuriteInfoCom
Tags: exe signed

Code Signing Certificate

Organisation: Bitsum LLC
Issuer: DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Algorithm: sha256WithRSAEncryption
Valid from: 2023-02-07T00:00:00Z
Valid to: 2025-03-08T23:59:59Z
Serial number: 0b494d7df02097107b9065025133fe92
Intelligence: 27 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint algorithm: SHA256
Thumbprint: b309179e6516e33d374264683b0751db5f23b09e625ff0b6a4163df28051d08c
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 1
# of downloads: 281
Origin country: FR

Vendor Threat Intelligence

Result
Malware family: n/a
ID: 1
File name: d53bf41616a88bda36fcc57594529271ac4abf4a568cac98af802592145d0396.exe
Verdict: Malicious activity
Analysis date: 2024-04-28 09:53:07 UTC
Tags: n/a
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour:
Creating a window
Searching for the window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file
Creating a process from a recently created file
Enabling autorun by creating a file

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: n/a
Detection: clean
Classification: evad
Score: 9 / 100
Behaviour:
Behavior graph: n/a
Verdict: unknown

Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour:
Checks processor information in registry
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Unpacked files

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits

Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants

Rule name: SelfExtractingRAR
Author: Xavier Mertens
Description: Detects an SFX archive with automatic script execution

Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

ID: CHECK_DLL_CHARACTERISTICS
Title: Missing DLL security characteristics (HIGH_ENTROPY_VA)
Severity: high

Reviews

ID: GDI_PLUS_API
Capabilities: Interfaces with Graphics
Evidence: gdiplus.dll::GdiplusStartup, gdiplus.dll::GdiplusShutdown, gdiplus.dll::GdipAlloc

ID: WIN32_PROCESS_API
Capabilities: Can Create Process and Threads
Evidence: KERNEL32.dll::CloseHandle, KERNEL32.dll::CreateThread

ID: WIN_BASE_API
Capabilities: Uses Win Base API
Evidence: KERNEL32.dll::TerminateProcess, KERNEL32.dll::LoadLibraryW, KERNEL32.dll::LoadLibraryExA, KERNEL32.dll::LoadLibraryExW, KERNEL32.dll::GetSystemInfo, KERNEL32.dll::GetStartupInfoW

ID: WIN_BASE_EXEC_API
Capabilities: Can Execute other programs
Evidence: KERNEL32.dll::AllocConsole, KERNEL32.dll::AttachConsole, KERNEL32.dll::WriteConsoleW, KERNEL32.dll::FreeConsole, KERNEL32.dll::SetStdHandle, KERNEL32.dll::GetConsoleMode, KERNEL32.dll::GetConsoleCP

ID: WIN_BASE_IO_API
Capabilities: Can Create Files
Evidence: KERNEL32.dll::CreateDirectoryW, KERNEL32.dll::CreateHardLinkW, KERNEL32.dll::CreateFileW, KERNEL32.dll::CreateFileMappingW, KERNEL32.dll::DeleteFileW, KERNEL32.dll::MoveFileW, KERNEL32.dll::MoveFileExW
