MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d5628dd0e0710c14d9241a3eb0871dfa4fccf0888f6503d8b9a794cb5e8e6d71. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d5628dd0e0710c14d9241a3eb0871dfa4fccf0888f6503d8b9a794cb5e8e6d71
SHA3-384 hash: 57b18dc2b574253cdc7a51780a3c4187a61b1b3f532acbcc128681d87613d25af30b7d5ed73e23e00035966446001e29
SHA1 hash: 7bc926cf52aa4c390cb7d6ac5756a9b95f6e8fb2
MD5 hash: a4590450863f13aa67198ec0fe52453e
humanhash: india-arkansas-skylark-mississippi
File name:SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617
Download: download sample
File size:69'484'987 bytes
First seen:2024-08-04 14:21:40 UTC
Last seen:2024-08-04 15:15:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b34f154ec913d2d2c435cbd644e91687 (533 x GuLoader, 110 x RemcosRAT, 80 x EpsilonStealer)
ssdeep 1572864:GrziNx5qUJsrnLn3ttl5lWSehqFfIxi+blIowRjnMUlS/tf/7:5x5qUJsrL3t5lWTjigwRjnBQ/9/7
TLSH T1FCE733D09FE8B517C3CC29FE58C4D7F23D9AD7A195B7D062A26524A3F68305D8A40C8B
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
dhash icon f2ceaeaeb2968eaa (68 x RedLineStealer, 21 x AgentTesla, 18 x AveMariaRAT)
Reporter SecuriteInfoCom
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
310
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617
Verdict:
Malicious activity
Analysis date:
2024-08-04 14:29:38 UTC
Tags:
stealer
Link:
https://app.any.run/tasks/58d04a12-54b0-44e1-a49c-8987d926c499

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66af8e99037b02d0daed8d41
Tags:
Discovery Execution Generic Network Stealth
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Searching for the window
Сreating synchronization primitives
Creating a process from a recently created file
Creating a window
Creating a file
DNS request
Running batch commands
Creating a process with a hidden window
Launching a process
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Reading critical registry keys
Unauthorized injection to a recently created process
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Connection attempt
Sending a custom TCP request
Changing a file
Stealing user critical data
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
installer lolbin microsoft_visual_cc overlay packed shell32
Link:
https://www.filescan.io/uploads/66af8e902d2273a01ebe4b71/reports/a3cf9239-c1eb-4612-9961-324cb1f025dc/overview
Verdict:
Suspicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/d5628dd0e0710c14d9241a3eb0871dfa4fccf0888f6503d8b9a794cb5e8e6d71
Result
Verdict:
MALICIOUS
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1487580
Signature
AI detected suspicious sample
Drops large PE files
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1487580 Sample: SecuriteInfo.com.HEUR.Troja... Startdate: 04/08/2024 Architecture: WINDOWS Score: 60 57 www.setekshome.com 2->57 59 ws-eu.pusher.com 2->59 61 6 other IPs or domains 2->61 73 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->73 75 AI detected suspicious sample 2->75 9 SecuriteInfo.com.HEUR.Trojan.Script.Generic.5591.10617.exe 179 2->9         started        signatures3 process4 file5 43 C:\Users\user\AppData\Local\...\defender.exe, PE32+ 9->43 dropped 45 C:\Users\user\AppData\Local\...\nsis7z.dll, PE32 9->45 dropped 47 C:\Users\user\AppData\Local\...\System.dll, PE32 9->47 dropped 49 12 other files (none is malicious) 9->49 dropped 77 Drops large PE files 9->77 13 defender.exe 58 9->13         started        signatures6 process7 dnsIp8 67 setekshome.com 185.111.234.27, 443, 49712, 49713 TR-FBSTR Turkey 13->67 69 clientstats1-dummy-server-lb-398743415.us-east-1.elb.amazonaws.com 3.222.214.216, 443, 49732 AMAZON-AESUS United States 13->69 71 3 other IPs or domains 13->71 51 C:\Users\user\AppData\Local\...\webdata.db, SQLite 13->51 dropped 53 C:\Users\user\AppData\Local\...\passwords.db, SQLite 13->53 dropped 55 31dd1108-f1cf-4a57...8839a99b19.tmp.node, PE32+ 13->55 dropped 79 Tries to harvest and steal browser information (history, passwords, etc) 13->79 18 defender.exe 7 13->18         started        21 cmd.exe 1 13->21         started        23 cmd.exe 1 13->23         started        25 5 other processes 13->25 file9 signatures10 process11 dnsIp12 63 chrome.cloudflare-dns.com 162.159.61.3, 443, 49722 CLOUDFLARENETUS United States 18->63 65 172.64.41.3, 443, 49723 CLOUDFLARENETUS United States 18->65 27 powershell.exe 15 21->27         started        29 conhost.exe 21->29         started        31 powershell.exe 15 23->31         started        33 conhost.exe 23->33         started        35 tasklist.exe 1 25->35         started        37 tasklist.exe 1 25->37         started        39 conhost.exe 25->39         started        41 conhost.exe 25->41         started        process13
Score:
66%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/d5628dd0e0710c14d9241a3eb0871dfa4fccf0888f6503d8b9a794cb5e8e6d71
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2vri3uhaoegbjwjedi7lbby57jh4z4eir5sqhwfzu6kmwxuonvyq._file
Verdict:
unknown
Result
Malware family:
n/a
Score:
  9/10
Tags:
credential_access discovery spyware stealer
Link:
https://tria.ge/reports/240804-rpks1a1gma/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
An obfuscated cmd.exe command-line is typically used to evade detection.
Enumerates processes with tasklist
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Credentials from Password Stores: Credentials from Web Browsers
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/02d2c931-84de-4a7b-8d8f-6eae2a09c1e4
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe d5628dd0e0710c14d9241a3eb0871dfa4fccf0888f6503d8b9a794cb5e8e6d71

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3088222/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::SetFileSecurityW
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExW
SHELL32.dll::SHFileOperationW
SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetDiskFreeSpaceW
KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileExW
KERNEL32.dll::MoveFileW
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegDeleteKeyW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuW
USER32.dll::EmptyClipboard
USER32.dll::FindWindowExW
USER32.dll::OpenClipboard
USER32.dll::PeekMessageW
USER32.dll::CreateWindowExW

Comments