MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d94f63eedb883ab2522c75588c0649522c5446f5656c991bcd9f6938a0a96802. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 12

Intelligence 12 IOCs YARA 17 File information Comments

SHA256 hash:	d94f63eedb883ab2522c75588c0649522c5446f5656c991bcd9f6938a0a96802
SHA3-384 hash:	41df1f083fb052446aa005202ea25a6b4d0257b2e77585eec7105429138c6a026f37702fc70ef7ac7b5c3e51aaf2e438
SHA1 hash:	db957a4da7e3379a30ae7d69103990bd89a7a1e0
MD5 hash:	0eef59fa1aed10b91b7c7307779d6a18
humanhash:	saturn-seven-equal-hydrogen
File name:	SecuriteInfo.com.FileRepMalware.13084.12273
Download:	download sample
File size:	16'499'080 bytes
First seen:	2024-08-16 03:18:30 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	1da59de0049ae54983368df17b8da055
ssdeep	196608:vaouFM0L3LV8/yR2n4m0k1EnLmKt8ENMREUUVnf9kaivVWBIO:vaouFM0L327tOnLqeM3if9k
Threatray	1 similar samples on MalwareBazaar
TLSH	T12DF6C012FBA38EF2DCD2007095BEBB7A892A9C34073446D35761796DA8722D1153B3DE
TrID	49.9% (.EXE) Win64 Executable (generic) (10523/12/4) 21.3% (.EXE) Win32 Executable (generic) (4504/4/1) 9.6% (.EXE) OS/2 Executable (generic) (2029/13) 9.5% (.EXE) Generic Win/DOS Executable (2002/3) 9.4% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):
dhash icon	e1c48e3b91745185
Reporter	SecuriteInfoCom
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

448

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.FileRepMalware.13084.12273

Verdict:

Malicious activity

Analysis date:

2024-08-16 03:20:46 UTC

Tags:

netreactor crypto-regex

Link:

https://app.any.run/tasks/c4c6a2ba-dd1e-4e7c-b139-644bd940ee13

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.FileRepMalware.13084.12273.UNOFFICIAL

Verdict:

Malicious

Score:

98.2%

Link:

https://cyber-fortress.com/docs/result/index.php?id=66bec52aaa5b40be0aa0444c

Tags:

Stealth

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-vm crypto epmicrosoft_visual_cc evasive eventvwr expand explorer fingerprint keylogger lolbin microsoft_visual_cc overlay packed regedit remote rundll32 shell32

Link:

https://www.filescan.io/uploads/66bec52932f6d05ff3cdca17/reports/3a35f7fb-c607-4417-99aa-50c81d17cf1d/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/d94f63eedb883ab2522c75588c0649522c5446f5656c991bcd9f6938a0a96802

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/84514c08-61ea-496d-b814-2e9d5ad601fc

Result

Threat name:

n/a

Detection:

malicious

Classification:

evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/1493667

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected Costura Assembly Loader

Behaviour

Behavior Graph:

Download SVG

Score:

51%

Verdict:

Susipicious

File Type:

Link:

https://malprob.io/report/d94f63eedb883ab2522c75588c0649522c5446f5656c991bcd9f6938a0a96802

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d94f63eedb883ab2522c75588c0649522c5446f5656c991bcd9f6938a0a96802/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3fhwh3w3ra5leurmovmiybsjkiwfirxvmvwjsg6nt5utrifjnaba._file

Verdict:

malicious

Result

Malware family:

n/a

Score:

10/10

Tags:

discovery

Link:

https://tria.ge/reports/240816-dt6pdawgmj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Suspicious use of NtCreateUserProcessOtherParentProcess

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/acf22cf4-c845-4365-a9da-797ec289c49c

Unpacked files

SH256 hash:

4eac5d100f4b7189f616564fa11585b7d429435fdb2f072c9677e8195254b295

MD5 hash:

694c12697765c919e98285d7ff0b5de5

SHA1 hash:

c3a779ec6246e1370193cf6bc762f596fcdad3a4

Link:

https://www.unpac.me/results/7184291e-1546-45fa-96f5-b90a58587d80/

SH256 hash:

19efdf03cb94895935225795f68bb9abfded1869687367013b8b4eee3cc99372

MD5 hash:

4e29f75c0c51b9dec76955f0382d9541

SHA1 hash:

4899aa8e3f57339cbaec8faab777897a76fe1c3a

Link:

https://www.unpac.me/results/7184291e-1546-45fa-96f5-b90a58587d80/

SH256 hash:

78f73e1734daa918b253517c75971fbb8df773a3d77d02a752e9a0ad1711a677

MD5 hash:

f9d2985aa1c41cca281321fffb5ed424

SHA1 hash:

3a7a58d2dcae2762882357ae34d372744b1dbb9d

Link:

https://www.unpac.me/results/7184291e-1546-45fa-96f5-b90a58587d80/

SH256 hash:

20772dc90205a7a6768d761dec8579b07c75228f0e156e37ef0948bfd4afbf6d

MD5 hash:

7b140a5dc7d82570ef8c51d06461880b

SHA1 hash:

33cf5ee72c07d88ca953a7c05c4b83e482dcb825

Link:

https://www.unpac.me/results/7184291e-1546-45fa-96f5-b90a58587d80/

SH256 hash:

5ca46368cd7eaa4dab5558a6e17a3c358f590fe70f33df27e69a230fed4602fd

MD5 hash:

896f33594b9f364e50bdaf8119442938

SHA1 hash:

279361fa7ee6567f3bbe177ee484d828786910d1

Link:

https://www.unpac.me/results/7184291e-1546-45fa-96f5-b90a58587d80/

SH256 hash:

0b76996f94f3bad1cc00f09bb5850340f772fd841d9b0d4c96aad4b76d54b50c

MD5 hash:

cdfa40ebefc841f1a94249616541bbd3

SHA1 hash:

8465eccd0d7d698e5bce03516fafd407c7152731

Detections:

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/7184291e-1546-45fa-96f5-b90a58587d80/

SH256 hash:

d94f63eedb883ab2522c75588c0649522c5446f5656c991bcd9f6938a0a96802

MD5 hash:

0eef59fa1aed10b91b7c7307779d6a18

SHA1 hash:

db957a4da7e3379a30ae7d69103990bd89a7a1e0

Link:

https://www.unpac.me/results/7184291e-1546-45fa-96f5-b90a58587d80/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/d94f63eedb88/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d94f63eedb883ab2522c75588c0649522c5446f5656c991bcd9f6938a0a96802

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	adonunix2 Create hunting rule
Author:	Tim Brown @timb_machine
Description:	AD on UNIX

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	BLOWFISH_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for Blowfish constants

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	SHA512_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA384/SHA512 constants

Rule name:	WHIRLPOOL_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for WhirlPool constants

Rule name:	with_urls Create hunting rule
Author:	Antonio Sanchez <asanchez@hispasec.com>
Description:	Rule to detect the presence of an or several urls
Reference:	http://laboratorio.blogs.hispasec.com/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Reviews

ID	Capabilities	Evidence
COM_BASE_API	Can Download & Execute components	ole32.dll::CoCreateInstance ole32.dll::CreateStreamOnHGlobal
GDI_PLUS_API	Interfaces with Graphics	gdiplus.dll::GdiplusStartup gdiplus.dll::GdiplusShutdown gdiplus.dll::GdipDeleteGraphics gdiplus.dll::GdipDeleteBrush gdiplus.dll::GdipAlloc gdiplus.dll::GdipCreateFromHDC
MULTIMEDIA_API	Can Play Multimedia	WINMM.dll::PlaySoundW GDI32.dll::StretchDIBits
SHELL_API	Manipulates System Shell	SHELL32.dll::ShellExecuteExW SHELL32.dll::ShellExecuteA SHELL32.dll::ShellExecuteW SHELL32.dll::SHFileOperationW
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CreateProcessW KERNEL32.dll::CloseHandle KERNEL32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::CreateFiberEx KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryW KERNEL32.dll::LoadLibraryExW KERNEL32.dll::LoadLibraryExA KERNEL32.dll::LoadLibraryA
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::WriteConsoleW KERNEL32.dll::ReadConsoleW KERNEL32.dll::ReadConsoleA KERNEL32.dll::SetConsoleCtrlHandler KERNEL32.dll::SetConsoleMode KERNEL32.dll::SetStdHandle
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CopyFileW KERNEL32.dll::CreateDirectoryW KERNEL32.dll::CreateFileA KERNEL32.dll::CreateFileMappingA KERNEL32.dll::CreateFileW KERNEL32.dll::DeleteFileA KERNEL32.dll::DeleteFileW
WIN_BASE_USER_API	Retrieves Account Information	ADVAPI32.dll::GetUserNameW
WIN_CRYPT_API	Uses Windows Crypt API	CRYPT32.dll::CertDuplicateCertificateContext CRYPT32.dll::CertEnumCertificatesInStore CRYPT32.dll::CertFindCertificateInStore CRYPT32.dll::CertFreeCertificateContext CRYPT32.dll::CertGetCertificateContextProperty CRYPT32.dll::CertOpenStore
WIN_NETWORK_API	Supports Windows Networking	MPR.dll::WNetEnumResourceA MPR.dll::WNetOpenEnumA
WIN_REG_API	Can Manipulate Windows Registry	ADVAPI32.dll::RegCreateKeyExW ADVAPI32.dll::RegOpenKeyExW ADVAPI32.dll::RegQueryValueExW ADVAPI32.dll::RegQueryValueExA ADVAPI32.dll::RegSetValueExW ADVAPI32.dll::RegSetValueExA
WIN_SOCK_API	Uses Network to send and receive data	WS2_32.dll::WSAIoctl
WIN_USER_API	Performs GUI Actions	USER32.dll::AppendMenuA USER32.dll::CreateMenu USER32.dll::EmptyClipboard USER32.dll::FindWindowExA USER32.dll::FindWindowA USER32.dll::OpenClipboard

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample