MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dbc32537a29f5eba5406aa3f2ae409eb52ea904e76c19a74bfb480a8c8c63d69. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Adware.Generic


Vendor detections: 12



SHA256 hash: dbc32537a29f5eba5406aa3f2ae409eb52ea904e76c19a74bfb480a8c8c63d69
SHA3-384 hash: a6e2a30114fafb50b3785f0f0f74a11120b7ac9ec6cc1c90eb219f11cae9c372a9691714e32ba874f182e9317f009c6d
SHA1 hash: 40a82d88b06e6be8ba82fab34b4a29305466202a
MD5 hash: dbb69ee00786bed3e12a04518e0f469a
humanhash: stairway-venus-enemy-lima
File name: SecuriteInfo.com.Adware.Elemental.22.28512.27778
Signature: Adware.Generic
File size: 2'182'176 bytes
First seen: 2024-03-29 18:17:45 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash e569e6f445d32ba23766ad67d1e3787f (262 x Adware.Generic, 41 x RecordBreaker, 24 x RedLineStealer)
ssdeep 24576:Y7FUDowAyrTVE3U5F/E3dwMzD3mseUwgjvKwX901alI4qKxKic6QL3E2vVsjECUG:YBuZrEU8FTleUTKae2KIy029s4C1eH92
TLSH T14CA5DF3FF268A13EC5AA1B3205B39310997BBA51A81A8C1F47FC344DCF765601E3B656
TrID 39.3% (.EXE) Inno Setup installer (107240/4/30)
21.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
15.7% (.EXE) InstallShield setup (43053/19/16)
15.2% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
3.8% (.EXE) Win64 Executable (generic) (10523/12/4)
dhash icon 5050d270cccc82ae (109 x Adware.Generic, 43 x LummaStealer, 42 x OffLoader)
Reporter SecuriteInfoCom
Tags: Adware.Generic exe signed

Code Signing Certificate

Organisation: OOO NBZ
Issuer: GlobalSign GCC R45 CodeSigning CA 2020
Algorithm: sha256WithRSAEncryption
Valid from: 2023-09-22T13:18:31Z
Valid to: 2024-12-03T13:05:00Z
Serial number: 01181b5dc7ef7467c6035c60
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm: SHA256
Thumbprint: a0c6e99eca1e36fbcee4434a33a8862414be13c68e7464dae8cb84914eef564e
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 1
# of downloads: 356
Origin country: FR
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: dbc32537a29f5eba5406aa3f2ae409eb52ea904e76c19a74bfb480a8c8c63d69.exe
Verdict: Malicious activity
Analysis date: 2024-03-29 18:18:00 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating synchronization primitives
Searching for synchronization primitives
DNS request
Connecting to a non-recommended domain
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
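The ANY.RUN behaviour pair "Creating a file in the %temp% subdirectories" followed by "Creating a process from a recently created file" is the installer-stage pattern that the behaviour graph further down shows in detail: the sample writes a .tmp stage under AppData\Local and then runs it. The Python below is an added example, not MalwareBazaar or ANY.RUN code, of that rule written over Sysmon-shaped file-create (EID 11) and process-create (EID 1) events. The event log is constructed for the example; the paths, timestamps and the 60-second window are assumptions.

```python
from datetime import datetime

# Sysmon event IDs used in the constructed log below
FILE_CREATE = 11      # Sysmon EID 11: file written
PROCESS_CREATE = 1    # Sysmon EID 1: process started

# Constructed events (assumption: not taken from the sandbox run). They
# imitate the chain reported above: a stage written to %TEMP% and executed
# seconds later, a second stage written and run by the first, plus two
# benign controls (a system process, and a download run two hours later).
EVENTS = [
    {"id": FILE_CREATE, "ts": "2024-03-29 16:00:00",
     "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\user\Downloads\report.exe"},
    {"id": FILE_CREATE, "ts": "2024-03-29 18:18:01",
     "image": r"C:\Users\user\Downloads\installer.exe",
     "target": r"C:\Users\user\AppData\Local\Temp\dropped\setup.tmp"},
    {"id": PROCESS_CREATE, "ts": "2024-03-29 18:18:03",
     "image": r"C:\Users\user\AppData\Local\Temp\dropped\setup.tmp",
     "parent": r"C:\Users\user\Downloads\installer.exe"},
    {"id": FILE_CREATE, "ts": "2024-03-29 18:18:05",
     "image": r"C:\Users\user\AppData\Local\Temp\dropped\setup.tmp",
     "target": r"C:\Users\user\AppData\Local\Temp\dropped\OperaGXSetup.exe"},
    {"id": PROCESS_CREATE, "ts": "2024-03-29 18:18:06",
     "image": r"C:\Users\user\AppData\Local\Temp\dropped\OperaGXSetup.exe",
     "parent": r"C:\Users\user\AppData\Local\Temp\dropped\setup.tmp"},
    {"id": PROCESS_CREATE, "ts": "2024-03-29 18:18:10",
     "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe"},
    {"id": PROCESS_CREATE, "ts": "2024-03-29 18:20:00",
     "image": r"C:\Users\user\Downloads\report.exe",
     "parent": r"C:\Windows\explorer.exe"},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def is_temp_path(path):
    """True for the per-user and system temp trees."""
    p = path.casefold()
    return "\\appdata\\local\\temp\\" in p or "\\windows\\temp\\" in p


def find_recent_file_exec(events, window_seconds=60):
    """Return process starts whose image was written within window_seconds.

    Events are replayed in timestamp order; the most recent writer of each
    path wins, and a process whose image was never seen being written (for
    example a pre-existing system binary) is ignored.
    """
    written = {}     # casefolded path -> (write time, writer image)
    findings = []
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        if ev["id"] == FILE_CREATE:
            written[ev["target"].casefold()] = (parse_ts(ev["ts"]), ev["image"])
        elif ev["id"] == PROCESS_CREATE:
            hit = written.get(ev["image"].casefold())
            if hit is None:
                continue
            created_at, writer = hit
            age = (parse_ts(ev["ts"]) - created_at).total_seconds()
            if 0 <= age <= window_seconds:
                findings.append({
                    "image": ev["image"],
                    "parent": ev["parent"],
                    "written_by": writer,
                    "age_seconds": age,
                    "in_temp": is_temp_path(ev["image"]),
                })
    return findings


if __name__ == "__main__":
    for f in find_recent_file_exec(EVENTS):
        print(f"{f['image']} started {f['age_seconds']:.0f}s after being "
              f"written by {f['written_by']}")
```

Expect noise from this rule on its own: any bootstrapper-style installer, including Inno Setup (the TrID match for this sample) and the Opera GX installer the sample bundles, writes a stage to %TEMP% and executes it. Treat the output as a correlation key to join with the other behaviours listed above (the DNS request to a non-recommended domain, the custom TCP request) rather than as a standalone alert.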
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: fingerprint installer lolbin overlay packed setupapi shell32
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: n/a
Detection: suspicious
Classification: rans.spyw.evad
Score: 38 / 100
Signature
Contains functionality to register a low level keyboard hook
Found direct / indirect Syscall (likely to bypass EDR)
Installs a global event hook (focus changed)
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Writes many files with high entropy
Behaviour
Behavior Graph (ID 1417615; sample SecuriteInfo.com.Adware.Ele...; start date 29/03/2024; architecture WINDOWS; score 38)

Sample-level signatures:
  Multi AV Scanner detection for submitted file
  Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
  Contains functionality to register a low level keyboard hook
  2 other signatures

Process tree (dropped files, network contacts and signatures are listed under the process that produced them):

SecuriteInfo.com.Adware.Elemental.22.28512.27778.exe
  dropped: SecuriteInfo.com.A....22.28512.27778.tmp (PE32)
  started: SecuriteInfo.com.Adware.Elemental.22.28512.27778.tmp
    network: 107.167.110.211 (OPERASOFTWAREUS, United States); 44.217.103.196 (AMAZON-AESUS, United States); 88.208.5.115 (ADVANCEDHOSTERS-ASNL, Netherlands)
    dropped: C:\Users\user\AppData\Local\...\is-CR25G.tmp (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); C:\Users\user\AppData\Local\...\OperaLib.dll (PE32); C:\Users\user\...\OperaGXSetup.exe (copy) (PE32)
    started: OperaGXSetup.exe
      network: 107.167.110.218 (OPERASOFTWAREUS, United States); 107.167.125.189 (OPERASOFTWAREUS, United States); 6 other IPs or domains
      dropped: C:\Users\user\AppData\Local\...\opera_package (PE32); Opera_GX_107.0.504...toupdate_x64[1].exe (PE32); Opera_installer_2403291835508755424.dll (PE32); 4 other files (none is malicious)
      signature: Writes many files with high entropy
      started: OperaGXSetup.exe
        dropped: C:\Users\user\AppData\Local\...\installer.exe (PE32+); C:\Users\user\AppData\...\assistant_package (PE32); C:\Users\user\...\gx-classic-light.zip (Zip); 25 other files (4 malicious)
        started: installer.exe
          dropped: C:\Users\user\AppData\Local\...\opera.exe (PE32+); Opera_installer_2403291836453876324.dll (PE32+); C:\Users\user\AppData\Local\...\launcher.exe (PE32+); C:\...\launcher.exe.1711737406.old (copy) (PE32+)
          signature: Installs a global event hook (focus changed)
          injected: explorer.exe
            started: opera.exe
              network: 192.168.2.4 (unknown); 239.255.255.250 (Reserved)
              dropped: C:\Users\user\...\gx-classic-light.zip (Zip); C:\Users\user\AppData\...\gx-classic-dark.zip (Zip); C:\Users\user\...\gx-1-classic-light.zip (Zip); 18 other malicious files
              signature: Tries to harvest and steal browser information (history, passwords, etc)
          injected: rrcsBizXUHISSeck.exe
            signature: Found direct / indirect Syscall (likely to bypass EDR)
          started: launcher.exe
            started: opera.exe
              started: opera_crashreporter.exe
            started: opera_gx_splash.exe
          started: 15 other processes
            dropped: Opera_installer_2403291836456646936.dll (PE32+)
        started: OperaGXSetup.exe
          dropped: Opera_installer_2403291835520002656.dll (PE32)
      started: Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe
        dropped: C:\Users\user\AppData\Local\...\mojo_core.dll (PE32); C:\Users\user\...\browser_assistant.exe (PE32); C:\Users\user\...\assistant_installer.exe (PE32)
      started: OperaGXSetup.exe
        dropped: Opera_installer_2403291835511345172.dll (PE32)
      started: 2 other processes
        dropped: Opera_installer_2403291835514565980.dll (PE32)
        started: assistant_installer.exe
launcher.exe
  dropped: C:\Users\user\AppData\Local\...\installer.exe (PE32+)
  started: installer.exe
    dropped: Opera_installer_2403291836581706692.dll (PE32+)
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2024-03-27 19:19:25 UTC
File Type: PE (Exe)
Extracted files: 17
AV detection: 14 of 38 (36.84%)
Threat level: 5/5
Verdict: malicious
Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour
Modifies system certificate store
Script User-Agent
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Executes dropped EXE
Loads dropped DLL
Unpacked files
SHA256 hash: 24361c7c16014c8de711f26b07bd736eae5cf5ef16dd8f6ebdd361fcb4c3ca7a
MD5 hash: 3a8086fcc1f55f84a709ffac33164c0a
SHA1 hash: 1f358666a9e98dd3573612c502c6238f168dc8b7

SHA256 hash: 6c211e3b1862510c3e93af571982194a21a9b86ac1a1f4bd14f62d0ed3a17dc6
MD5 hash: 668d5368def8b65631c43eecbd50ea48
SHA1 hash: 3623c2d9748ed22dc3e450daf77b51bc22d4ffd3

SHA256 hash: dbc32537a29f5eba5406aa3f2ae409eb52ea904e76c19a74bfb480a8c8c63d69
MD5 hash: dbb69ee00786bed3e12a04518e0f469a
SHA1 hash: 40a82d88b06e6be8ba82fab34b4a29305466202a
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name:Borland
Author:malware-lu
Rule name:PE_Digital_Certificate
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Author:albertzsigovits
Rule name:shellcode
Author:nex
Description:Matched shellcode byte patterns

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

ID                         Title                                                    Severity
CHECK_DLL_CHARACTERISTICS  Missing dll Security Characteristics (HIGH_ENTROPY_VA)   high
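BLint's CHECK_DLL_CHARACTERISTICS finding is read from the DllCharacteristics word of the PE optional header. The Python below is an added example, not BLint's or MalwareBazaar's code, that extracts that word with the standard library alone and reports which hardening bits are absent. The two header images it checks are constructed by build_fake_pe and are assumptions, not bytes from this sample. One caveat the raw finding does not state: HIGH_ENTROPY_VA is only meaningful for PE32+ (64-bit) images, so the check demands it only when the optional-header magic is 0x20B; whether this sample's outer executable is 32- or 64-bit is not given on this page.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits of the PE optional header (winnt.h)
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0200: "NO_ISOLATION",
    0x0400: "NO_SEH",
    0x0800: "NO_BIND",
    0x1000: "APPCONTAINER",
    0x2000: "WDM_DRIVER",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}

# Hardening bits expected on a modern user-mode binary (assumption: the
# baseline a linter such as BLint applies; GUARD_CF is left out because
# many legitimate compilers still do not emit it).
EXPECTED_PE32 = ("DYNAMIC_BASE", "NX_COMPAT")
EXPECTED_PE32PLUS = EXPECTED_PE32 + ("HIGH_ENTROPY_VA",)


def read_dll_characteristics(data):
    """Return (is_64bit, [flag names set]) from raw PE bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 24          # 4-byte signature + 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ headers
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    names = [n for bit, n in DLL_CHARACTERISTICS.items() if dll_chars & bit]
    return magic == 0x20B, names


def missing_hardening(data):
    """Expected hardening flags that the image does not set, in order."""
    is64, present = read_dll_characteristics(data)
    expected = EXPECTED_PE32PLUS if is64 else EXPECTED_PE32
    return [flag for flag in expected if flag not in present]


def build_fake_pe(is64, dll_chars):
    """Constructed minimal header (no sections), enough for the parser."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    machine = 0x8664 if is64 else 0x14C
    opt_size = 240 if is64 else 224
    # COFF header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if is64 else 0x10B)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# A 64-bit image with ASLR and DEP but without HIGH_ENTROPY_VA, which is the
# shape of the BLint finding above, and a 32-bit image where that bit does
# not apply. Both are constructed, not taken from the sample.
SAMPLE_64 = build_fake_pe(True, 0x0040 | 0x0100 | 0x8000)
SAMPLE_32 = build_fake_pe(False, 0x0040 | 0x0100)

if __name__ == "__main__":
    for label, img in (("PE32+", SAMPLE_64), ("PE32", SAMPLE_32)):
        print(label, "missing:", missing_hardening(img) or "nothing")
```

For a real file, call missing_hardening(open(path, "rb").read()). On a packed or installer-wrapped executable the result describes the bootstrapper stage only; the payloads it drops (the PE32 and PE32+ files listed in the behaviour graph) carry their own headers and need to be checked separately.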
Reviews

ID                 Capabilities                     Evidence
AUTH_API           Manipulates User Authorization   advapi32.dll::ConvertSidToStringSidW
                                                    advapi32.dll::ConvertStringSecurityDescriptorToSecurityDescriptorW
SECURITY_BASE_API  Uses Security Base API           advapi32.dll::AdjustTokenPrivileges
                                                    advapi32.dll::GetTokenInformation
WIN32_PROCESS_API  Can Create Process and Threads   kernel32.dll::CreateProcessW
                                                    advapi32.dll::OpenProcessToken
                                                    kernel32.dll::CloseHandle
                                                    kernel32.dll::CreateThread
WIN_BASE_API       Uses Win Base API                kernel32.dll::LoadLibraryA
                                                    kernel32.dll::LoadLibraryExW
                                                    kernel32.dll::LoadLibraryW
                                                    kernel32.dll::GetSystemInfo
                                                    kernel32.dll::GetStartupInfoW
                                                    kernel32.dll::GetDiskFreeSpaceW
WIN_BASE_IO_API    Can Create Files                 kernel32.dll::CreateDirectoryW
                                                    kernel32.dll::CreateFileW
                                                    kernel32.dll::DeleteFileW
                                                    kernel32.dll::GetWindowsDirectoryW
                                                    kernel32.dll::GetSystemDirectoryW
                                                    kernel32.dll::GetFileAttributesW
WIN_BASE_USER_API  Retrieves Account Information    advapi32.dll::LookupPrivilegeValueW
WIN_REG_API        Can Manipulate Windows Registry  advapi32.dll::RegOpenKeyExW
                                                    advapi32.dll::RegQueryValueExW
WIN_USER_API       Performs GUI Actions             user32.dll::PeekMessageW
                                                    user32.dll::CreateWindowExW
