MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dcb3c205596c3223fc3c0aca27d02558c01df9d6d1bf6aaf9405722df8066762. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 8

Intelligence 8 IOCs YARA 1 File information Comments

SHA256 hash:	dcb3c205596c3223fc3c0aca27d02558c01df9d6d1bf6aaf9405722df8066762
SHA3-384 hash:	f049ed65959e53f17746e371728f8ca642ccbe6558f8c039e8199f222d140bcd49617ca8567da66473a6213c558560bd
SHA1 hash:	70af809f0008b0d6e0cd377f460bdf72daaef6f1
MD5 hash:	ffec47e80d7c34891618ba7fda557ae7
humanhash:	mirror-mike-happy-double
File name:	SecuriteInfo.com.Trojan.InstallCore.1418.4659.26408
Download:	download sample
File size:	2'473'291 bytes
First seen:	2024-03-20 12:29:47 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'464 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep	49152:L2cjZxXfAS7T/TnojFU5542Z0i8v2CXL/RcJ3DbzmQdF0jj0blHnSq:CuTojFU5Hqi8vxL/RcJ31dKQxf
Threatray	18 similar samples on MalwareBazaar
TLSH	T190B53362C74592BDC1036A38CA0284079669FE773C7CA24A78AD4FDF47E51FE852670B
TrID	76.2% (.EXE) Inno Setup installer (107240/4/30) 10.0% (.EXE) Win32 Executable Delphi generic (14182/79/4) 4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.2% (.EXE) Win32 Executable (generic) (4504/4/1) 1.4% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):
dhash icon	b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter	SecuriteInfoCom
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

332

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

dcb3c205596c3223fc3c0aca27d02558c01df9d6d1bf6aaf9405722df8066762.exe

Verdict:

Malicious activity

Analysis date:

2024-03-20 12:32:41 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/2669c462-975b-4647-8798-677751f4ff36

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Trojan.InstallCore.1418.4659.26408.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a file in the %temp% subdirectories

Creating a window

Creating a process from a recently created file

Сreating synchronization primitives

Launching a process

Moving a file to the Program Files subdirectory

Replacing files

Sending an HTTP GET request

Forced system process termination

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

fingerprint installer lolbin overlay packed shell32

Link:

https://www.filescan.io/uploads/65fad6d11d6034c3c02c4b6a/reports/1587f55a-d61f-4f4f-88bd-72562af64d5e/overview

Verdict:

Suspicious

Labled as:

Downloader.Agent

Link:

https://www.hybrid-analysis.com/sample/dcb3c205596c3223fc3c0aca27d02558c01df9d6d1bf6aaf9405722df8066762

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/6b34ad4a-560e-457a-b069-09b7f0a0a54e

Result

Threat name:

n/a

Detection:

clean

Classification:

spyw

Score:

17 / 100

Link:

https://www.joesandbox.com/analysis/1412377

Signature

Contains functionality to register a low level keyboard hook

Behaviour

Behavior Graph:

n/a

Score:

Verdict:

Benign

File Type:

Link:

https://malprob.io/report/dcb3c205596c3223fc3c0aca27d02558c01df9d6d1bf6aaf9405722df8066762

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/dcb3c205596c3223fc3c0aca27d02558c01df9d6d1bf6aaf9405722df8066762/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3sz4ebkznqzch7b4blfcpubfldab36ow2g7wvl4uavzc36agm5ra._file

Verdict:

unknown

0fc579b9a570f408f3ce2b6c3d580f580027bd315daddcf8aafeb3c452ca4d58

4138d92e4af5e1c1b49d654c8a55c5c759261e2d4108c6ef6b4308f9ba8b0355

52de83987941b92875cecdd1661cc2757eae4f02ef564fd2e147d06eb9d8ab44

575901f83294547395d2a53d741ecc756906c62a0d7e942890a23c833e0593de

6367425a2a76a759b2007ae18f0d6f22c6a07a67fbeae5b7f72fa2c588b4470b

94e024435cc8cafb2705bf98e9551feaa5d2ab426fcbcef9efde59fe9ccb9e53

9d0b806a676f4b1da097db14f0989bc155f74daf0aa3d523ec4164f954fa417d

9f6de85e6ac6ca0e2a0e1912f3d950c3765425d076e87627c9a58b033747c5af

b7772e6959c773d04203373a3adcff3bc81b667726cf4f7155c9135331b21760

+ 8 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/240320-ppf4psge86/

Behaviour

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Executes dropped EXE

Loads dropped DLL

Unpacked files

SH256 hash:

dcb3c205596c3223fc3c0aca27d02558c01df9d6d1bf6aaf9405722df8066762

MD5 hash:

ffec47e80d7c34891618ba7fda557ae7

SHA1 hash:

70af809f0008b0d6e0cd377f460bdf72daaef6f1

Link:

https://www.unpac.me/results/9bb10498-53ae-4734-961a-95712e42ebe2/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.53

Link:

https://yomi.yoroi.company/submissions/dcb3c205596c3223fc3c0aca27d02558c01df9d6d1bf6aaf9405722df8066762

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
SECURITY_BASE_API	Uses Security Base API	advapi32.dll::AdjustTokenPrivileges
WIN32_PROCESS_API	Can Create Process and Threads	kernel32.dll::CreateProcessA advapi32.dll::OpenProcessToken kernel32.dll::CloseHandle
WIN_BASE_API	Uses Win Base API	kernel32.dll::LoadLibraryA kernel32.dll::GetSystemInfo kernel32.dll::GetCommandLineA
WIN_BASE_IO_API	Can Create Files	kernel32.dll::CreateDirectoryA kernel32.dll::CreateFileA kernel32.dll::DeleteFileA kernel32.dll::GetWindowsDirectoryA kernel32.dll::GetFileAttributesA kernel32.dll::RemoveDirectoryA
WIN_BASE_USER_API	Retrieves Account Information	advapi32.dll::LookupPrivilegeValueA
WIN_REG_API	Can Manipulate Windows Registry	advapi32.dll::RegOpenKeyExA advapi32.dll::RegQueryValueExA
WIN_USER_API	Performs GUI Actions	user32.dll::PeekMessageA user32.dll::CreateWindowExA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample