MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e44fd281ff4ac842d66917e5f7bf43d7cf6b94afce95df2c8ee238e61cfbd0cd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e44fd281ff4ac842d66917e5f7bf43d7cf6b94afce95df2c8ee238e61cfbd0cd
SHA3-384 hash: 5fcbb776faaf30f41a49c116d0d248ebe17c4eb4d91adbf4ad527a6a27391f92492bfb452732fc0410ef58576fb25c89
SHA1 hash: 548f3257137e57e402ed0390b8eb50d09081e93c
MD5 hash: e2c5dd4a9023987ffc5d3b555548b8af
humanhash: sink-monkey-earth-fix
File name:Installer Setup 9.7.0.exe
Download: download sample
File size:84'420'686 bytes
First seen:2024-07-22 22:16:11 UTC
Last seen:2024-07-22 23:43:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b34f154ec913d2d2c435cbd644e91687 (533 x GuLoader, 110 x RemcosRAT, 80 x EpsilonStealer)
ssdeep 1572864:g3b+n6BKUh/1MzwKV0mxFee1STuEWSzPGZq5xGGmG6qcK2V7XQrOptItrjYp2:g3Sn6sUhIwE0O1STuEWSCZqfGGdTsQrn
Threatray 298 similar samples on MalwareBazaar
TLSH T16F0833439129E02FDCFA2D7B171A7DFE69D0B80122A00F0D721E558A0FE9149D779BE9
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
dhash icon c4dadadad2f492c2 (25 x GuLoader, 14 x RemcosRAT, 7 x AgentTesla)
Reporter cydave
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
479
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e44fd281ff4ac842d66917e5f7bf43d7cf6b94afce95df2c8ee238e61cfbd0cd.exe
Verdict:
Malicious activity
Analysis date:
2024-07-23 18:29:51 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a886da50-655a-4555-a00a-068a50755b03

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=669eda65b302ab76f4484f24
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Creating a window
Searching for the window
Searching for the Windows task manager window
Running batch commands
Creating a process with a hidden window
Launching a process
Using the Windows Management Instrumentation requests
Creating a file
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Searching for synchronization primitives
Unauthorized injection to a recently created process
Moving a file to the %AppData% subdirectory
Changing a file
DNS request
Connection attempt
Sending a custom TCP request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
installer lolbin microsoft_visual_cc overlay packed shell32
Link:
https://www.filescan.io/uploads/669eda62cbb32227b6aa5c3a/reports/95669441-5979-49aa-b9ae-e3b289116724/overview
Verdict:
Suspicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/e44fd281ff4ac842d66917e5f7bf43d7cf6b94afce95df2c8ee238e61cfbd0cd
Result
Verdict:
MALICIOUS
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/1478723
Signature
Drops large PE files
Malicious sample detected (through community Yara rule)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1478723 Sample: Installer Setup 9.7.0.exe Startdate: 23/07/2024 Architecture: WINDOWS Score: 52 38 swapinclick.com 2->38 40 chrome.cloudflare-dns.com 2->40 46 Malicious sample detected (through community Yara rule) 2->46 48 Drops large PE files 2->48 8 Installer Setup 9.7.0.exe 12 196 2->8         started        11 Installer.exe 42 2->11         started        signatures3 process4 file5 30 C:\Users\user\AppData\Local\...\nsis7z.dll, PE32 8->30 dropped 32 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 8->32 dropped 34 C:\Users\user\AppData\Local\...\System.dll, PE32 8->34 dropped 36 15 other files (none is malicious) 8->36 dropped 13 cmd.exe 1 8->13         started        15 Installer.exe 11->15         started        18 Installer.exe 1 11->18         started        20 explorer.exe 24 2 11->20 injected 22 2 other processes 11->22 process6 dnsIp7 24 conhost.exe 13->24         started        26 tasklist.exe 1 13->26         started        28 find.exe 1 13->28         started        42 swapinclick.com 195.35.49.154, 443, 49732, 49733 MTSRU Germany 15->42 44 chrome.cloudflare-dns.com 162.159.61.3, 443, 49734, 49735 CLOUDFLARENETUS United States 15->44 process8
Score:
9%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/e44fd281ff4ac842d66917e5f7bf43d7cf6b94afce95df2c8ee238e61cfbd0cd
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4rh5fap7jleefvtjc7s7pp2d27hwxffpz2k56leo4i4omhh32dgq._file
Verdict:
unknown
Similar samples:
07138f2e2d420199d28d3617143489fcb1eace0254ef6634eeb08734817b9fec
1a7d1373265847ad8469a5df8553ff02083382c92ea203647e47748c0d6d0344
2f72367bd43d9c3405c880334c577d8a282cd2a5018bc76c67783a326eb754aa
555d0020f21f464dbf6e2a43ed8c0cfc024a189953d19e712a65d61dc224dab5
6b2e51f4c3cadfd3441d843a96ebb56c50cb132ced3083bbf2f0ac760aca121c
77059c39f5152130db212f0bf24244e0501a8663b75d9ed78e3e406c0b1736a1
7ab82c1ffa37f1538594cc5ad56f6dd047baf2c30bfcce614f1ad28b56196d35
fd5bc7be5d95a9fb3a0187a82c1ed19637744c3fd1a8111801f4718c9f786e47
+ 288 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery
Link:
https://tria.ge/reports/240722-17dl3ssamq/
Behaviour
Enumerates processes with tasklist
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/2f05f4f1-b584-46ec-a794-4f37b0172e3d
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Link
https://github.com/Hua0208/Hua0208new/releases/download/Hua0208new/Installer.Setup.9.7.0.rar

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::SetFileSecurityW
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExW
SHELL32.dll::SHFileOperationW
SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetDiskFreeSpaceW
KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileExW
KERNEL32.dll::MoveFileW
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegDeleteKeyW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuW
USER32.dll::EmptyClipboard
USER32.dll::FindWindowExW
USER32.dll::OpenClipboard
USER32.dll::PeekMessageW
USER32.dll::CreateWindowExW

Comments