MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e7258b68c24a165c0c61f1fe16a15dd642cf118eae9a4405d3d3cee174d1c72e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 5 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e7258b68c24a165c0c61f1fe16a15dd642cf118eae9a4405d3d3cee174d1c72e
SHA3-384 hash: 714de9257d262c76d8e7b707bbaf097c4585c3a5fa843fe448d4906830e0568276b272bee9c89b37f6f78e734f8aad4e
SHA1 hash: fdb6fd3763d3d00cfba81df3761e2f96a495aecd
MD5 hash: cfea95e7f479426904a6f16b8c62072c
humanhash: twenty-hot-island-india
File name:cfea95e7f479426904a6f16b8c62072c
Download: download sample
File size:5'994'440 bytes
First seen:2024-01-12 16:35:36 UTC
Last seen:2024-01-12 18:19:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 36aca8edddb161c588fcf5afdc1ad9fa (2 x ValleyRAT, 1 x PrivateLoader, 1 x RedLineStealer)
ssdeep 98304:DazvMgOJRWT7tRyYsQdTEDdoJr7dJDqpbhU4H+u1JNAGcX4pD04Wj:DazvMgOJRWT7ukTE5oNQX1pD04Wj
Threatray 91 similar samples on MalwareBazaar
TLSH T1F9569D20B14EDE6ED56241F0093CDAAA911DAD2A0F6190D7B2DC7D6F2BB04C37636E17
TrID 68.8% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
12.5% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.4% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 150518a2a3b2a382
Reporter zbetcheckin
Tags:32 exe signed

Code Signing Certificate

Organisation:CodeSigningCert
Issuer:CodeSigningCert
Algorithm:sha256WithRSAEncryption
Valid from:2023-02-28T11:15:47Z
Valid to:2025-02-28T11:25:47Z
Serial number: 12e79e88324ccea94e0358ccb4a75075
Intelligence: 14 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 0c21b06b3ede50f24284ddb567b4370193279f3e59a9a1bb602d9a9c230b4d28
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
340
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://eu-west-1.protection.sophos.com/?d=dropbox.com&u=aHR0cHM6Ly93d3cuZHJvcGJveC5jb20vc2NsL2ZpLzVmZ2RqcXAxaXU4NmZ5ZGR4eW5icS9GYXR0dXJhLTUzODcyMy5leGU_cmxrZXk9NTM0aHdhMDdsd3Fma2M3MTk0eG9iOWwzMyZkbD0x&i=NjUwODJhZTVlMDVkNmYyNDlkNTNjYmVh&t=akJXR0p6WDhpaDY1TDNINkdrWnhxVHFFaWI2UU9uWDhIT0tPUU0xdE9WST0=&h=33071ef604cd4110b89a7a7a3d194204&s=AVNPUEhUT0NFTkNSWVBUSVZcCVgOy9Qf1eBGnmcUcJGLzH43Ysjh3QDYInk2lLgN6gf3-gFlU86lihWYW5_4TPY
Verdict:
Malicious activity
Analysis date:
2024-01-12 15:40:01 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/18e79af0-fc60-4dcd-a762-7dad312a97cf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/470571/
Detection(s):
SecuriteInfo.com.HEUR.Trojan.BAT.Agent.gen.12531.8076.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Searching for the window
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Sending a custom TCP request
Creating a file in the %temp% directory
Launching a process
Modifying a system file
Creating a file in the Windows subdirectories
Creating a process from a recently created file
Creating a file
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Launching cmd.exe command interpreter
Possible injection to a system process
Launching a tool to kill processes
Launching the process to change the firewall settings
Enabling autorun
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control fingerprint lolbin msiexec overlay packed setupapi shell32
Link:
https://www.filescan.io/uploads/65a16a7c3c61cd5b424f4d8e/reports/29952710-988a-4b47-965d-dea7d5b0a3a4/overview
Verdict:
Suspicious
Labled as:
Adware.WebCompanion
Link:
https://www.hybrid-analysis.com/sample/e7258b68c24a165c0c61f1fe16a15dd642cf118eae9a4405d3d3cee174d1c72e
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/184f4fea-c459-4a64-83b1-cb2bdd09f144
Result
Threat name:
n/a
Detection:
malicious
Classification:
rans.evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/1373903
Signature
Contains functionalty to change the wallpaper
Modifies the windows firewall
Snort IDS alert for network traffic
Uses cmd line tools excessively to alter registry or file data
Uses netsh to modify the Windows network and firewall settings
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1373903 Sample: 1tuL3R5svT.exe Startdate: 12/01/2024 Architecture: WINDOWS Score: 64 74 www.example.com 2->74 76 drk-host.ooguy.com 2->76 92 Snort IDS alert for network traffic 2->92 12 viewer.exe 1 2->12         started        14 1tuL3R5svT.exe 73 2->14         started        signatures3 process4 dnsIp5 18 cmd.exe 3 3 12->18         started        84 www.example.com 93.184.216.34, 49705, 80 EDGECASTUS European Union 14->84 66 C:\Users\user\AppData\...\vnchooks.dll, PE32 14->66 dropped 68 C:\Users\user\AppData\Roaming\...\viewer.exe, PE32 14->68 dropped 70 C:\Users\user\AppData\...\taskhost.exe, PE32 14->70 dropped 72 6 other files (none is malicious) 14->72 dropped 21 msiexec.exe 2 14->21         started        file6 process7 signatures8 86 Uses cmd line tools excessively to alter registry or file data 18->86 88 Uses netsh to modify the Windows network and firewall settings 18->88 90 Modifies the windows firewall 18->90 23 viewer.exe 1 18->23         started        25 cmd.exe 1 18->25         started        28 Acrobat.exe 8 63 18->28         started        30 11 other processes 18->30 process9 signatures10 32 cmd.exe 1 23->32         started        98 Uses cmd line tools excessively to alter registry or file data 25->98 34 reg.exe 1 25->34         started        36 AcroCEF.exe 28->36         started        process11 process12 38 cmd.exe 32->38         started        40 cmd.exe 32->40         started        43 viewer.exe 32->43         started        48 10 other processes 32->48 45 AcroCEF.exe 36->45         started        dnsIp13 50 taskhost.exe 38->50         started        54 mode.com 38->54         started        56 netsh.exe 38->56         started        62 3 other processes 38->62 96 Uses cmd line tools excessively to alter registry or file data 40->96 58 reg.exe 40->58         started        60 cmd.exe 43->60         started        82 23.50.124.134, 443, 49726 AKAMAI-ASUS United States 45->82 signatures14 process15 dnsIp16 78 drk-host.ooguy.com 213.109.192.241, 49728, 49729, 49730 UA-LINK-ASUA unknown 50->78 80 127.0.0.1 unknown unknown 50->80 94 Contains functionalty to change the wallpaper 50->94 64 conhost.exe 60->64         started        signatures17 process18
Score:
7%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/e7258b68c24a165c0c61f1fe16a15dd642cf118eae9a4405d3d3cee174d1c72e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e7258b68c24a165c0c61f1fe16a15dd642cf118eae9a4405d3d3cee174d1c72e/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=44syw2gcjilfyddb6h7bnik52zbm6emov2neibot2phoc5gry4xa._file
Verdict:
unknown
Similar samples:
0a26a8670ec52d242cad7ac818bae83d38f4e15309334964249886e882192548
216f1c0ba684a52b81799798c2e7afdc9e41338961588753946e44ac45f1d20f
28ee91abd2a0efefab3b2e95ffe2ffaecd7ca0cf2a5bc5bf56b6810ba32eafb4
5428dbedf8e4476b2ba746ddbcde0b1104da52a4be9f64e4be0e95102fcc7f12
556b51b8c2e2516235372629d158d6a10e11e4fcbb8e4fa67a3f5a5a54846f08
791fb3ec6331533601c6b84581dd86977cbf6b1222819f4bd8f60d21ae3379ea
7f6a22cc0e0b5ee908e631cfd8b4d0a4613109b97c5df7cf91f755099330fc5c
85bdf691ddbeebf9a11faa642fc7767507014483a7d43ede19406bfe46b8969f
b11f117050ba7d475909659b8b5364ca134942bddfc08dbabe3d4c013c1a137c
df2853a1bc08e8f9ee97a33a001e84597e85d5834c540d846dce4d4f8183bddd
+ 81 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
evasion
Link:
https://tria.ge/reports/240112-t4c3tabgaj/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Disables Windows logging functionality
Kills process with taskkill
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Blocklisted process makes network request
Enumerates connected drives
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Modifies Windows Firewall
Unpacked files
SH256 hash:
8d7e7ad16b411e68e816ee062b1505f73b333f3b6d3f52df6aedf844e6371568
MD5 hash:
b713ba15987ba9bd361345be25ad1aca
SHA1 hash:
eff6f14091d43973d8b020c43ad555601935e177
Link:
https://www.unpac.me/results/49c7aa40-8f62-4acd-a95d-99bc0e763e58/
SH256 hash:
1426e38b7713d30da34862e8cc8dc18e1e80765de330c84181a8c0b05f60b848
MD5 hash:
84a6a89a302f6481dba272127de450c0
SHA1 hash:
6dc6c49ca86b1aa38f591e2ade95f986eef11b2a
Link:
https://www.unpac.me/results/49c7aa40-8f62-4acd-a95d-99bc0e763e58/
SH256 hash:
e7258b68c24a165c0c61f1fe16a15dd642cf118eae9a4405d3d3cee174d1c72e
MD5 hash:
cfea95e7f479426904a6f16b8c62072c
SHA1 hash:
fdb6fd3763d3d00cfba81df3761e2f96a495aecd
Link:
https://www.unpac.me/results/49c7aa40-8f62-4acd-a95d-99bc0e763e58/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e7258b68c24a165c0c61f1fe16a15dd642cf118eae9a4405d3d3cee174d1c72e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:APT_Sandworm_ArguePatch_Apr_2022_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect ArguePatch loader used by Sandworm group for load CaddyWiper
Reference:https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe e7258b68c24a165c0c61f1fe16a15dd642cf118eae9a4405d3d3cee174d1c72e

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/470571/

Comments


Avatar
zbet commented on 2024-01-12 16:35:37 UTC

url : hxxps://eu-west-1.protection.sophos.com?d=dropbox.com&u=aHR0cHM6Ly93d3cuZHJvcGJveC5jb20vc2NsL2ZpLzVmZ2RqcXAxaXU4NmZ5ZGR4eW5icS9GYXR0dXJhLTUzODcyMy5leGU_cmxrZXk9NTM0aHdhMDdsd3Fma2M3MTk0eG9iOWwzMyZkbD0x&i=NjUwODJhZTVlMDVkNmYyNDlkNTNjYmVh&t=akJXR0p6WDhpaDY1TDNINkdrWnhxVHFFaWI2UU9uWDhIT0tPUU0xdE9WST0=&h=33071ef604cd4110b89a7a7a3d194204&s=AVNPUEhUT0NFTkNSWVBUSVZcCVgOy9Qf1eBGnmcUcJGLzH43Ysjh3QDYInk2lLgN6gf3-gFlU86lihWYW5_4TPY/