MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eaf9193ce95f3e19383f23b2a789aa84e7f7e1e768149571d0fb6a49f885eea3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 14

Intelligence 14 IOCs YARA 6 File information Comments

SHA256 hash:	eaf9193ce95f3e19383f23b2a789aa84e7f7e1e768149571d0fb6a49f885eea3
SHA3-384 hash:	b2046e6c044d2521a969213932d50b81fc4f5d7ae9b2c3af7e82dbe832e4945ae61569123f9d4cd3ed76e611f3cd579a
SHA1 hash:	4a45ee20aa2944321db5790d8d36da06c2ccfb21
MD5 hash:	5267044f9c886d522f5573e4163e8b84
humanhash:	oregon-music-missouri-east
File name:	LSWD61093I7H50N.exe
Download:	download sample
File size:	1'310'351 bytes
First seen:	2024-07-16 06:05:32 UTC
Last seen:	2024-07-24 18:00:23 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	99ee65c2db82c04251a5c24f214c8892 (34 x Formbook, 11 x RemcosRAT, 4 x SnakeKeylogger)
ssdeep	24576:y6nVMk+HIj90cmvFMN8O6sKTUywjJTzwWGpzQ0YEPIFaTs0bydWy2UE43YP0b8LO:xVz7tWqKwrjRwW4z5gF6lPW2LukuOE
TLSH	T1F2551212B7C59072C0722A324A9597906A7DBC705F6186EF33D03F6EAA315D2D631FA3
TrID	76.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39) 16.5% (.CPL) Windows Control Panel Item (generic) (57583/11/19) 3.0% (.EXE) Win64 Executable (generic) (10523/12/4) 1.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 1.2% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE):
dhash icon	797979b969e8d8e0 (2 x RemcosRAT, 1 x AgentTesla, 1 x Formbook)
Reporter	abuse_ch
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

361

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

eaf9193ce95f3e19383f23b2a789aa84e7f7e1e768149571d0fb6a49f885eea3.exe

Verdict:

Malicious activity

Analysis date:

2024-07-16 06:17:35 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/cd351666-9005-4336-b26d-b14efaab8247

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Trojan.AutoIt.1161.14321.7935.UNOFFICIAL

Verdict:

Malicious

Score:

96.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=66960dcccadc6250d05565f4win10vpnfull_triage

Tags:

Encryption Execution Generic Network Other Static Stealth Autoit

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Сreating synchronization primitives

Searching for synchronization primitives

Creating a file in the %temp% subdirectories

Enabling the 'hidden' option for files in the %temp% directory

Creating a process from a recently created file

Running batch commands

Creating a process with a hidden window

Launching a process

Sending a UDP request

Creating a file

Adding an access-denied ACE

Launching the default Windows debugger (dwwin.exe)

Forced shutdown of a system process

Unauthorized injection to a system process

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/eaf9193ce95f3e19383f23b2a789aa84e7f7e1e768149571d0fb6a49f885eea3

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/fcb9e777-8d1e-43e0-bb3d-d7a9855c2b82

Result

Threat name:

n/a

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1474015

Signature

AI detected suspicious sample

Found API chain indicative of sandbox detection

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: WScript or CScript Dropper

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses ipconfig to lookup or modify the Windows network settings

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Yara detected AntiVM autoit script

Yara detected Autoit Injector

Behaviour

Behavior Graph:

Download SVG

Score:

98%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/eaf9193ce95f3e19383f23b2a789aa84e7f7e1e768149571d0fb6a49f885eea3

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/eaf9193ce95f3e19383f23b2a789aa84e7f7e1e768149571d0fb6a49f885eea3/

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2024-07-09 08:16:42 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 24 (87.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=5l4rsphjl47bsob7eozkpcnkqtt7pyphnakjk4oq7nvet6ef52rq._file

Verdict:

malicious

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/240716-gtqvps1crb/

Behaviour

Gathers network information

Modifies Internet Explorer settings

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/21234bd9-bf40-4a80-8202-5d354a546da2

Unpacked files

SH256 hash:

7972c56b8e4436f6a0ead86511625ff84a605389a447417485fccbe064b3c211

MD5 hash:

31db1d81c80c66640b773c535cdfa762

SHA1 hash:

9cfffe3e21ab746e18db1447bf339d1af2118570

Detections:

AutoIT_Compiled

Link:

https://www.unpac.me/results/6d3c4694-9ea7-4c94-ae65-4e5c971e6379/

Parent samples :

6a57e08efff02a424c354fbc084c1e4a276cfea72d7a1c928a5fa03da05936b9
cd1dbeedd93d1c0bf3c76a1e5cd2fd4cf1f0d195226dca32d85757301aba43b0
889098c1cda089237f79b8b545c9b434f872793785817293962442e53d9e2d1c
eaf9193ce95f3e19383f23b2a789aa84e7f7e1e768149571d0fb6a49f885eea3
089c427ce0cf50c38600eb31732d2124fb058981011a01adb58fc00df0c831b0
d60df4333857d715edee8797d08e4b0a91df3215391046f7a001ddcb6860b60d
7e3e934402c751f953a3f4a3c6c5591142e9902185bdab102e09be1f9095c0d1
9eedd7551fb43bd6f2c943b872401b872bf40378eb9bcea89dddfdada6890d69
5772d8ef6cfb846163c13d03211610c277a424242fb64bb74479a9c77db8b1bc
096b49b1a090bed6734ac03fc3aff67bd249a0040aa9bdbd4f0d8bbcdde760bf
aea5996c0548f996a16292b8795ff877b82d67ad9dbb308c19ebbaca9b452df4

SH256 hash:

eaf9193ce95f3e19383f23b2a789aa84e7f7e1e768149571d0fb6a49f885eea3

MD5 hash:

5267044f9c886d522f5573e4163e8b84

SHA1 hash:

4a45ee20aa2944321db5790d8d36da06c2ccfb21

Link:

https://www.unpac.me/results/6d3c4694-9ea7-4c94-ae65-4e5c971e6379/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/eaf9193ce95f3e19383f23b2a789aa84e7f7e1e768149571d0fb6a49f885eea3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SelfExtractingRAR Create hunting rule
Author:	Xavier Mertens
Description:	Detects an SFX archive with automatic script execution

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Reviews

ID	Capabilities	Evidence
GDI_PLUS_API	Interfaces with Graphics	gdiplus.dll::GdiplusStartup gdiplus.dll::GdiplusShutdown gdiplus.dll::GdipAlloc
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CloseHandle KERNEL32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryW KERNEL32.dll::LoadLibraryExA KERNEL32.dll::LoadLibraryExW KERNEL32.dll::GetSystemInfo KERNEL32.dll::GetStartupInfoW
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::AllocConsole KERNEL32.dll::AttachConsole KERNEL32.dll::WriteConsoleW KERNEL32.dll::FreeConsole KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleMode KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CreateDirectoryW KERNEL32.dll::CreateHardLinkW KERNEL32.dll::CreateFileW KERNEL32.dll::CreateFileMappingW KERNEL32.dll::DeleteFileW KERNEL32.dll::MoveFileW KERNEL32.dll::MoveFileExW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample