MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ec4a958ab73fa233b4bb5cbaf68ea3486384997d53740bfa9c3307ce150a59dd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ec4a958ab73fa233b4bb5cbaf68ea3486384997d53740bfa9c3307ce150a59dd
SHA3-384 hash: 0fde11266e5d24edbc921af85f614af145e6464efc9f3672c89ce6a18244b99c282b9ae47c6fa746ee829391dc6c8c96
SHA1 hash: 766af67dd9d609c1cbf56578f25b0a3bacc580e2
MD5 hash: 655c33920fd920dc86fe9c572f1bbaba
humanhash: nuts-lion-stream-yellow
File name:google_setup_S2105150849_.exe
Download: download sample
File size:16'817'696 bytes
First seen:2024-04-27 14:16:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 57e98d9a5a72c8d7ad8fb7a6a58b3daf (60 x GuLoader, 20 x AZORult, 12 x RemcosRAT)
ssdeep 393216:fuIjTX0c+rk9t2+arEhxiLFbHO1mmailtTZ0h6xZ:fuIjYcgPdHcmmaGtTZ0hC
Threatray 3 similar samples on MalwareBazaar
TLSH T1FB0733B4CB23F0D4E2CD67722A249B752B4D871F124813AF93747F471AC4A5A3AB2356
TrID 37.3% (.EXE) Win64 Executable (generic) (10523/12/4)
17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
15.9% (.EXE) Win32 Executable (generic) (4504/4/1)
7.3% (.ICL) Windows Icons Library (generic) (2059/9)
7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon f0d2d8c488acb4ec (1 x CryptBot)
Reporter NDA0E
Tags:chrome.ruyu1.top exe FakeGoogleUpdate signed

Code Signing Certificate

Organisation:Shandong Gooxion Software Co.,Ltd.
Issuer:DigiCert Assured ID Code Signing CA-1
Algorithm:sha1WithRSAEncryption
Valid from:2019-09-04T00:00:00Z
Valid to:2022-08-11T12:00:00Z
Serial number: 0f2dcc39185a9c0b9a4e984bba9b8ee3
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: ddd5900c01d7f873cd9eac85dbc4931a1c6776e4618d8515e09d098143834825
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
NDA0E
Distributed via: chrome.ruyu1.top

https://chrome.ruyu1.top/ (Fake Google Update) > Download > https://chrome.ruyu1.top/assets/download/google_setup_S2105150849_.exe

Possible C2: 125.122.13.129:13003

Intelligence

File Origin
# of uploads :
1
# of downloads :
348
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://chrome.ruyu1.top/assets/download/google_setup_S2105150849_.exe
Verdict:
Malicious activity
Analysis date:
2024-04-27 14:06:02 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a7a15d7e-1003-4b0b-b8c6-8fd14ec8c1fa

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a window
Creating a file
Сreating synchronization primitives
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/662d08a851edb67852f9d4cf/reports/88a62d28-9e1c-4809-b0b8-04b63c585b12/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/ec4a958ab73fa233b4bb5cbaf68ea3486384997d53740bfa9c3307ce150a59dd
Result
Verdict:
MALICIOUS
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/01737c7a-9eca-421f-97df-c7612feee712
Result
Threat name:
n/a
Detection:
suspicious
Classification:
evad
Score:
36 / 100
Link:
https://www.joesandbox.com/analysis/1432601
Signature
Contains functionality to compare user and computer (likely to detect sandboxes)
May modify the system service descriptor table (often done to hook functions)
Behaviour
Behavior Graph:
Download SVG
Score:
84%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ec4a958ab73fa233b4bb5cbaf68ea3486384997d53740bfa9c3307ce150a59dd
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ec4a958ab73fa233b4bb5cbaf68ea3486384997d53740bfa9c3307ce150a59dd/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5rfjlcvxh6rdhnf3ls5pndvdjbryjgl5kn2ax6u4gmd44fiklhoq._file
Verdict:
unknown
Similar samples:
b4bbdadeb876d22140beabe77e143cd74871461c0823f9f9ba79b41106386d26
dc838d8895ef1b1248c11c8241504556492713dcbe583c11039c8077b13ba042
Result
Malware family:
n/a
Score:
  4/10
Tags:
n/a
Link:
https://tria.ge/reports/240427-rk6vnscf8y/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Enumerates physical storage devices
Loads dropped DLL
Unpacked files
SH256 hash:
f0e6fcfeca3589bede387ef7ac1b81b66431bea1056a01bbf5e2994604f9a820
MD5 hash:
0111926fadd2f0dc566eab9d32609688
SHA1 hash:
d27bcf9a8898a45203a4bfdb686e8c656c818161
Link:
https://www.unpac.me/results/852098a7-24d4-42e6-bb7f-8dd0a08cc927/
SH256 hash:
8b15eb72e80f1971bdd0f2fef3e70ba23574368505075d5869108144b0023b62
MD5 hash:
334c32302a77d86169a7b1b4cd306258
SHA1 hash:
05fb478c81c6a27e49a72f07e0ed23d6855f4036
Link:
https://www.unpac.me/results/852098a7-24d4-42e6-bb7f-8dd0a08cc927/
SH256 hash:
3cdf3e24c87666ed5c582b8b028c01ee6ac16d5a9b8d8d684ae67605376786ea
MD5 hash:
ab101f38562c8545a641e95172c354b4
SHA1 hash:
ec47ac5449f6ee4b14f6dd7ddde841a3e723e567
Link:
https://www.unpac.me/results/852098a7-24d4-42e6-bb7f-8dd0a08cc927/
SH256 hash:
1d51a05b3a2821ab54eca1ee42b0d37042ddf5c4be49e2658422199c173c99db
MD5 hash:
e844427a16b779a8db18aac23dddfc18
SHA1 hash:
b75fe6370792c9490c312f5528a0432690eeaac8
Link:
https://www.unpac.me/results/852098a7-24d4-42e6-bb7f-8dd0a08cc927/
SH256 hash:
b1d327e748c7bed2276a375dede6a6b430442b50f3c2ce912f6c8ba3cff20488
MD5 hash:
a1524dbac3a1087214583fca99e809a9
SHA1 hash:
792723c68022d13f232e588108278ddbd16f000c
Link:
https://www.unpac.me/results/852098a7-24d4-42e6-bb7f-8dd0a08cc927/
SH256 hash:
294a861b5d96582dfea9352c8900771432a43134cb1866725c88d632dba3166b
MD5 hash:
0f6b18d25f8df9f7292f537f3f25ac85
SHA1 hash:
3ec3f05acac84f0ae3babc1901a0bd90aee6aa5c
Link:
https://www.unpac.me/results/852098a7-24d4-42e6-bb7f-8dd0a08cc927/
SH256 hash:
0a49b8981bb902e1cfcbde996a5e7f9103e3c2407696fe231ba8efd867675ebc
MD5 hash:
7c3193912ef4648147ca044d1c38b3fc
SHA1 hash:
259f7b342260c2cdb0c3957f74757693cab44a38
Link:
https://www.unpac.me/results/852098a7-24d4-42e6-bb7f-8dd0a08cc927/
SH256 hash:
e4bc29d5ab712e271e03815753f9425248af4f55516b31814cbe378537ddf001
MD5 hash:
ae88317cd9d27c31d786a9ec3c5606b5
SHA1 hash:
a08375645ebbdadcaa147612bad341a5a5c9cc34
Link:
https://www.unpac.me/results/852098a7-24d4-42e6-bb7f-8dd0a08cc927/
SH256 hash:
bcc0171a06d856569f43007d23c27fc4f54f098ad231d3e4ee4fdbe3cd4bf85f
MD5 hash:
04760a888a3fa6a55a48093c7d7b2795
SHA1 hash:
6d2f4c0dc582885d3fea21700ad8013a1d0eb52d
Link:
https://www.unpac.me/results/852098a7-24d4-42e6-bb7f-8dd0a08cc927/
SH256 hash:
b56052c5a6037badd469626ee8f57f04a5ec5056a732802b7f02ef328c3c2f1d
MD5 hash:
42d6766509cfe037ea45efab0f06bd3a
SHA1 hash:
fcb6307f9f24762d484828e2f576b406405b3453
Link:
https://www.unpac.me/results/852098a7-24d4-42e6-bb7f-8dd0a08cc927/
SH256 hash:
a076c5707b4ae82d3a62f7300023a2a933dbf3cc3f83b4bb8edc6867105be013
MD5 hash:
355152cca9e9493de9fde0fde7c5d21f
SHA1 hash:
a1687ce7793a38e82db3eeeafacb439c44aa78a5
Link:
https://www.unpac.me/results/852098a7-24d4-42e6-bb7f-8dd0a08cc927/
SH256 hash:
4c18ab54e1322ce5032219b326d18bc46af4b4ec1bb34c93fbcf2b1dcc0b9206
MD5 hash:
9ceff7a1cb8df994e224d14819689253
SHA1 hash:
b667b0c04ebbce3d5fdb109e75f95335fc96e373
Link:
https://www.unpac.me/results/852098a7-24d4-42e6-bb7f-8dd0a08cc927/
SH256 hash:
496134cf94370bf1df575829439888dcefed18c4c1a4c0274572eff27c5278b6
MD5 hash:
34f31522fadb94d074024065f60a2619
SHA1 hash:
5c299590038a8add456e610295e560b940e7c706
Link:
https://www.unpac.me/results/852098a7-24d4-42e6-bb7f-8dd0a08cc927/
SH256 hash:
759736635180858a79de7e07bbbafad7c850daa373487f5a9bf00d843620b23e
MD5 hash:
6c9b9474e9b2ea2b11764cba29e2b3b0
SHA1 hash:
a4a867131605a33ba92f1de4601f84166f2feb5b
Link:
https://www.unpac.me/results/852098a7-24d4-42e6-bb7f-8dd0a08cc927/
SH256 hash:
ec4a958ab73fa233b4bb5cbaf68ea3486384997d53740bfa9c3307ce150a59dd
MD5 hash:
655c33920fd920dc86fe9c572f1bbaba
SHA1 hash:
766af67dd9d609c1cbf56578f25b0a3bacc580e2
Link:
https://www.unpac.me/results/852098a7-24d4-42e6-bb7f-8dd0a08cc927/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ec4a958ab73f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ec4a958ab73fa233b4bb5cbaf68ea3486384997d53740bfa9c3307ce150a59dd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ins_NSIS_Buer_Nov_2020_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect NSIS installer used for Buer loader
Rule name:NSIS_April_2024
Create hunting rule
Author:NDA0N
Description:Detects NSIS installers
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe ec4a958ab73fa233b4bb5cbaf68ea3486384997d53740bfa9c3307ce150a59dd

(this sample)

anyrun
any.run
https://app.any.run/tasks/a7a15d7e-1003-4b0b-b8c6-8fd14ec8c1fa
  
Link
https://opentip.kaspersky.com/EC4A958AB73FA233B4BB5CBAF68EA3486384997D53740BFA9C3307CE150A59DD/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_TRUST_INFORequires Elevated Execution (level:requireAdministrator)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::SetFileSecurityA
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExA
SHELL32.dll::SHFileOperationA
SHELL32.dll::SHGetFileInfoA
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryExA
KERNEL32.dll::GetDiskFreeSpaceA
KERNEL32.dll::GetCommandLineA
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileA
KERNEL32.dll::CreateDirectoryA
KERNEL32.dll::CreateFileA
KERNEL32.dll::DeleteFileA
KERNEL32.dll::MoveFileExA
KERNEL32.dll::MoveFileA
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExA
ADVAPI32.dll::RegDeleteKeyA
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegQueryValueExA
ADVAPI32.dll::RegSetValueExA
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuA
USER32.dll::EmptyClipboard
USER32.dll::FindWindowExA
USER32.dll::OpenClipboard
USER32.dll::PeekMessageA
USER32.dll::CreateWindowExA

Comments