MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 efb0478e5a3bfab377cc684c2520a09a386539b83531e4bf8342c0249bf86b8d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 9



SHA256 hash: efb0478e5a3bfab377cc684c2520a09a386539b83531e4bf8342c0249bf86b8d
SHA3-384 hash: 4680d6757883cc7cdd4dc15e296d0af09fe4e6c65cd332451a02fbec83084dc76ecaba0d91321b737b6ef446570c97ed
SHA1 hash: 5340ba96f7b7829c193e1f859bf623a3b33d92e7
MD5 hash: 31db52071ad0d7b358618bfa3308c748
humanhash: sad-nuts-march-nuts
File name: SecuriteInfo.com.not-a-virus.HEUR.WebToolbar.Win32.Olaunch.gen.25563.30223
File size: 3'362'616 bytes
First seen: 2024-05-16 01:24:57 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 5a594319a0d69dbc452e748bcf05892e (28 x Gh0stRAT, 21 x ParallaxRAT, 15 x NetSupport)
ssdeep: 49152:Tqe3f6RzCCzX4PubyDrFW1nK++4Re5XnIfha7ojna738jqVX5rIJwI2J5PiH7nBE:OSiRzC2X4PsyvDUoR8jgJLTiH7BUD
TLSH: T18FF5F13FB268A53ED5AE0B3285B39310497B7E65B91A8C2E07F0391CDF365601E3B615
TrID:
  46.7% (.EXE) Inno Setup installer (107240/4/30)
  25.0% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
  18.1% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
  4.5% (.EXE) Win64 Executable (generic) (10523/12/4)
  1.9% (.EXE) Win32 Executable (generic) (4504/4/1)
dhash icon: f8d4a24969e3c6e0 (1 x Formbook, 1 x LummaStealer)
Reporter: SecuriteInfoCom
Tags: exe signed

Code Signing Certificate

Organisation: ONELAUNCH TECHNOLOGIES INC.
Issuer: DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Algorithm: sha256WithRSAEncryption
Valid from: 2023-06-16T00:00:00Z
Valid to: 2025-09-10T23:59:59Z
Serial number: 08eb9739b29536226513191ec7264032
Intelligence: 6 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm: SHA256
Thumbprint: 9ef74106802ed78fc995f2b01aeaecebc1a60a7479a257f405d3520d19eaacff
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 1
# of downloads: 471
Origin country: FR

Vendor Threat Intelligence

Result
Malware family: n/a
ID: 1
File name: efb0478e5a3bfab377cc684c2520a09a386539b83531e4bf8342c0249bf86b8d.exe
Verdict: Malicious activity
Analysis date: 2024-05-16 01:26:15 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Clean
Maliciousness:
Behaviour:
  Creating a file in the %temp% subdirectories
  Creating a window
  Creating a process from a recently created file
  Creating synchronization primitives
  Searching for synchronization primitives
  DNS request
  Connection attempt
  Sending a custom TCP request
  Sending an HTTP GET request
  Searching for the window

Result
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: fingerprint installer lolbin overlay packed setupapi shell32
Result
Threat name: n/a
Detection: suspicious
Classification: spyw.evad
Score: 30 / 100
Signature:
  Creates multiple autostart registry keys
  Installs a global keyboard hook
  Tries to delay execution (extensive OutputDebugStringW loop)
  Tries to harvest and steal browser information (history, passwords, etc)
  Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph (text reconstruction of the exported graph):
  Behavior Graph ID: 1442253
  Sample: OneLaunch - Package Finder_...
  Start date: 15/05/2024
  Architecture: WINDOWS
  Score: 30
  Signature on the sample node: Uses schtasks.exe or at.exe to add and modify task schedules

  Process tree (each process lists the files it dropped, the hosts it contacted and the signatures it triggered, then its child processes):
  - Sample start: OneLaunch - Package Finder_k3v7q.exe, chromium.exe, OneLaunchUpdaterProxy.exe, 2 other processes
    - OneLaunch - Package Finder_k3v7q.exe
        dropped: C:\...\OneLaunch - Package Finder_k3v7q.tmp (PE32)
      - OneLaunch - Package Finder_k3v7q.tmp
          network: 104.26.12.224 (CLOUDFLARENETUS, United States); 172.67.68.170 (CLOUDFLARENETUS, United States); 2 other IPs or domains
          dropped: C:\Users\user\AppData\Local\...\is-8OABI.tmp (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); C:\Users\user\AppData\...\Win32Library.dll (PE32); 2 other files (none is malicious)
        - OneLaunch - Package Finder_k3v7q.exe
            dropped: C:\...\OneLaunch - Package Finder_k3v7q.tmp (PE32)
          - OneLaunch - Package Finder_k3v7q.tmp
              dropped: C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); C:\Users\user\AppData\...\Win32Library.dll (PE32); C:\Users\...\OneLaunch Setup_k3v7q.exe (copy) (PE32)
            - OneLaunch Setup_k3v7q.exe
                dropped: C:\Users\user\...\OneLaunch Setup_k3v7q.tmp (PE32)
              - OneLaunch Setup_k3v7q.tmp
                  dropped: C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); C:\Users\user\AppData\...\Win32Library.dll (PE32); C:\Users\user\AppData\...\unins000.exe (copy) (PE32); 243 other files (none is malicious)
                - OneLaunch.exe
                    network: 104.244.42.193 (TWITTERUS, United States); 47.246.24.210 (TAOBAOZhejiangTaobaoNetworkCoLtdCN, United States); 63 other IPs or domains
                    signatures: Creates multiple autostart registry keys; Tries to delay execution (extensive OutputDebugStringW loop); Installs a global keyboard hook
                  - onelaunchtray.exe
                - chromium.exe
                    network: 104.18.23.62 (CLOUDFLARENETUS, United States); 192.168.2.16 (unknown); 239.255.255.250 (Reserved)
                    signatures: Tries to harvest and steal browser information (history, passwords, etc)
                  - chromium.exe
                      network: 52.88.99.215 (AMAZON-02US, United States)
                      signatures: Tries to harvest and steal browser information (history, passwords, etc)
                  - chromium.exe
                      network: 142.250.217.163 (GOOGLEUS, United States); 142.250.217.200 (GOOGLEUS, United States); 25 other IPs or domains
                  - 5 other processes
                - taskkill.exe
                  - conhost.exe
                - 9 other processes
                  - conhost.exe (3 instances); 6 other processes
    - chromium.exe
      - chromium.exe
    - OneLaunchUpdaterProxy.exe
      - OneLaunch.exe
Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour:
  Modifies system certificate store
  Script User-Agent
  Suspicious behavior: GetForegroundWindowSpam
  Suspicious use of FindShellTrayWindow
  Suspicious use of WriteProcessMemory
  Enumerates physical storage devices
  Executes dropped EXE
  Loads dropped DLL
  Checks computer location settings
  Downloads MZ/PE file
  Legitimate hosting services abused for malware hosting/C2
Unpacked files
SHA256 hash: 827c737ff85eb22f1f07495793b4c372c9ee0ac03db05edf15a40b3ab331a237
MD5 hash: 7ce5475a76915568977b6393a9710383
SHA1 hash: ecf79a94214aec836325d2f7784ec37eefb004ed

SHA256 hash: a92fb9d140269c148a8397c399d3b21f9ec945d60c5457c3a652582ea71bb4e8
MD5 hash: b5d17d930cfcb1a01d71fff7b743aa20
SHA1 hash: acbbe32c169b2180dbe7b3ab582311599ff1afa6

SHA256 hash: efb0478e5a3bfab377cc684c2520a09a386539b83531e4bf8342c0249bf86b8d
MD5 hash: 31db52071ad0d7b358618bfa3308c748
SHA1 hash: 5340ba96f7b7829c193e1f859bf623a3b33d92e7
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Borland
Author: malware-lu

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high

Reviews
ID | Capabilities | Evidence
SECURITY_BASE_API | Uses Security Base API | advapi32.dll::AdjustTokenPrivileges
WIN32_PROCESS_API | Can Create Process and Threads | kernel32.dll::CreateProcessW, advapi32.dll::OpenProcessToken, kernel32.dll::CloseHandle, kernel32.dll::CreateThread
WIN_BASE_API | Uses Win Base API | kernel32.dll::LoadLibraryA, kernel32.dll::LoadLibraryExW, kernel32.dll::LoadLibraryW, kernel32.dll::GetSystemInfo, kernel32.dll::GetStartupInfoW, kernel32.dll::GetDiskFreeSpaceW
WIN_BASE_IO_API | Can Create Files | kernel32.dll::CreateDirectoryW, kernel32.dll::CreateFileW, kernel32.dll::DeleteFileW, kernel32.dll::GetWindowsDirectoryW, kernel32.dll::GetSystemDirectoryW, kernel32.dll::GetFileAttributesW
WIN_BASE_USER_API | Retrieves Account Information | advapi32.dll::LookupPrivilegeValueW
WIN_REG_API | Can Manipulate Windows Registry | advapi32.dll::RegOpenKeyExW, advapi32.dll::RegQueryValueExW
WIN_USER_API | Performs GUI Actions | user32.dll::PeekMessageW, user32.dll::CreateWindowExW
