MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f0380fcead378582fadeeddf805919af44febcd9386eb60b609477e8cfe04dc8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Adware.Eorezo


Vendor detections: 5



SHA256 hash: f0380fcead378582fadeeddf805919af44febcd9386eb60b609477e8cfe04dc8
SHA3-384 hash: fbf99e134b23b43f3717c4571459eb9d019d516bea5d954fab64a5922840adef3ca1032b8ebe4767d006aa7629ed5701
SHA1 hash: a77c78390e46529208c4739890e9040ad730fe37
MD5 hash: abfe894d1c2813aa6f822733cebaf9f3
humanhash: mountain-lima-don-september
File name: abfe894d1c2813aa6f822733cebaf9f3.exe
Signature: Adware.Eorezo
File size: 76'468 bytes
First seen: 2021-03-22 17:38:56 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep: 1536:KpgpHzb9dZVX9fHMvG0D3XJJ4Romu/deQcIGlf2mBi3na:IgXdZt9P6D3XJJ4557Ohna
TLSH: 4173E007B5C0C9B7C9A70772097BD3BAE7B7CA9802502B931B947F7F2D211638C1A295
Reporter: abuse_ch
Tags: Adware.Eorezo exe


abuse_ch
Adware.Eorezo C2:
http://juhjuh.com/

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://juhjuh.com/
ThreatFox Reference: https://threatfox.abuse.ch/ioc/4395/

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 147
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Clean
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Sending a UDP request
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: phis.evad
Score: 40 / 100
Signature
Changes security center settings (notifications, updates, antivirus, firewall)
Modifies Internet Explorer zone settings
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses netsh to modify the Windows network and firewall settings
Behaviour
Behavior Graph: (graph rendering not reproduced) Behavior Graph ID: 373545, Sample: XFtxEOd9S4.exe, Startdate: 23/03/2021, Architecture: WINDOWS, Score: 40
Threat name: Win32.Trojan.Injuke
Status: Malicious
First seen: 2021-03-16 22:06:00 UTC
AV detection: 12 of 29 (41.38%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Enumerates physical storage devices
Loads dropped DLL
Unpacked files
SHA256 hash: 89e24e4124b607f3f98e4df508c4ddd2701d8f7fcf1dc6e2aba11d56c97c0c5a
MD5 hash: cab75d596adf6bac4ba6a8374dd71de9
SHA1 hash: fb90d4f13331d0c9275fa815937a4ff22ead6fa3
SHA256 hash: f0380fcead378582fadeeddf805919af44febcd9386eb60b609477e8cfe04dc8
MD5 hash: abfe894d1c2813aa6f822733cebaf9f3
SHA1 hash: a77c78390e46529208c4739890e9040ad730fe37
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments