MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f142f2fefbbd174fbc0d3d6cbe4cb5caa48389dfce9ee63f10d82b503e705468. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f142f2fefbbd174fbc0d3d6cbe4cb5caa48389dfce9ee63f10d82b503e705468
SHA3-384 hash: 107b37ea145dbaccb45ad838bda3bc3be04cc1d76aad66780c98f697e59f89a207165d04f03a8282db7fc3ccec77ae44
SHA1 hash: bb3972cfb6adc178d8fd17dde519d15a6471e4b9
MD5 hash: 4c428e14cf5fc2c5e54ba377389c8253
humanhash: october-july-wisconsin-september
File name:4c428e14cf5fc2c5e54ba377389c8253
Download: download sample
File size:6'062'592 bytes
First seen:2024-10-25 06:08:17 UTC
Last seen:2024-10-25 06:22:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f86f1d8dc6f11a3ff46c688154b1d7e2
ssdeep 98304:gpWXpGEOHr+mg3awzDSS/GLjqdRK47nr+ktzLy7Mb7hMUwcIesBw1W:gpWPKrtOawXTu/qdRJrSkt3Tb7hMUNIk
TLSH T1DF5623BE624C371CC01F84748023AD45B1F7523E4AEA95AAB2DBFF90779B421D606F46
TrID 44.4% (.EXE) Win64 Executable (generic) (10522/11/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter zbetcheckin
Tags:64 exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
421
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4c428e14cf5fc2c5e54ba377389c8253
Verdict:
Malicious activity
Analysis date:
2024-10-25 06:11:48 UTC
Tags:
opendir loader vmprotect
Link:
https://app.any.run/tasks/c616c91b-e044-4eea-a17a-d73eb9c675e7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win64.MalwareX-gen.2294.8731.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=671b3600b39b9c1aa745f0df
Tags:
Downloader Vmprotect Dropper
Result
Verdict:
Clean
Maliciousness:
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
lolbin packed packed packed packer_detected shell32 vmprotect
Link:
https://www.filescan.io/uploads/671b3600c8b28f3df2433610/reports/9bef2a85-4b2f-4820-a3f5-d6b7b99cc5ea/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/f142f2fefbbd174fbc0d3d6cbe4cb5caa48389dfce9ee63f10d82b503e705468
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/e8cacf3d-79ed-4ccf-93c9-bae80bcf984b
Result
Threat name:
n/a
Detection:
malicious
Classification:
expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1541826
Signature
Accesses win32k, likely to find offsets for exploits
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected VMProtect packer
Drops executables to the windows directory (C:\Windows) and starts them
Found direct / indirect Syscall (likely to bypass EDR)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sample is not signed and drops a device driver
Tries to detect debuggers (CloseHandle check)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction (VM detection)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1541826 Sample: lUAc7lqa56.exe Startdate: 25/10/2024 Architecture: WINDOWS Score: 100 53 keyauth.win 2->53 61 Antivirus detection for dropped file 2->61 63 Antivirus / Scanner detection for submitted sample 2->63 65 Multi AV Scanner detection for dropped file 2->65 67 5 other signatures 2->67 9 lUAc7lqa56.exe 17 2->9         started        signatures3 process4 dnsIp5 55 185.101.104.122, 49730, 80 HOSTCLEAN-SRLRO Romania 9->55 57 keyauth.win 104.26.0.5, 443, 49737 CLOUDFLARENETUS United States 9->57 59 127.0.0.1 unknown unknown 9->59 45 C:\Windows\driverfo.sys, PE32+ 9->45 dropped 47 C:\Windows\Vulnerability.exe, PE32+ 9->47 dropped 49 C:\Users\user\AppData\...\driverfo[1].sys, PE32+ 9->49 dropped 51 C:\Users\user\...\Vulnerability[1].exe, PE32+ 9->51 dropped 77 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 9->77 79 Sample is not signed and drops a device driver 9->79 81 Tries to evade analysis by execution special instruction (VM detection) 9->81 83 4 other signatures 9->83 14 cmd.exe 1 9->14         started        17 cmd.exe 1 9->17         started        19 cmd.exe 1 9->19         started        21 3 other processes 9->21 file6 signatures7 process8 signatures9 85 Drops executables to the windows directory (C:\Windows) and starts them 14->85 23 Vulnerability.exe 2 18 14->23         started        27 certutil.exe 3 1 17->27         started        29 find.exe 1 17->29         started        31 find.exe 1 17->31         started        33 cmd.exe 1 19->33         started        process10 file11 43 C:\Users\user\AppData\Local\Temp\nULoYBmSWb, PE32+ 23->43 dropped 69 Antivirus detection for dropped file 23->69 71 Multi AV Scanner detection for dropped file 23->71 73 Accesses win32k, likely to find offsets for exploits 23->73 75 Machine Learning detection for dropped file 23->75 35 conhost.exe 23->35         started        37 WerFault.exe 2 27->37         started        39 conhost.exe 33->39         started        41 timeout.exe 1 33->41         started        signatures12 process13
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f142f2fefbbd174fbc0d3d6cbe4cb5caa48389dfce9ee63f10d82b503e705468
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f142f2fefbbd174fbc0d3d6cbe4cb5caa48389dfce9ee63f10d82b503e705468/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2024-10-24 16:10:19 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
12 of 38 (31.58%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6fbpf7x3xulu7panhvwl4tfvzksihco7z2pompyq3avvaptqkrua._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence vmprotect
Link:
https://tria.ge/reports/241025-gwfshswglj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Executes dropped EXE
VMProtect packed file
Downloads MZ/PE file
Sets service image path in registry
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/2efc2432-096c-412c-b694-2424201ea89d
Unpacked files
SH256 hash:
f142f2fefbbd174fbc0d3d6cbe4cb5caa48389dfce9ee63f10d82b503e705468
MD5 hash:
4c428e14cf5fc2c5e54ba377389c8253
SHA1 hash:
bb3972cfb6adc178d8fd17dde519d15a6471e4b9
Link:
https://www.unpac.me/results/729e5fb3-8f72-48dd-a855-a340b69e5149/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f142f2fefbbd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f142f2fefbbd174fbc0d3d6cbe4cb5caa48389dfce9ee63f10d82b503e705468

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with VMProtect.
Rule name:pe_detect_tls_callbacks
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe f142f2fefbbd174fbc0d3d6cbe4cb5caa48389dfce9ee63f10d82b503e705468

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3252571/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
CHECK_TRUST_INFORequires Elevated Execution (level:requireAdministrator)high
Reviews
IDCapabilitiesEvidence
RPC_APICan Execute Remote ProceduresRPCRT4.dll::RpcStringFreeA
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteA
URL_MONIKERS_APICan Download & Execute componentsurlmon.dll::URLDownloadToFileA
WIN32_PROCESS_APICan Create Process and ThreadsADVAPI32.dll::OpenProcessToken
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryA
WIN_CRYPT_APIUses Windows Crypt APICRYPT32.dll::CertFreeCertificateChainEngine

Comments


Avatar
zbet commented on 2024-10-25 06:08:18 UTC

url : hxxp://185.101.104.122/fortpriv5.exe