MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f22452a13635e4651b51c1491312a74891ca1dcd1b5072cbb978c06dc0a560ca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Adware.Generic


Vendor detections: 8



SHA256 hash: f22452a13635e4651b51c1491312a74891ca1dcd1b5072cbb978c06dc0a560ca
SHA3-384 hash: 19f44a393ae2ca037092c6ef1fdec9f998acda31437fda36908485a0c566886ad9961cf76fb34b56ebd17bf3d4f9c3ef
SHA1 hash: 13ef47d5b5be444392127967345c88f7d0670ea8
MD5 hash: 3a1844a86f804c69f5d61676b5499681
humanhash: oregon-connecticut-lima-oklahoma
File name:run_206fc.exe
Download: download sample
Signature Adware.Generic
File size:1'931'242 bytes
First seen:2023-08-08 16:24:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e569e6f445d32ba23766ad67d1e3787f (262 x Adware.Generic, 41 x RecordBreaker, 24 x RedLineStealer)
ssdeep 24576:s7FUDowAyrTVE3U5F/pQ6kq+w9cf1TGKic6QL3E2vVsjECUAQT45deRV9Rf:sBuZrEUp1zo1qKIy029s4C1eH95
Threatray 5 similar samples on MalwareBazaar
TLSH T1A395CF3FF268A13EC56A1B3245B38310997BBA61B81A8C1E47FC344DCF765601E3B656
TrID 50.4% (.EXE) Inno Setup installer (109740/4/30)
19.7% (.EXE) InstallShield setup (43053/19/16)
19.1% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
4.8% (.EXE) Win64 Executable (generic) (10523/12/4)
2.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 5050d270cccc82ae (109 x Adware.Generic, 43 x LummaStealer, 42 x OffLoader)
Reporter xr1pper
Tags:Adware.Generic exe Troja
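Before detonating or sharing a downloaded copy, a practitioner checks that the file on disk matches the hashes listed above, and hashes anything unpacked from it against the entry's unpacked-file list further down. The following is an added example (standard-library Python), not MalwareBazaar's own code; the hash values are the ones printed on this page, and the reference to innoextract output in a comment is an assumption about how the Inno Setup payload would be extracted.

```python
"""Check a downloaded copy of this sample against the hashes listed in the
entry, and classify files unpacked from it by SHA256.  Added example, not
MalwareBazaar's own code; hash values are copied from this entry."""
import hashlib
from pathlib import Path
from typing import Dict, List, Tuple

ALGOS = ("md5", "sha1", "sha256", "sha3_384")

# Hashes listed in the entry above for run_206fc.exe.
EXPECTED: Dict[str, str] = {
    "md5": "3a1844a86f804c69f5d61676b5499681",
    "sha1": "13ef47d5b5be444392127967345c88f7d0670ea8",
    "sha256": "f22452a13635e4651b51c1491312a74891ca1dcd1b5072cbb978c06dc0a560ca",
    "sha3_384": "19f44a393ae2ca037092c6ef1fdec9f998acda31437fda36908485a0c566886ad9961cf76fb34b56ebd17bf3d4f9c3ef",
}

# SHA256 values the entry's "Unpacked files" section lists.
KNOWN_SHA256 = {
    EXPECTED["sha256"]: "sample",
    "899f4bc134860bd4ead33fc3972632274adcbf9b6cb9fd83b97a854a34d71151": "unpacked",
}


def compute_hashes(data: bytes) -> Dict[str, str]:
    """Hash an in-memory blob with every algorithm the entry lists."""
    return {a: hashlib.new(a, data).hexdigest() for a in ALGOS}


def hash_file(path: Path, chunk: int = 1 << 20) -> Dict[str, str]:
    """Stream the file so a large installer does not have to fit in memory."""
    hs = {a: hashlib.new(a) for a in ALGOS}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hs.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hs.items()}


def verify(actual: Dict[str, str], expected: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (algo, expected, actual) for every mismatch; an empty list means the copy matches."""
    return [(a, expected[a], actual.get(a, "")) for a in expected if actual.get(a) != expected[a]]


def is_pe(data: bytes) -> bool:
    """The entry reports MIME application/x-dosexec; a PE file starts with the MZ header."""
    return data[:2] == b"MZ"


def classify_sha256(digest: str) -> str:
    """sample / unpacked / unknown according to the SHA256 values on this page."""
    return KNOWN_SHA256.get(digest.lower(), "unknown")


def triage_dir(directory: Path) -> Dict[str, str]:
    """Map every file under `directory` (e.g. innoextract output, an assumption) to a class."""
    return {str(p): classify_sha256(hash_file(p)["sha256"])
            for p in directory.rglob("*") if p.is_file()}


if __name__ == "__main__":
    import sys
    target = Path(sys.argv[1])
    mismatches = verify(hash_file(target), EXPECTED)
    print("match" if not mismatches else f"MISMATCH: {mismatches}")
```

Run it as `python check.py run_206fc.exe`; any non-empty mismatch list means the download is not the file this entry describes and should not be attributed to it. The imphash, ssdeep and TLSH values above need third-party libraries (pefile, ssdeep, py-tlsh) and are deliberately left out of this standard-library check.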

Intelligence


File Origin
# of uploads :
1
# of downloads :
388
Origin country :
EG
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
run_206fc.exe
Verdict:
No threats detected
Analysis date:
2023-08-08 16:28:09 UTC
Tags:
installer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating synchronization primitives
Searching for synchronization primitives
Searching for the window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control installer lolbin overlay packed setupapi shell32
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.evad.spre
Score:
54 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Infects executable files (exe, dll, sys, html)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Behaviour
Behavior Graph (ID 1287968, sample run_206fc.exe, start date 08/08/2023, architecture WINDOWS, score 54), flattened here from the graph image into a process tree. Node numbers in parentheses are the graph's own; "..." inside paths is as rendered on the page.

Start (2)
  Network: wcdownloadercdn.lavasoft.com; wc-update-service.lavasoft.com; 2 other IPs or domains
  Signatures: Snort IDS alert for network traffic; Antivirus detection for URL or domain; Antivirus detection for dropped file; 4 other signatures
  Started: msiexec.exe (15); run_206fc.exe (19); Windows Updater.exe (21); 4 other processes (24)

  (15) msiexec.exe
    Dropped: C:\Windows\System32\vcruntime140_1.dll (PE32+); C:\Windows\System32\vcruntime140.dll (PE32+); C:\Windows\System32\vcomp140.dll (PE32+); 62 other malicious files
    Signature: Infects executable files (exe, dll, sys, html)
    Started: msiexec.exe (26), (31), (33), (35)
      (26) msiexec.exe
        Network: pstbbk.com 157.230.96.32 (DIGITALOCEAN-ASN, US); collect.installeranalytics.com 54.160.207.153 (AMAZON-AES, US)
        Dropped: C:\Users\user\AppData\Local\...\shiBF60.tmp (PE32); C:\Users\user\AppData\Local\...\shiBE94.tmp (PE32)
        Signature: Query firmware table information (likely to detect VMs)
        Started: taskkill.exe (45) -> conhost.exe (56)
      (31) msiexec.exe
        Network: 192.168.2.1 (unknown)
        Dropped: C:\Users\user\AppData\Local\...\shiB166.tmp (PE32); C:\Users\user\AppData\Local\...\shiB0AA.tmp (PE32)
      (33) msiexec.exe
        Dropped: C:\Windows\Temp\shi5C0.tmp (PE32); C:\Windows\Temp\shi4C5.tmp (PE32)
      (35) msiexec.exe

  (19) run_206fc.exe
    Dropped: C:\Users\user\AppData\Local\...\run_206fc.tmp (PE32)
    Started: run_206fc.tmp (37)
      (37) run_206fc.tmp
        Network: sistersshame.xyz 104.21.25.118:80 (CLOUDFLARENET, US); woolcalendar.online 188.114.97.7:80 (CLOUDFLARENET, EU)
        Dropped: C:\Users\user\AppData\...\setup.exe (copy) (PE32); 4 other files (3 malicious)
        Signature: Performs DNS queries to domains with low reputation
        Started: setup.exe (47)
          (47) setup.exe
            Dropped: C:\Users\user\AppData\Local\...\setup.tmp (PE32)
            Started: setup.tmp (58)
              (58) setup.tmp
                Network: d1sv1mvf97shge.cloudfront.net 18.165.185.63 (MIT-GATEWAYS, US); webcompanion.com 104.18.212.25 (CLOUDFLARENET, US); 5 other IPs or domains
                Dropped: C:\Users\user\AppData\Local\Temp\...\s3.exe, s2.exe, s1.exe (all PE32); 3 other files (2 malicious)
                Signature: Performs DNS queries to domains with low reputation
                Started: s3.exe (65); s0.exe (69); s2.exe (71); s1.exe (73)
                  (65) s3.exe
                    Dropped: C:\...\WebCompanionInstaller.resources.dll (PE32, two copies); 11 other malicious files
                    Signature: Multi AV Scanner detection for dropped file
                  (69) s0.exe
                    Dropped: C:\Users\user\AppData\Local\Temp\...\s0.tmp (PE32)
                    Started: s0.tmp (76)
                      (76) s0.tmp
                        Dropped: C:\Users\user\AppData\...\unins000.exe (copy) (PE32); C:\Users\user\AppData\...\is-Q348N.tmp (PE32+); C:\Users\user\AppData\...\is-DHT37.tmp (PE32); 4 other files (3 malicious)
                        Signature: Uses schtasks.exe or at.exe to add and modify task schedules
                        Started: DigitalPulseService.exe (85); _setup64.tmp (88) -> conhost.exe (97); schtasks.exe (90) -> conhost.exe (99); schtasks.exe (92) -> conhost.exe (101)
                          (85) DigitalPulseService.exe
                            Network: bapp.digitalpulsedata.com 3.98.219.138:443 (AMAZON-02, US)
                  (71) s2.exe
                    Dropped: C:\Users\user\AppData\Local\Temp\...\s2.tmp (PE32)
                    Started: s2.tmp (80)
                      (80) s2.tmp
                        Network: api.joinmassive.com 13.224.103.16 (AMAZON-02, US); 13.224.103.95 (AMAZON-02, US); aka.ms 104.83.112.120 (AKAMAI-AS, US)
                        Dropped: C:\Users\user\...\vc_redist.x64.exe (copy) (PE32); C:\Users\user\AppData\Local\...\is-TQJIT.tmp (PE32); C:\Users\user\AppData\...\PEInjector.dll (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
                        Started: vc_redist.x64.exe (94)
                          (94) vc_redist.x64.exe
                            Dropped: C:\Windows\Temp\...\vc_redist.x64.exe (PE32)
                            Started: vc_redist.x64.exe (103)
                              (103) vc_redist.x64.exe
                                Dropped: C:\Windows\Temp\...\VC_redist.x64.exe (PE32); C:\Windows\Temp\...\wixstdba.dll (PE32)
                                Started: VC_redist.x64.exe (106)
                                  (106) VC_redist.x64.exe
                                    Dropped: C:\ProgramData\...\VC_redist.x64.exe (PE32)
                                    Started: VC_redist.x64.exe (109)
                  (73) s1.exe
                    Network: 52.71.211.199 (AMAZON-AES, US); collect.installeranalytics.com
                    Dropped: C:\Users\user\AppData\Roaming\...\decoder.dll (PE32); C:\Users\user\AppData\...\Windows Updater.exe (PE32); C:\Users\user\AppData\Local\...\shiAE59.tmp (PE32+); 3 other malicious files
                    Started: msiexec.exe (83)

  (21) Windows Updater.exe
    Network: allroadslimit.com
    Dropped: C:\Windows\Temp\...\Windows Updater.exe (PE32)
    Started: Windows Updater.exe (39)
      (39) Windows Updater.exe
        Network: dl.likeasurfer.com 104.21.32.100 (CLOUDFLARENET, US)
        Dropped: 4 other malicious files
        Started: v113.exe (50)
          (50) v113.exe
            Dropped: C:\Windows\Temp\shi1E7.tmp (PE32+); C:\Windows\Temp\MSI43B.tmp (PE32); C:\Windows\Temp\MSI311.tmp (PE32); 2 other malicious files
            Started: msiexec.exe (63)

  (24) 4 other processes
    Network: win-peer-pbm-ecs-lb-495161369.ca-central-1.elb.amazonaws.com 52.60.194.232:443 (AMAZON-02, US); updater.digitalpulsedata.com; 2 other IPs or domains
    Started: VC_redist.x64.exe (41) -> VC_redist.x64.exe (52), which dropped C:\Users\user\AppData\Local\...\wixstdba.dll (PE32); tasklist.exe (43) -> conhost.exe (54)
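Two of the behaviours reported above, a process launched from a file written to a temp directory moments earlier and schtasks.exe spawned by an installer's *.tmp stage, can be turned into detection logic over endpoint telemetry. The block below is an added example and not the sandbox's or MalwareBazaar's code: the event records are constructed to mirror the reported process tree, and the field names, the is-XXXXX.tmp staging paths and the task name are assumptions, not values taken from the report.

```python
"""Detection logic for two of the behaviours reported above: a process launched
from a file written to a temp directory moments earlier, and schtasks.exe
spawned by an installer's *.tmp stage.  Added example, not sandbox or
MalwareBazaar code.  The events below are constructed to mirror the reported
process tree; field names, paths and the task name are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple

# Directories that installers and droppers commonly write to before executing.
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


@dataclass
class Event:
    ts: datetime
    kind: str          # "file_create" or "process_create"
    path: str          # file written, or image of the new process
    parent: str = ""   # parent image (process_create only)
    cmdline: str = ""  # command line (process_create only)


def in_temp(path: str) -> bool:
    p = path.lower()
    return any(d in p for d in TEMP_DIRS)


def detect(events: List[Event],
           window: timedelta = timedelta(seconds=60)) -> List[Tuple[str, str, str]]:
    """Walk events in time order and return (rule, subject, parent) hits."""
    created = {}   # lower-cased path -> time it was written
    hits = []
    for e in sorted(events, key=lambda x: x.ts):
        if e.kind == "file_create":
            created[e.path.lower()] = e.ts
            continue
        if e.kind != "process_create":
            continue
        img, par = e.path.lower(), e.parent.lower()
        # Rule 1: executable written to a temp dir and run within `window`.
        t0 = created.get(img)
        if t0 is not None and in_temp(img) and e.ts - t0 <= window:
            hits.append(("exec_of_recently_dropped_temp_file", e.path, e.parent))
        # Rule 2: task creation from an installer stage (*.tmp under a temp dir).
        if (img.endswith("\\schtasks.exe") and "/create" in e.cmdline.lower()
                and par.endswith(".tmp") and in_temp(par)):
            hits.append(("schtasks_from_installer_tmp", e.cmdline, e.parent))
    return hits


T = datetime(2023, 8, 8, 16, 28, 0)
# Constructed events; staging paths and the task name are illustrative.
SAMPLE_EVENTS = [
    Event(T, "process_create", r"C:\Users\user\Desktop\run_206fc.exe",
          parent=r"C:\Windows\explorer.exe"),
    Event(T + timedelta(seconds=1), "file_create",
          r"C:\Users\user\AppData\Local\Temp\is-ABCDE.tmp\run_206fc.tmp"),
    Event(T + timedelta(seconds=2), "process_create",
          r"C:\Users\user\AppData\Local\Temp\is-ABCDE.tmp\run_206fc.tmp",
          parent=r"C:\Users\user\Desktop\run_206fc.exe"),
    Event(T + timedelta(seconds=10), "file_create",
          r"C:\Users\user\AppData\Local\Temp\is-FGHIJ.tmp\s0.tmp"),
    Event(T + timedelta(seconds=11), "process_create",
          r"C:\Users\user\AppData\Local\Temp\is-FGHIJ.tmp\s0.tmp",
          parent=r"C:\Users\user\AppData\Local\Temp\s0.exe"),
    Event(T + timedelta(seconds=12), "process_create",
          r"C:\Windows\System32\schtasks.exe",
          parent=r"C:\Users\user\AppData\Local\Temp\is-FGHIJ.tmp\s0.tmp",
          cmdline='schtasks.exe /Create /SC ONLOGON /TN "UpdaterTask" '
                  '/TR "C:\\ProgramData\\Updater\\svc.exe" /F'),
    # Benign: a query, and from explorer.exe rather than an installer stage.
    Event(T + timedelta(seconds=13), "process_create",
          r"C:\Windows\System32\schtasks.exe",
          parent=r"C:\Windows\explorer.exe", cmdline="schtasks.exe /Query"),
    # Written long before it runs: outside the window, so rule 1 stays quiet.
    Event(T + timedelta(seconds=20), "file_create", r"C:\Windows\Temp\late.exe"),
    Event(T + timedelta(seconds=200), "process_create", r"C:\Windows\Temp\late.exe",
          parent=r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for rule, subject, parent in detect(SAMPLE_EVENTS):
        print(f"{rule}: {subject}  (parent: {parent})")
```

On the constructed events this reports the two temp-staged executions and the one schtasks /Create from an installer stage, and stays quiet on the /Query and on the file run long after it was written. Rule 1 fires on legitimate Inno Setup and MSI installers too, so on a real fleet it is a hunting query or a low-severity correlation input, not a blocking alert; rule 2 is the sharper of the two.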
Threat name:
Win32.Trojan.Generic
Status:
Malicious
First seen:
2023-08-08 16:25:08 UTC
File Type:
PE (Exe)
Extracted files:
11
AV detection:
7 of 38 (18.42%)
Threat level:
  2/5
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Executes dropped EXE
Loads dropped DLL
Unpacked files
SHA256 hash:
899f4bc134860bd4ead33fc3972632274adcbf9b6cb9fd83b97a854a34d71151
MD5 hash:
aa30c3b6171954c603ee2ca1a7296627
SHA1 hash:
4a9b7b50d0c76ef4427bb79bfe90e947c697a6d9
SHA256 hash:
f22452a13635e4651b51c1491312a74891ca1dcd1b5072cbb978c06dc0a560ca
MD5 hash:
3a1844a86f804c69f5d61676b5499681
SHA1 hash:
13ef47d5b5be444392127967345c88f7d0670ea8
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Author:malware-lu
Rule name:shellcode
Author:nex
Description:Matched shellcode byte patterns

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method | Signature | File
Web download | Adware.Generic | Executable exe f22452a13635e4651b51c1491312a74891ca1dcd1b5072cbb978c06dc0a560ca (this sample)

Delivery method: Distributed via web download

Comments