MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f2cb4fd774b8ddbff0c2d975a88f1cf46ef9adee8feaaf7c0a837f1435728da8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Adware.Generic

Vendor detections: 15

Intelligence 15 IOCs YARA 6 File information Comments

SHA256 hash:	f2cb4fd774b8ddbff0c2d975a88f1cf46ef9adee8feaaf7c0a837f1435728da8
SHA3-384 hash:	6d937958819905458abf244233c09ea00f42b2c289009e2c97fc6bfbd5f024df2eb81c62732d367abb20844e84ce14c8
SHA1 hash:	f4e2bd6a423fb735901cc1f63e71c924cb4a7b30
MD5 hash:	cd608c39e713f225707b85d9c126373a
humanhash:	avocado-fruit-illinois-magnesium
File name:	SecuriteInfo.com.Win32.Malware-gen.25465.6872
Download:	download sample
Signature	Adware.Generic Create hunting rule
File size:	16'689'472 bytes
First seen:	2024-08-03 20:17:53 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	e569e6f445d32ba23766ad67d1e3787f (259 x Adware.Generic, 41 x RecordBreaker, 24 x RedLineStealer)
ssdeep	393216:P4AtzE6QZW97RtnSqwZXwWmOlx7RtnSqwZ3:PpMuR9SHZgWmuhR9SHZ3
Threatray	1'128 similar samples on MalwareBazaar
TLSH	T1F9F601B6E157F33BEB7D06B3653281005523EA977416481B8A922C09CF262FB1B2FD75
TrID	44.2% (.EXE) Inno Setup installer (107240/4/30) 23.7% (.CPL) Windows Control Panel Item (generic) (57583/11/19) 17.1% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9) 5.3% (.SCR) Windows screen saver (13097/50/3) 4.3% (.EXE) Win64 Executable (generic) (10523/12/4)
File icon (PE):
dhash icon	f0ccecd458d4d4f0 (1 x Adware.Generic)
Reporter	SecuriteInfoCom
Tags:	Adware.Generic exe

Intelligence

File Origin

# of uploads :

# of downloads :

480

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

af23c349efcf3595bffd59c6104cd6d1f2026b0a300d85fb2fe0e0248448bf5f

Verdict:

Malicious activity

Analysis date:

2024-08-02 09:13:11 UTC

Tags:

installer lumma stealer netreactor crypto-regex

Link:

https://app.any.run/tasks/c93fdaf7-5d5b-478f-b052-2e04e7724be9

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict:

Malicious

Score:

90.2%

Link:

https://cyber-fortress.com/docs/result/index.php?id=66ae9080037b02d0daed5e5f

Tags:

Redcap

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file

Launching a process

Enabling autorun by creating a file

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

embarcadero_delphi fingerprint installer lolbin overlay packed redcap setupapi shell32

Link:

https://www.filescan.io/uploads/66ae908b78d5c73fb1cbe99e/reports/b325bafb-5692-4b78-89de-cb0ec8600026/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/f2cb4fd774b8ddbff0c2d975a88f1cf46ef9adee8feaaf7c0a837f1435728da8

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/bef825ab-ed38-4ceb-9eb3-54a965be2303

Result

Threat name:

n/a

Detection:

malicious

Classification:

evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1487335

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Creates a thread in another existing process (thread injection)

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected Costura Assembly Loader

Behaviour

Behavior Graph:

Download SVG

Score:

34%

Verdict:

Susipicious

File Type:

Link:

https://malprob.io/report/f2cb4fd774b8ddbff0c2d975a88f1cf46ef9adee8feaaf7c0a837f1435728da8

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f2cb4fd774b8ddbff0c2d975a88f1cf46ef9adee8feaaf7c0a837f1435728da8/

Threat name:

Win32.Trojan.Donut

Status:

Malicious

First seen:

2024-08-01 03:27:36 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

15 of 24 (62.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6lfu7v3uxdo374gc3f22rdy46rxptlpor7vk67akqn7rinlsrwua._file

Verdict:

malicious

Adware.Generic

53bcea75646e0a3ff08fea4990c0e3458eb5b518bfdd907444485499803ba25d

Adware.Generic

71e762ecac0d40f0f0dd22638eba76ad746059678409cd94aaaea8719aa42fc7

Adware.Generic

9f2c70239fe518552ee44423564b075a85e0fc1e7bd80dc233bcc1f882ffceb9

Adware.Generic

b39010f72fe4fdd3c6fc1d8387fb4391e804694a3749c1beeeebcebb86b0b257

Adware.Generic

f2cb4fd774b8ddbff0c2d975a88f1cf46ef9adee8feaaf7c0a837f1435728da8

Adware.Generic

+ 1'118 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

discovery

Link:

https://tria.ge/reports/240803-y29ffsyepa/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/49bdeefc-9240-4a39-8274-403ee48c396a

Unpacked files

SH256 hash:

6fed732ebcf3ddc993cfb7e513ca947466a043d6e6c50275a26ee1fec77e8bfb

MD5 hash:

f706f42e4a3df7f53875452f7c35bbac

SHA1 hash:

e48cb59bb801a0d5b632efdfec683dee7c382b1b

Link:

https://www.unpac.me/results/b4b8e6bf-b4d2-4b4b-9bfc-f1022d2fa9a6/

SH256 hash:

60b3d15eecda0143ce8f25f2fee065c28c0a621b513f3e1c54e31874e9ca5a30

MD5 hash:

fc6adbfa31b1818cd34be9e436cfa3ba

SHA1 hash:

bbc6bbb8b3499ef50f5bbbfab81b30d6d0eaef86

Detections:

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/b4b8e6bf-b4d2-4b4b-9bfc-f1022d2fa9a6/

SH256 hash:

f2cb4fd774b8ddbff0c2d975a88f1cf46ef9adee8feaaf7c0a837f1435728da8

MD5 hash:

cd608c39e713f225707b85d9c126373a

SHA1 hash:

f4e2bd6a423fb735901cc1f63e71c924cb4a7b30

Link:

https://www.unpac.me/results/b4b8e6bf-b4d2-4b4b-9bfc-f1022d2fa9a6/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/f2cb4fd774b8/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f2cb4fd774b8ddbff0c2d975a88f1cf46ef9adee8feaaf7c0a837f1435728da8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
AUTH_API	Manipulates User Authorization	advapi32.dll::ConvertSidToStringSidW advapi32.dll::ConvertStringSecurityDescriptorToSecurityDescriptorW
SECURITY_BASE_API	Uses Security Base API	advapi32.dll::AdjustTokenPrivileges advapi32.dll::GetTokenInformation
WIN32_PROCESS_API	Can Create Process and Threads	kernel32.dll::CreateProcessW advapi32.dll::OpenProcessToken kernel32.dll::CloseHandle kernel32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	kernel32.dll::LoadLibraryA kernel32.dll::LoadLibraryExW kernel32.dll::LoadLibraryW kernel32.dll::GetSystemInfo kernel32.dll::GetStartupInfoW kernel32.dll::GetDiskFreeSpaceW
WIN_BASE_IO_API	Can Create Files	kernel32.dll::CreateDirectoryW kernel32.dll::CreateFileW kernel32.dll::DeleteFileW kernel32.dll::GetWindowsDirectoryW kernel32.dll::GetSystemDirectoryW kernel32.dll::GetFileAttributesW
WIN_BASE_USER_API	Retrieves Account Information	advapi32.dll::LookupPrivilegeValueW
WIN_REG_API	Can Manipulate Windows Registry	advapi32.dll::RegOpenKeyExW advapi32.dll::RegQueryValueExW
WIN_USER_API	Performs GUI Actions	user32.dll::PeekMessageW user32.dll::CreateWindowExW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample