MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f4d0995a2fe461ce29b3fb7b4a8479b92a47396d245fe627ba56881877dcbe25. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f4d0995a2fe461ce29b3fb7b4a8479b92a47396d245fe627ba56881877dcbe25
SHA3-384 hash: e1888772f8a33f876788c311b77f7f62705e7b2e49cf1379f0fb0c9db7e62f84f34f07957a2eac69e143f568678e87bf
SHA1 hash: 930d91f69499a6d2abc057716cc0d152a4828840
MD5 hash: 044741b1e7376ba4293de08c219c8d4d
humanhash: march-berlin-march-four
File name:Counter Strike2 CHEAT.exe
Download: download sample
File size:74'215'459 bytes
First seen:2023-11-09 21:15:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b34f154ec913d2d2c435cbd644e91687 (527 x GuLoader, 110 x RemcosRAT, 80 x EpsilonStealer)
ssdeep 1572864:14/4rzOchPTEXJ8uWBIgYA+FldhnMwZhZeSVygoOFKIms4lRZU7cZ+H7:CkqcdTEXJFoN3qXhJ7cSYNtIERo3H7
Threatray 46 similar samples on MalwareBazaar
TLSH T1ABF7332D1A428BDFD791D6FEE36D7306F0AC0A601DD438997A0C755D09C88A60FBB35A
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 14f2f119b9b5a4a4
Reporter Anonymous
Tags:electron exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
315
Origin country :
SE SE
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Creating a process from a recently created file
Creating a window
Creating a file
DNS request
Running batch commands
Creating a process with a hidden window
Launching a process
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Unauthorized injection to a recently created process
Sending an HTTP GET request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control installer lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/654d4c19993fbf888b6cdd63/reports/3e47bfb4-4277-4165-8f8d-2143bb15a829/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/f4d0995a2fe461ce29b3fb7b4a8479b92a47396d245fe627ba56881877dcbe25
Result
Verdict:
MALICIOUS
Result
Threat name:
n/a
Detection:
malicious
Classification:
phis.spyw.evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1340010
Signature
Overwrites Mozilla Firefox settings
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Uses cmd line tools excessively to alter registry or file data
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1340010 Sample: Counter_Strike2_CHEAT.exe Startdate: 09/11/2023 Architecture: WINDOWS Score: 60 65 www.google.com 2->65 67 raw.githubusercontent.com 2->67 69 3 other IPs or domains 2->69 79 Uses cmd line tools excessively to alter registry or file data 2->79 10 Counter_Strike2_CHEAT.exe 207 2->10         started        signatures3 process4 file5 49 C:\Users\user\...\Counter Strike2 CHEAT.exe, PE32+ 10->49 dropped 51 C:\Users\user\AppData\Local\...\nsis7z.dll, PE32 10->51 dropped 53 C:\Users\user\AppData\Local\...\System.dll, PE32 10->53 dropped 55 13 other files (none is malicious) 10->55 dropped 13 Counter Strike2 CHEAT.exe 43 10->13         started        process6 dnsIp7 73 api.gofile.io 51.38.43.18, 443, 49751 OVHFR France 13->73 75 www.google.com 142.251.33.68, 49736, 80 GOOGLEUS United States 13->75 77 2 other IPs or domains 13->77 57 C:\Users\user\AppData\...\places.sqlite_tmp, SQLite 13->57 dropped 59 C:\Users\user\AppData\...\cookies.sqlite_tmp, SQLite 13->59 dropped 61 C:\Users\user\AppData\Local\...\Web Data_tmp, SQLite 13->61 dropped 63 5 other files (3 malicious) 13->63 dropped 85 Uses cmd line tools excessively to alter registry or file data 13->85 87 Overwrites Mozilla Firefox settings 13->87 89 Tries to harvest and steal browser information (history, passwords, etc) 13->89 18 cmd.exe 1 13->18         started        20 cmd.exe 1 13->20         started        23 cmd.exe 13->23         started        25 34 other processes 13->25 file8 signatures9 process10 dnsIp11 28 WMIC.exe 1 18->28         started        31 conhost.exe 18->31         started        81 Suspicious powershell command line found 20->81 33 tasklist.exe 1 20->33         started        35 conhost.exe 20->35         started        43 2 other processes 23->43 71 chrome.cloudflare-dns.com 172.64.41.3, 443, 49742 CLOUDFLARENETUS United States 25->71 37 conhost.exe 25->37         started        39 conhost.exe 25->39         started        41 conhost.exe 25->41         started        45 56 other processes 25->45 signatures12 process13 signatures14 83 Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes) 28->83 47 Conhost.exe 37->47         started        process15
Score:
97%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f4d0995a2fe461ce29b3fb7b4a8479b92a47396d245fe627ba56881877dcbe25
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6tijswrp4rq44knt7n5uvbdzxeveoolnerp6mj52k2ebq564xysq._file
Verdict:
unknown
Similar samples:
10da02d97bac2bd149bd1f3937a4739d8193e93b6142d888f528e4c5fa2b426b
1b7e07ca51f111803466a9d888eb8c42b0508329ff31e529f2d747f785e11c5f
2b7fda9022313bcf0d6bc31aa1058ccfcbbb925fd24529b43e7ec29f46fc3c70
52636749d75f870099f5e84af6225309980ae7c2fe5e190c9685b960d9577b86
866ad0e1f44d12677e3cd565d47283d6229df46e23387c1ed482abe145ce080d
9a724dd1c38c698ac3be3e0e5bc128b0875e9f4ed6226ae73c85eba661d6a65a
ce17af59a2414b2dd199529a1c0e47d9bdd9b7f01c793b0e7dacaf27b12abca3
ceb8949a84d139477c8531d556f9b1dedad152e51c5caec0b95af239cd890131
fb888cb52b9acd732b3a8cd1e0928cdd86dbc4a8de01f1d48e41fce153e3b0c4
+ 36 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/231109-z4gc5aea7v/
Behaviour
Collects information from the system
Detects videocard installed
Enumerates processes with tasklist
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Executes dropped EXE
Loads dropped DLL
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f4d0995a2fe4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:maldoc_OLE_file_magic_number
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments