MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f5f3e5658f8ec6c1e7ffa7e7d6df06d04af1f3a5941206ce23b8be979c60ccb1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f5f3e5658f8ec6c1e7ffa7e7d6df06d04af1f3a5941206ce23b8be979c60ccb1
SHA3-384 hash: 591bf1ddf1a72ddfcad31786b02a0ef9dc649780ea4e25440f511722b97e0fcda9147dc6deee19e1abd5c3edb71e04a5
SHA1 hash: 48c85b4a7b730c9b552a680d302082b27a1f5e65
MD5 hash: 3a865351c5e1814ca842128c437f618f
humanhash: magnesium-may-oklahoma-diet
File name:SecuriteInfo.com.decompression.bomb.26946.18097
Download: download sample
File size:193'777 bytes
First seen:2024-05-22 01:26:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b34f154ec913d2d2c435cbd644e91687 (527 x GuLoader, 110 x RemcosRAT, 80 x EpsilonStealer)
ssdeep 3072:In77v00hEoDEtauzmJS2KY+3C+orGuVlyavCtXya2MNUa8b32tvhOEA1RJCir86n:I740I4S2KYaC+GlnPCtC2Ua8T2t0EyLp
TLSH T15114010863F0C163E4F70F3157B587A75BB6F5122A385B4337812B8D386AAA5CD2D780
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE):PE icon
dhash icon f0c4828aba9ac071
Reporter SecuriteInfoCom
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
332
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f5f3e5658f8ec6c1e7ffa7e7d6df06d04af1f3a5941206ce23b8be979c60ccb1.exe
Verdict:
Suspicious activity
Analysis date:
2024-05-22 01:26:59 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/967721ba-e5da-4ffd-97f8-768064e79cf1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.decompression.bomb.26946.18097.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
89.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=664d4a3625570c503d850183win7simulatehigh_evasion
Tags:
n/a
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
installer lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/664d49f8cc3f31c6c20745b8/reports/36369614-ee7b-4f2b-b523-37eaadd68fde/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/f5f3e5658f8ec6c1e7ffa7e7d6df06d04af1f3a5941206ce23b8be979c60ccb1
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/d4bb0212-dc32-461c-abc0-ebf209782edd
Result
Threat name:
n/a
Detection:
clean
Classification:
n/a
Score:
3 / 100
Link:
https://www.joesandbox.com/analysis/1445460
Behaviour
Behavior Graph:
n/a
Score:
1%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/f5f3e5658f8ec6c1e7ffa7e7d6df06d04af1f3a5941206ce23b8be979c60ccb1
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f5f3e5658f8ec6c1e7ffa7e7d6df06d04af1f3a5941206ce23b8be979c60ccb1/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6xz6kzmpr3dmdz77u7t5nxyg2bfpd45fsqjantrdxc7jphdazsyq._file
Verdict:
unknown
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/240522-bt5qzagb6v/
Behaviour
Enumerates physical storage devices
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/540ba52f-0238-438b-875c-d5731795dd9e
Unpacked files
SH256 hash:
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
MD5 hash:
c6a6e03f77c313b267498515488c5740
SHA1 hash:
3d49fc2784b9450962ed6b82b46e9c3c957d7c15
Link:
https://www.unpac.me/results/6d222f26-db36-44cf-9a03-a1e6fb42391e/
SH256 hash:
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
MD5 hash:
0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 hash:
48df0911f0484cbe2a8cdd5362140b63c41ee457
Link:
https://www.unpac.me/results/6d222f26-db36-44cf-9a03-a1e6fb42391e/
SH256 hash:
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
MD5 hash:
adb29e6b186daa765dc750128649b63d
SHA1 hash:
160cbdc4cb0ac2c142d361df138c537aa7e708c9
Detections:
INDICATOR_TOOL_UAC_NSISUAC
Create hunting rule
Link:
https://www.unpac.me/results/6d222f26-db36-44cf-9a03-a1e6fb42391e/
Parent samples :
f5f3e5658f8ec6c1e7ffa7e7d6df06d04af1f3a5941206ce23b8be979c60ccb1
6e22c0f2732195063cb4984c6520c3b85e1236e967f8bb05b3c1b35139d2917b
713a497c8da97c2082758fd31147539f408a72b62041c6c9ed77037021621e94
dbde8a4bd71bb1fbc0511cdb657dfeffdaedc513aa425f856043532a7cba6fce
ac142a8087949b5ad4e3a503ca37609845112c4f7e0cd1376669c9d5c8f5cdf2
15d4dbafb6fb1770507db7769b2df6f3857da0ad3203a71c5f82a99688dac2b3
b96862087581adb9ecfb9615a46eedb29d13c606e708b7b532ce6ed3217925a4
4f2e6dc8e4d8e0dfcc44a28d34c10653bd833abb8832e47e609d255f246c67f0
df61dc2d24f2e475e0a8971c5d21c1c48e9505be67714aafb4afd670aad297e3
60b1aa37a4ac40d5c5adf2de28782976934731408b6c2e89511e1bc5947d5bbd
f7ae58f22cbdeb69318f6cb3ff3757a9888e8731febd66e85ee9938f874705c9
fbfe2108631e3ccaa8db2f5c4439009c7a5a53136481b422236eefe2e48b690f
340b93c76e6f489982a23d2e04df0ad05a03c3d744ecb5badc3c041eca945af2
34a5c9c0106b37687fbdd51a60a026d06e7301ec40b1f7fb49384d8fe748e9e6
503c9fae00b047a77059de8e9ff6dddb6d2584f18ccf6480d69d395c65492ad4
SH256 hash:
1e40211af65923c2f4fd02ce021458a7745d28e2f383835e3015e96575632172
MD5 hash:
466179e1c8ee8a1ff5e4427dbb6c4a01
SHA1 hash:
eb607467009074278e4bd50c7eab400e95ae48f7
Link:
https://www.unpac.me/results/6d222f26-db36-44cf-9a03-a1e6fb42391e/
SH256 hash:
f5f3e5658f8ec6c1e7ffa7e7d6df06d04af1f3a5941206ce23b8be979c60ccb1
MD5 hash:
3a865351c5e1814ca842128c437f618f
SHA1 hash:
48c85b4a7b730c9b552a680d302082b27a1f5e65
Link:
https://www.unpac.me/results/6d222f26-db36-44cf-9a03-a1e6fb42391e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.64
Link:
https://yomi.yoroi.company/submissions/f5f3e5658f8ec6c1e7ffa7e7d6df06d04af1f3a5941206ce23b8be979c60ccb1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NSIS_April_2024
Create hunting rule
Author:NDA0N
Description:Detects NSIS installers

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::SetFileSecurityW
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExW
SHELL32.dll::SHFileOperationW
SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetDiskFreeSpaceW
KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileExW
KERNEL32.dll::MoveFileW
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegDeleteKeyW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuW
USER32.dll::EmptyClipboard
USER32.dll::FindWindowExW
USER32.dll::OpenClipboard
USER32.dll::PeekMessageW
USER32.dll::CreateWindowExW

Comments