MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f6c630a444e0c43883d9670bdb3632492678f519b2cbe037cf2acdbafefda032. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 11 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f6c630a444e0c43883d9670bdb3632492678f519b2cbe037cf2acdbafefda032
SHA3-384 hash: b5767a4e2818cd9a300c4a4d82a3892da2ff06076497063d4aedad8871c02cd535d8fc8b8bfec372c6f8fe774c23c7d9
SHA1 hash: ea1159896fe6afb0a0174652e69922740662e28d
MD5 hash: 98a83802a6d772e16356869bb4a481e2
humanhash: yankee-nuts-burger-alaska
File name:98a83802a6d772e16356869bb4a481e2
Download: download sample
File size:23'549'952 bytes
First seen:2024-11-02 22:06:57 UTC
Last seen:2025-03-05 08:15:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7ce28c460544692ee4662469e5f6a2a5 (1 x MeduzaStealer)
ssdeep 98304:2efmcp0lZQqO4KdvFCfqmcWXkc4K2zDoVTHqd83k:jfmHZX8uJcWXXODhd
TLSH T103374131BD115CCBE42D8439AF6C1DA6125374A2871A3BF306B4C4655FEBA811AFE9F0
TrID 63.5% (.EXE) Win64 Executable (generic) (10522/11/4)
12.2% (.EXE) OS/2 Executable (generic) (2029/13)
12.0% (.EXE) Generic Win/DOS Executable (2002/3)
12.0% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
File icon (PE):PE icon
dhash icon cd6e339fe75b132d
Reporter zbetcheckin
Tags:185-215-113-209 64 exe

Intelligence

File Origin
# of uploads :
4
# of downloads :
406
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
98a83802a6d772e16356869bb4a481e2
Verdict:
No threats detected
Analysis date:
2024-11-02 22:08:45 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/fe22e205-118f-4694-90a1-98fe0b5cdc6f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win64.Malware-gen.18882.5040.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6726a2da8d23d9049132e7f3
Tags:
powershell vmdetect gumen
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Searching for the window
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug anti-vm packed packer_detected
Link:
https://www.filescan.io/uploads/6726a289f392b832c9d056b3/reports/63c662ac-b042-4461-b9a2-37cba8d72212/overview
Verdict:
Malicious
Labled as:
QD:Trojan.GenericQ
Link:
https://www.hybrid-analysis.com/sample/f6c630a444e0c43883d9670bdb3632492678f519b2cbe037cf2acdbafefda032
Result
Verdict:
SUSPICIOUS
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1547715
Signature
AI detected suspicious sample
Found suspicious powershell code related to unpacking or dynamic code loading
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Suspicious powershell command line found
Yara detected Powershell decode and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1547715 Sample: kKZbpdYLeC.exe Startdate: 02/11/2024 Architecture: WINDOWS Score: 88 26 Malicious sample detected (through community Yara rule) 2->26 28 Multi AV Scanner detection for submitted file 2->28 30 Yara detected Powershell decode and execute 2->30 32 3 other signatures 2->32 7 kKZbpdYLeC.exe 2 2->7         started        process3 dnsIp4 24 62.60.157.81, 49732, 80 IROST-ASIR Iran (ISLAMIC Republic Of) 7->24 34 Suspicious powershell command line found 7->34 11 powershell.exe 23 7->11         started        14 WMIC.exe 1 7->14         started        16 conhost.exe 7->16         started        18 reg.exe 1 7->18         started        signatures5 process6 signatures7 36 Found suspicious powershell code related to unpacking or dynamic code loading 11->36 38 Loading BitLocker PowerShell Module 11->38 20 WmiPrvSE.exe 11->20         started        22 conhost.exe 11->22         started        process8
Score:
0%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/f6c630a444e0c43883d9670bdb3632492678f519b2cbe037cf2acdbafefda032
Gathering data
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2024-10-26 02:58:00 UTC
File Type:
PE+ (Exe)
Extracted files:
3
AV detection:
18 of 38 (47.37%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=63ddbjce4dcdra6zm4f5wnrsjethr5izwlf6an6pflg3v7x5uaza._file
Result
Malware family:
n/a
Score:
  6/10
Tags:
execution
Link:
https://tria.ge/reports/241102-11mamswpaw/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/30a5872d-b698-4965-b67f-556b9a22ff5d
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f6c630a444e0c43883d9670bdb3632492678f519b2cbe037cf2acdbafefda032

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:DebuggerException__ConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe f6c630a444e0c43883d9670bdb3632492678f519b2cbe037cf2acdbafefda032

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3272432/
  
URLhaus
https://urlhaus.abuse.ch/url/3273403/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
MULTIMEDIA_APICan Play MultimediaWINMM.dll::timeBeginPeriod
WINMM.dll::timeEndPeriod
WINMM.dll::timeGetDevCaps
WINMM.dll::timeGetTime
RPC_APICan Execute Remote ProceduresRPCRT4.dll::RpcStringFreeW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
KERNEL32.dll::OpenProcess
KERNEL32.dll::VirtualAllocExNuma
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::GetSystemInfo
KERNEL32.dll::GetStartupInfoA
KERNEL32.dll::GetDiskFreeSpaceW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::FlushConsoleInputBuffer
KERNEL32.dll::WriteConsoleW
KERNEL32.dll::PeekConsoleInputA
KERNEL32.dll::ReadConsoleInputA
KERNEL32.dll::ReadConsoleInputW
KERNEL32.dll::ReadConsoleW
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileW
KERNEL32.dll::CreateDirectoryExW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileExW
KERNEL32.dll::MoveFileW
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::GetUserNameW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegConnectRegistryW
ADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegCreateKeyW
ADVAPI32.dll::RegDeleteKeyW
ADVAPI32.dll::RegGetValueW
ADVAPI32.dll::RegLoadKeyW
WIN_SOCK_APIUses Network to send and receive dataWS2_32.dll::accept
WS2_32.dll::bind
WS2_32.dll::closesocket
WS2_32.dll::connect
WS2_32.dll::freeaddrinfo
WS2_32.dll::getaddrinfo
WIN_TIME_APICan Modify TimeKERNEL32.dll::SetLocalTime
KERNEL32.dll::SetSystemTimeAdjustment
KERNEL32.dll::SetSystemTime

Comments


Avatar
zbet commented on 2024-11-02 22:06:58 UTC

url : hxxp://185.215.113.217/inc/installer.exe