MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f7afac39d2754ac953bf129ee094c8b092e349cdf35f1ba23c2c76a0229f9e96. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f7afac39d2754ac953bf129ee094c8b092e349cdf35f1ba23c2c76a0229f9e96
SHA3-384 hash: 7a5a64a370d22e8dcc00a7167abc71594603ddfce70247a5252095b8c440fb0126295f29f09c32aeff337b3236b6975b
SHA1 hash: e057eddf9d2e319967e200a5801e4bbe6e45862a
MD5 hash: 8677376c509f0c66d1f02c6b66d7ef90
humanhash: utah-juliet-timing-kitten
File name:SecuriteInfo.com.Win64.MalwareX-gen.18256.27985
Download: download sample
File size:98'816 bytes
First seen:2024-06-21 21:24:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f56402b453896e6c8e5cdd3b6ac705fa
ssdeep 1536:xcUkaFWP1/og2gnKHNk9DsMvWhuZMTz2PdA24LhtpgcIPfuaNZ:xchd1/NKU1u+A0fuQ
TLSH T176A34B87FF86FDDBCA0B1170C97B030D1225E6CA17C525271D3E92391DAB5A48E5FA82
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon 92e0b496a6cada72 (12 x RedLineStealer, 7 x RaccoonStealer, 5 x BlankGrabber)
Reporter SecuriteInfoCom
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
347
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
explortu.exe
Verdict:
Malicious activity
Analysis date:
2024-06-15 18:59:21 UTC
Tags:
amadey botnet stealer loader risepro evasion redline meta metastealer exfiltration
Link:
https://app.any.run/tasks/480c7167-3cda-4692-8d3d-dd3cacadc455

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win64.MalwareX-gen.18256.27985.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6675efb50591661c2a1fa7d3win7simulatehigh_evasion
Tags:
Malware
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Creating a process from a recently created file
Creating a file in the %temp% subdirectories
Creating a file in the system32 directory
Moving a file to the system32 directory
Launching a process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug packed
Link:
https://www.filescan.io/uploads/6675efb56b8dba248b43cc13/reports/b8206e1d-30b9-4b6c-b06d-40448f7063c3/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/f7afac39d2754ac953bf129ee094c8b092e349cdf35f1ba23c2c76a0229f9e96
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/4e70e9fa-b26d-410c-a4ba-da6b47a44494
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1460934
Signature
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Antivirus detection for URL or domain
Drops executables to the windows directory (C:\Windows) and starts them
Loading BitLocker PowerShell Module
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Script Execution From Temp Folder
Uses powercfg.exe to modify the power settings
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1460934 Sample: SecuriteInfo.com.Win64.Malw... Startdate: 21/06/2024 Architecture: WINDOWS Score: 80 113 Antivirus detection for URL or domain 2->113 115 Multi AV Scanner detection for submitted file 2->115 117 AI detected suspicious sample 2->117 119 Sigma detected: Suspicious Script Execution From Temp Folder 2->119 10 winsvc.exe 70 2->10         started        14 SecuriteInfo.com.Win64.MalwareX-gen.18256.27985.exe 29 2->14         started        17 svchost.exe 2->17         started        process3 dnsIp4 85 C:\Windows\System32\winnet.exe, PE32+ 10->85 dropped 87 C:\Windows\System32\wincfg.exe, PE32+ 10->87 dropped 125 Adds a directory exclusion to Windows Defender 10->125 19 powershell.exe 23 10->19         started        22 powershell.exe 10->22         started        24 powershell.exe 10->24         started        35 14 other processes 10->35 111 104.21.44.95 CLOUDFLARENETUS United States 14->111 89 C:\Users\user\Desktop\SetupWizard.exe, PE32+ 14->89 dropped 91 C:\Users\user\AppData\Local\...\setup[7].exe, PE32+ 14->91 dropped 93 C:\Users\user\AppData\Local\...\setup[6].exe, PE32+ 14->93 dropped 95 6 other files (none is malicious) 14->95 dropped 26 SetupWizard.exe 2 14->26         started        29 SetupWizard.exe 2 14->29         started        31 SetupWizard.exe 2 14->31         started        33 SetupWizard.exe 14->33         started        file5 signatures6 process7 file8 121 Loading BitLocker PowerShell Module 19->121 37 conhost.exe 19->37         started        39 conhost.exe 22->39         started        41 conhost.exe 24->41         started        97 C:\Users\user\AppData\...\SetupWizard.exe, PE32+ 26->97 dropped 43 SetupWizard.exe 1 26->43         started        99 C:\Users\user\AppData\...\SetupWizard.exe, PE32+ 29->99 dropped 47 SetupWizard.exe 29->47         started        101 C:\Users\user\AppData\...\SetupWizard.exe, PE32+ 31->101 dropped 49 SetupWizard.exe 31->49         started        103 C:\Users\user\AppData\...\SetupWizard.exe, PE32+ 33->103 dropped 51 conhost.exe 35->51         started        53 powercfg.exe 35->53         started        55 17 other processes 35->55 signatures9 process10 file11 105 C:\Windows\system32\winsvc.exe (copy), PE32+ 43->105 dropped 107 C:\Windows\system32\.co4468.tmp (copy), PE32+ 43->107 dropped 109 C:\Windows\System32\.co4468.tmp, PE32+ 43->109 dropped 127 Drops executables to the windows directory (C:\Windows) and starts them 43->127 57 winsvc.exe 16 43->57         started        signatures12 process13 signatures14 123 Adds a directory exclusion to Windows Defender 57->123 60 powershell.exe 7 57->60         started        63 powershell.exe 7 57->63         started        65 powershell.exe 7 57->65         started        67 powershell.exe 7 57->67         started        process15 signatures16 129 Uses powercfg.exe to modify the power settings 60->129 69 conhost.exe 60->69         started        71 sc.exe 1 60->71         started        73 conhost.exe 63->73         started        75 sc.exe 1 63->75         started        77 conhost.exe 65->77         started        79 sc.exe 1 65->79         started        81 conhost.exe 67->81         started        83 sc.exe 1 67->83         started        process17
Score:
62%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/f7afac39d2754ac953bf129ee094c8b092e349cdf35f1ba23c2c76a0229f9e96
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f7afac39d2754ac953bf129ee094c8b092e349cdf35f1ba23c2c76a0229f9e96/
Threat name:
Win64.Trojan.Casdet
Create hunting rule
Status:
Malicious
First seen:
2024-06-08 04:16:25 UTC
File Type:
PE+ (Exe)
Extracted files:
3
AV detection:
19 of 38 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=66x2yoosovfmsu57ckpobfgiwcjogson6nprxir4fr3kaiu7t2la._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  8/10
Tags:
execution persistence
Link:
https://tria.ge/reports/240621-z9l6kasakc/
Behaviour
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Embeds OpenSSL
Launches sc.exe
Drops file in System32 directory
Power Settings
Executes dropped EXE
Loads dropped DLL
Command and Scripting Interpreter: PowerShell
Creates new service(s)
Downloads MZ/PE file
Unpacked files
SH256 hash:
f7afac39d2754ac953bf129ee094c8b092e349cdf35f1ba23c2c76a0229f9e96
MD5 hash:
8677376c509f0c66d1f02c6b66d7ef90
SHA1 hash:
e057eddf9d2e319967e200a5801e4bbe6e45862a
Link:
https://www.unpac.me/results/0770b090-644d-409b-ba6e-2ae636934208/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f7afac39d2754ac953bf129ee094c8b092e349cdf35f1ba23c2c76a0229f9e96

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
CHECK_TRUST_INFORequires Elevated Execution (level:requireAdministrator)high
Reviews
IDCapabilitiesEvidence
URL_MONIKERS_APICan Download & Execute componentsurlmon.dll::URLDownloadToFileW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
KERNEL32.dll::CloseHandle

Comments