MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f7c1aa4164f0c17980bba13ab571ef20deaf60a3444266b7436f8de6bdace5be. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 9



SHA256 hash: f7c1aa4164f0c17980bba13ab571ef20deaf60a3444266b7436f8de6bdace5be
SHA3-384 hash: e631c6f9c206477c4910d9169a8dfed573a127be9d6adf781ae1d6db471ebef53e247674c846cdc49e807f98ff300b4e
SHA1 hash: 55472e826f82ca5610ccb1a5dc0d0865ef08166f
MD5 hash: 6c53dc02df6b42fb589f7afd0b374557
humanhash: washington-papa-ink-august
File name: SecuriteInfo.com.Gen.Variant.Lazy.196912.13979.1771
File size: 2'867'555 bytes
First seen: 2022-06-17 11:59:50 UTC
Last seen: 2022-06-17 12:39:54 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash e569e6f445d32ba23766ad67d1e3787f (259 x Adware.Generic, 41 x RecordBreaker, 24 x RedLineStealer)
ssdeep 49152:tBuZrEUoCGbyKdGhw1bumdwA1RQNtiBt5X355DdN7POGjK:7kLEmKdGhSu9A7etOtB355ljK
TLSH T1B2D5F13FF268A53EC5AE1B3145B38220997BBA61681B8C1E47FC344CCF765601E3B656
TrID 49.7% (.EXE) Inno Setup installer (109740/4/30)
19.5% (.EXE) InstallShield setup (43053/19/16)
18.8% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
4.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.0% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon 5050d270cccc82ae (109 x Adware.Generic, 43 x LummaStealer, 42 x OffLoader)
Reporter SecuriteInfoCom
Tags: exe

Intelligence

File Origin
# of uploads: 2
# of downloads: 239
Origin country: n/a

Vendor Threat Intelligence
Result
Verdict: Clean
Maliciousness:
Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating synchronization primitives
Searching for synchronization primitives
Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
MalwareBazaar
CheckNumberOfProcessor
CheckCmdLine
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: overlay packed setupapi.dll shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: troj
Score: 42 / 100
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Performs DNS queries to domains with low reputation
Yara detected Generic Downloader
Behaviour
Threat name: Win32.Dropper.Convagent
Status: Malicious
First seen: 2022-06-12 01:38:59 UTC
File Type: PE (Exe)
AV detection: 6 of 41 (14.63%)
Threat level: 3/5
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
Suspicious use of WriteProcessMemory
Loads dropped DLL
Executes dropped EXE
Unpacked files
SHA256 hash: 1b17a62cc47c2c08b3fe045333fec3562ce658a8112d7bba9456a8ddda401126
MD5 hash: 2faffd368c0b1f8834129d164b10d5c0
SHA1 hash: 5b1593b15f2cbabfb34495590a786297c80ae1a5
SHA256 hash: a6e2bacbdf15ca15339831af3ced389a2071d930d60f91a418163f04ae2216b3
MD5 hash: 6ee65401fbe040d8f477481f46874deb
SHA1 hash: 3b8b840b2f0b22f64fcf9968fe72bed275b25263
SHA256 hash: c9116da2441eaeaf72e98efc3f0bbf1c3bcf34afa336423867d2b9a5b5d033a6
MD5 hash: 60aec59bc134998b91b36c58009fb865
SHA1 hash: be8a98c6eecc42cc02c6dd3a7a1e1eef2d5d6aab
SHA256 hash: f7c1aa4164f0c17980bba13ab571ef20deaf60a3444266b7436f8de6bdace5be
MD5 hash: 6c53dc02df6b42fb589f7afd0b374557
SHA1 hash: 55472e826f82ca5610ccb1a5dc0d0865ef08166f
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: exploit_any_poppopret
Author: Jeff White [karttoon@gmail.com] @noottrak
Description: Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe f7c1aa4164f0c17980bba13ab571ef20deaf60a3444266b7436f8de6bdace5be (this sample)

Delivery method
Distributed via web download
