MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f92695f29c11eed7607949e15ed40c2d6de909adbf3e04dc75b6b34f44ad07f9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f92695f29c11eed7607949e15ed40c2d6de909adbf3e04dc75b6b34f44ad07f9
SHA3-384 hash: 19e86fe16fbfb795d7668fdf8ac8f467d85c1daed0553169b4dbe62fd45ba155ca0e9fc8b472564c930a9dfa55e77633
SHA1 hash: 5eed44c07b1ae8a9248da2c25c2b4c472c1a83a2
MD5 hash: c44f108197b7b0b2a1f5fe5ffe1e8743
humanhash: aspen-bravo-lima-cola
File name:file
Download: download sample
File size:1'765'316 bytes
First seen:2023-06-20 10:48:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e569e6f445d32ba23766ad67d1e3787f (258 x Adware.Generic, 41 x RecordBreaker, 24 x RedLineStealer)
ssdeep 24576:s7FUDowAyrTVE3U5F/v4qKKjzKic6QL3E2vVsjECUAQT45deRV9R3:sBuZrEUkmKIy029s4C1eH95
Threatray 211 similar samples on MalwareBazaar
TLSH T1E885CF3FF268A13EC56E1B3245739220997BBA61B81A8C1E07FC344DCF765601E3B656
TrID 50.4% (.EXE) Inno Setup installer (109740/4/30)
19.7% (.EXE) InstallShield setup (43053/19/16)
19.1% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
4.8% (.EXE) Win64 Executable (generic) (10523/12/4)
2.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 5050d270cccc82ae (109 x Adware.Generic, 43 x LummaStealer, 42 x OffLoader)
Reporter andretavare5
Tags:exe


Avatar
andretavare5
Sample downloaded from https://confignation.store/pub/setup.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
266
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Suspicious activity
Analysis date:
2023-06-20 10:51:31 UTC
Tags:
installer
Link:
https://app.any.run/tasks/3ba09e90-df9c-4b73-9f98-582e75675c4e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/400961/
Detection(s):
SecuriteInfo.com.Win32.Trojan.Ilgergop.UN2CAB.2405.31828.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Searching for the window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/91878/overview
Behaviour
MalwareBazaar
CheckNumberOfProcessor
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
installer lolbin overlay packed setupapi.dll shell32.dll
Link:
https://www.filescan.io/uploads/6491842399f0c0cb0932ec17/reports/0ae103e0-55b6-4e4d-babe-fa7faf86dfec/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/f92695f29c11eed7607949e15ed40c2d6de909adbf3e04dc75b6b34f44ad07f9
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/366a46da-8c6c-4845-adc9-4f3ac642049f
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1258216
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Encrypted powershell cmdline option found
Modifies Group Policy settings
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Snort IDS alert for network traffic
Suspicious powershell command line found
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Very long command line found
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 891236 Sample: file.exe Startdate: 20/06/2023 Architecture: WINDOWS Score: 60 120 Snort IDS alert for network traffic 2->120 122 Multi AV Scanner detection for domain / URL 2->122 124 Antivirus detection for URL or domain 2->124 126 6 other signatures 2->126 12 file.exe 2 2->12         started        15 hZtFDyz.exe 2->15         started        18 powershell.exe 12 2->18         started        20 gpscript.exe 2->20         started        process3 file4 104 C:\Users\user\AppData\Local\Temp\...\file.tmp, PE32 12->104 dropped 22 file.tmp 4 22 12->22         started        106 C:\Windows\Temp\...\knGdkRl.exe, PE32 15->106 dropped 142 Antivirus detection for dropped file 15->142 144 Multi AV Scanner detection for dropped file 15->144 146 Very long command line found 15->146 26 powershell.exe 15->26         started        29 gpupdate.exe 1 18->29         started        31 conhost.exe 18->31         started        signatures5 process6 dnsIp7 110 confignation.store 162.0.229.248, 443, 49700, 49701 NAMECHEAP-NETUS Canada 22->110 112 sureconnect.online 162.254.39.25, 443, 49702, 49705 COGECO-PEER1CA United States 22->112 114 192.168.2.1 unknown unknown 22->114 96 C:\Users\user\AppData\...\installersetup2.exe, PE32 22->96 dropped 98 C:\Users\user\AppData\...\installersetup1.exe, PE32 22->98 dropped 100 C:\Users\user\AppData\...\installersetup.exe, PE32 22->100 dropped 102 2 other files (1 malicious) 22->102 dropped 33 installersetup.exe 7 22->33         started        140 Uses cmd line tools excessively to alter registry or file data 26->140 37 cmd.exe 26->37         started        39 conhost.exe 26->39         started        41 reg.exe 26->41         started        45 13 other processes 26->45 43 conhost.exe 29->43         started        file8 signatures9 process10 file11 90 C:\Users\user\AppData\Local\...\Install.exe, PE32 33->90 dropped 128 Multi AV Scanner detection for dropped file 33->128 47 Install.exe 4 33->47         started        130 Uses cmd line tools excessively to alter registry or file data 37->130 51 reg.exe 37->51         started        signatures12 process13 file14 108 C:\Users\user\AppData\Local\...\Install.exe, PE32 47->108 dropped 116 Multi AV Scanner detection for dropped file 47->116 53 Install.exe 10 47->53         started        signatures15 process16 file17 92 C:\Users\user\AppData\Local\...\hZtFDyz.exe, PE32 53->92 dropped 94 C:\Windows\System32behaviorgraphroupPolicy\gpt.ini, ASCII 53->94 dropped 132 Antivirus detection for dropped file 53->132 134 Multi AV Scanner detection for dropped file 53->134 136 Uses schtasks.exe or at.exe to add and modify task schedules 53->136 138 Modifies Group Policy settings 53->138 57 forfiles.exe 1 53->57         started        59 forfiles.exe 1 53->59         started        61 schtasks.exe 1 53->61         started        63 3 other processes 53->63 signatures18 process19 process20 65 cmd.exe 1 57->65         started        68 conhost.exe 57->68         started        70 cmd.exe 1 59->70         started        72 conhost.exe 59->72         started        74 conhost.exe 61->74         started        76 conhost.exe 63->76         started        78 conhost.exe 63->78         started        80 conhost.exe 63->80         started        signatures21 118 Uses cmd line tools excessively to alter registry or file data 65->118 82 reg.exe 1 1 65->82         started        84 reg.exe 1 65->84         started        86 reg.exe 1 1 70->86         started        88 reg.exe 1 70->88         started        process22
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f92695f29c11eed7607949e15ed40c2d6de909adbf3e04dc75b6b34f44ad07f9/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7etjl4u4chxnoydzjhqv5vamfvw6scnnx47ajxdvw2zu6rfna74q._file
Verdict:
malicious
Similar samples:
1177adfb95bdd9a54a339005976ed4096d23fb4dd2099e91c35fc526c9a7cdbd
345a58b6a943b3a9235473232e3b07d8259a4a852b6b81c73412bef8a404a2f8
4cdace17e01f554f4fc14414d4a634136c7c3afe58d09a7eee935ebeefc17540
af7d9d69a2dfbcedc5d2e94cdb681a8ac5356131486129a4ba505a3dc6f2411e
b715f22a9e37049d09b06c26ca899c4be3c6c21386f70d6d357b3bd481ee1794
ba8e9358ed6bf5b3f2a976850ed3fdccd00ceee0f50a09008b7a957c7c8e2415
fe1b82d8fada96c0ebe4429000c600ff88c19a55340a9f6a68d93bd15419b224
+ 201 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/230620-mwnq1sbe65/
Behaviour
Modifies system certificate store
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Executes dropped EXE
Loads dropped DLL
Downloads MZ/PE file
Unpacked files
SH256 hash:
a7e37f5314834b163fa21557e61c13c0f202fd64d3c0e46e6c90d2d02e033aec
MD5 hash:
6faec01bf7a3d7f5c5dee2e6e3143a58
SHA1 hash:
603a36f817cab5574e58ab279379e5c112e5fb37
Link:
https://www.unpac.me/results/dd5149ba-08b4-4146-89b4-7db5539ba262/
SH256 hash:
c78a3bf391bb8a99278bedd77b5b61983e3fb03f5f5da9eb832ce62cbc3ddd4e
MD5 hash:
9e37da926b7c25f6af0c8225541363c3
SHA1 hash:
8ffb71aa63461583fc6b69c11b32cc3ff3cbb5e1
Link:
https://www.unpac.me/results/dd5149ba-08b4-4146-89b4-7db5539ba262/
SH256 hash:
f92695f29c11eed7607949e15ed40c2d6de909adbf3e04dc75b6b34f44ad07f9
MD5 hash:
c44f108197b7b0b2a1f5fe5ffe1e8743
SHA1 hash:
5eed44c07b1ae8a9248da2c25c2b4c472c1a83a2
Link:
https://www.unpac.me/results/dd5149ba-08b4-4146-89b4-7db5539ba262/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f92695f29c11eed7607949e15ed40c2d6de909adbf3e04dc75b6b34f44ad07f9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/400961/
  
URLhaus
https://urlhaus.abuse.ch/url/2667645/

Comments