MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f95fdca4f8709816b40f99b492f57e383ab60dee9d34cfe1aa919e0c90dd48ba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Adware.Generic

Vendor detections: 9

SHA256 hash: f95fdca4f8709816b40f99b492f57e383ab60dee9d34cfe1aa919e0c90dd48ba
SHA3-384 hash: dae4fa41823c295f87af5398334583c11812633b04de039a49ac0c17724035a4afd53da6fcfb05292938b0c784678264
SHA1 hash: abafd94c9b5d95329715d2b24e97e6cc37667b8b
MD5 hash: ced829a4149c928233acf1ff0c3cd780
humanhash: table-quiet-uranus-black
File name: Exodus Aim Assist.exe
Signature: Adware.Generic
File size: 1'673'179 bytes
First seen: 2023-05-29 10:49:33 UTC
Last seen: 2023-05-29 11:36:31 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: e569e6f445d32ba23766ad67d1e3787f (258 x Adware.Generic, 41 x RecordBreaker, 24 x RedLineStealer)
ssdeep: 24576:s7FUDowAyrTVE3U5F/oZbVKic6QL3E2vVsjECUAQT45deRV9Rx:sBuZrEUkbVKIy029s4C1eH9H
Threatray: 11 similar samples on MalwareBazaar
TLSH: T12175BF3FF268A13EC56A1B3245738320997BBA61B81A8C1E47FC344DCF765601E3B656
TrID: 50.4% (.EXE) Inno Setup installer (109740/4/30)
      19.7% (.EXE) InstallShield setup (43053/19/16)
      19.1% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
      4.8% (.EXE) Win64 Executable (generic) (10523/12/4)
      2.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE): PE icon
dhash icon: 5050d270cccc82ae (109 x Adware.Generic, 43 x LummaStealer, 42 x OffLoader)
Reporter: pmmkowalczyk1111
Tags: Adware.Generic exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 330
Origin country: PL

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: Exodus Aim Assist.exe
Verdict: No threats detected
Analysis date: 2023-05-29 10:50:16 UTC
Tags: installer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Clean
Maliciousness:

Behaviour
Creating a process from a recently created file
Creating synchronization primitives
Searching for synchronization primitives
Searching for the window
Creating a file in the %temp% subdirectories
Creating a window

Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
MalwareBazaar
CheckNumberOfProcessor
CheckCmdLine
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: installer lolbin overlay packed setupapi.dll shell32.dll

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: n/a
Detection: malicious
Classification: rans.phis.troj.spyw.evad
Score: 60 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Creates an autostart registry key pointing to binary in C:\Windows
Creates files in the system32 config directory
Creates multiple autostart registry keys
Modifies Internet Explorer zone settings
Multi AV Scanner detection for submitted file
NDIS Filter Driver detected (likely used to intercept and sniff network traffic)
Obfuscated command line found
Sample is not signed and drops a device driver
Snort IDS alert for network traffic
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to harvest and steal browser information (history, passwords, etc)
Uses netsh to modify the Windows network and firewall settings
Writes a notice file (html or txt) to demand a ransom
Yara detected Generic Downloader
Behaviour
Behavior Graph: rendered graph image; the node labels recoverable from it are listed below.
Behavior Graph ID: 877415
Sample: Exodus_Aim_Assist.exe
Startdate: 29/05/2023
Architecture: WINDOWS
Score: 60
Process tree (parent -> child):
Exodus_Aim_Assist.exe -> Exodus_Aim_Assist.tmp -> setup.exe -> setup.tmp -> s0.exe -> WebCompanionInstaller.exe
WebCompanionInstaller.exe -> rundll32.exe (-> runonce.exe -> grpconv.exe), WebCompanion.exe, cmd.exe (-> conhost.exe, sc.exe), 7 other processes
Lavasoft.WCAssistant.WinService.exe -> cmd.exe -> netsh.exe, conhost.exe
Also started at the top level: WebCompanion.exe, 2 other processes
Contacted IPs or domains:
rt.webcompanion.com
flow.lavasoft.com (104.17.8.52, 49703, 49705, 80, CLOUDFLARENETUS United States)
acs.lavasoft.com
acscdn.lavasoft.com
ocsp.entrust.net
pricemarket.online (188.114.96.7, 49699, 80, CLOUDFLARENETUS European Union)
bridgecurrent.site (188.114.97.7, 49700, 80, CLOUDFLARENETUS European Union)
webcompanion.com (104.18.211.25, 49701, 80, CLOUDFLARENETUS United States)
wc-update-service.lavasoft.com (64.18.87.81, 49704, 80, MTOCA Canada)
wc-partners.lavasoft.com (64.18.87.82, MTOCA Canada)
192.168.2.1 (unknown unknown)
plus several nodes shown only as "N other IPs or domains"
Dropped files:
C:\Users\user\...xodus_Aim_Assist.tmp (PE32)
C:\Users\user\AppData\...\setup.exe (copy) (PE32)
C:\Users\user\AppData\Local\...\is-2C82C.tmp (PE32)
C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
C:\Users\user\AppData\Local\...\setup.tmp (PE32)
C:\Users\user\AppData\Local\Temp\...\s0.exe (PE32)
C:\Users\user\AppData\Local\Temp\...\idp.dll (PE32)
C:\Users\user\...\WebCompanionInstaller.exe (PE32)
C:\...\WebCompanionInstaller.resources.dll (PE32)
C:\Program Files (x86)\...\WebCompanion.exe (PE32)
C:\...\Lavasoft.adblocker.dll (PE32)
C:\Windows\system32\...\bddci.sys (copy) (PE32+)
C:\Windows\System32\drivers\SET66AF.tmp (PE32+)
plus "2 other files (none is malicious)", "10 other files (none is malicious)" and "203 other files (4 malicious)"
Signatures attached to graph nodes: Obfuscated command line found (Exodus_Aim_Assist.exe, setup.exe); Creates files in the system32 config directory (Lavasoft.WCAssistant.WinService.exe, netsh.exe); Writes a notice file (html or txt) to demand a ransom, Modifies Internet Explorer zone settings, Sample is not signed and drops a device driver, Tries to delay execution (extensive OutputDebugStringW loop) (WebCompanionInstaller.exe); Creates multiple autostart registry keys, Creates an autostart registry key pointing to binary in C:\Windows (rundll32.exe); Tries to harvest and steal browser information (history, passwords, etc) (WebCompanion.exe); Uses netsh to modify the Windows network and firewall settings (cmd.exe); Snort IDS alert for network traffic, Antivirus detection for URL or domain, Antivirus / Scanner detection for submitted sample and 4 other signatures (sample root node).
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2023-05-27 22:54:49 UTC
File Type: PE (Exe)
Extracted files: 11
AV detection: 13 of 37 (35.14%)
Threat level: 5/5

Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Executes dropped EXE
Loads dropped DLL
Unpacked files
SHA256 hash: b0e1401a7ba7b8d1c4564cc88d184ec8299c8603d8f46743b7ffc701f723e855
MD5 hash: 6dff911c505655a28aa9b89548127ab5
SHA1 hash: ea7e30b07ed07d1d6ad64a0c234df99d63e436f0
SHA256 hash: f95fdca4f8709816b40f99b492f57e383ab60dee9d34cfe1aa919e0c90dd48ba
MD5 hash: ced829a4149c928233acf1ff0c3cd780
SHA1 hash: abafd94c9b5d95329715d2b24e97e6cc37667b8b
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments