MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f9c2cb5ab6a509d281c521042274cc1f0c832d941ffb4307717ff6c7da2b10bf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f9c2cb5ab6a509d281c521042274cc1f0c832d941ffb4307717ff6c7da2b10bf
SHA3-384 hash: cdb949b535e291976299a66657779d8a682c7e9af5d9655044ca59b61e8a65de2b7a5303549ef43c16125ee2271f7f08
SHA1 hash: 7d102c03044d0a8cbcc868995ef41d183f616b18
MD5 hash: a01e5cba42a62547a40881ca34568a64
humanhash: illinois-two-music-idaho
File name:SecuriteInfo.com.Adware.OpenCandy.197.19.16636
Download: download sample
File size:1'018'697 bytes
First seen:2024-02-09 03:21:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'457 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep 24576:HQiGy7bDdC/hWJU68BzimpS8o5kTKxwQoRHnXjT:H9HbDg4N4+WwkwYRHnXjT
Threatray 146 similar samples on MalwareBazaar
TLSH T1812513A2AECAD839D7B25CF499A2C58ED977FE241D754811F6BE182C833DA411F08313
TrID 72.8% (.EXE) Inno Setup installer (107240/4/30)
9.6% (.EXE) Win32 Executable Delphi generic (14182/79/4)
8.9% (.SCR) Windows screen saver (13097/50/3)
3.0% (.EXE) Win32 Executable (generic) (4504/4/1)
1.4% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon ec64cececec6cecf
Reporter SecuriteInfoCom
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
328
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/475524/
Detection(s):
SecuriteInfo.com.Adware.OpenCandy.197.19.16636.UNOFFICIAL
Create hunting rule

Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
fingerprint installer lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/65c5b7998578def540714907/reports/57b7ede5-501c-4c87-b8fd-5984fa6ce861/overview
Verdict:
Malicious
Labled as:
Win/grayware_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/f9c2cb5ab6a509d281c521042274cc1f0c832d941ffb4307717ff6c7da2b10bf
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/c2d4d3f7-ca36-4d72-9275-d8a284312cf4
Result
Threat name:
n/a
Detection:
suspicious
Classification:
troj.evad
Score:
38 / 100
Link:
https://www.joesandbox.com/analysis/1389553
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1389553 Sample: SecuriteInfo.com.Adware.Ope... Startdate: 09/02/2024 Architecture: WINDOWS Score: 38 45 www.pxc-coding.com 2->45 47 pxc-coding.com 2->47 49 3 other IPs or domains 2->49 61 Antivirus detection for URL or domain 2->61 63 Antivirus detection for dropped file 2->63 65 Multi AV Scanner detection for dropped file 2->65 67 2 other signatures 2->67 10 SecuriteInfo.com.Adware.OpenCandy.197.19.16636.exe 2 2->10         started        signatures3 process4 file5 31 SecuriteInfo.com.A...dy.197.19.16636.tmp, PE32 10->31 dropped 13 SecuriteInfo.com.Adware.OpenCandy.197.19.16636.tmp 26 24 10->13         started        process6 file7 33 C:\Users\user\AppData\...\OCSetupHlp.dll, PE32 13->33 dropped 35 C:\...\unins000.exe (copy), PE32 13->35 dropped 37 C:\Program Files (x86)\...\is-JAONB.tmp, PE32 13->37 dropped 39 6 other files (2 malicious) 13->39 dropped 16 DoNotSpy10.exe 24 15 13->16         started        19 rundll32.exe 1 13->19         started        process8 dnsIp9 41 www.pxc-coding.com 104.21.36.59, 443, 49716, 49717 CLOUDFLARENETUS United States 16->41 43 dl1.pxc-coding.com 172.67.186.99, 443, 49727, 49728 CLOUDFLARENETUS United States 16->43 21 chrome.exe 9 16->21         started        process10 dnsIp11 51 192.168.2.5, 443, 49703, 49705 unknown unknown 21->51 53 239.255.255.250 unknown Reserved 21->53 24 chrome.exe 21->24         started        27 chrome.exe 21->27         started        29 chrome.exe 6 21->29         started        process12 dnsIp13 55 142.250.9.106 GOOGLEUS United States 24->55 57 142.251.15.119, 443, 49801, 49809 GOOGLEUS United States 24->57 59 29 other IPs or domains 24->59
Score:
85%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f9c2cb5ab6a509d281c521042274cc1f0c832d941ffb4307717ff6c7da2b10bf
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f9c2cb5ab6a509d281c521042274cc1f0c832d941ffb4307717ff6c7da2b10bf/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2015-09-11 00:44:32 UTC
File Type:
PE (Exe)
Extracted files:
52
AV detection:
15 of 38 (39.47%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7hbmwwvwuue5faofeecce5gmd4giglmud75ugb3rp73mpwrlcc7q._file
Verdict:
unknown
Similar samples:
04b635cd65aa68c51fd4ad0a94d3f42cbd4485dd535e4c8c50166fd2addc7bef
080b7ef0046b6b9f7b805dc02b796f0bb1a24de16c08af48bd3753324eb3426f
273f433ba1cebfad830e52490a04ca744351fc46249285ff9514c6e1ceaaf99d
5207ea6aeebe970e459b0d5eb6119aa10cb940cdd962dcb3ebe2b04d23849eec
6bc44ffdf5fb9a208f27e836635852620368c30c5320163f3fcde1f9931091e7
84329c07da6678fd70b963db307487890874ec611c6a360227d2c0f8d3121344
b07be8360dd11e81f6830ae467bec71cb6058523b35947a399b7abdba985c9b5
cb56bffb224d9bcff0753d58995c25f6f944bcb075560019cd87283e3b443aa3
f9c2cb5ab6a509d281c521042274cc1f0c832d941ffb4307717ff6c7da2b10bf
+ 136 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/240209-dwxt9agg57/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
156de31ea3db92689986ca5d62d1cfe51b6d3b52b508feff91c477c30a6ad9d4
MD5 hash:
7526bda0ef3471eaa720cb46bdd51c59
SHA1 hash:
970f73a8e2895718737b38b9bd20bc8fa8899365
Link:
https://www.unpac.me/results/66c00e08-56f2-4dcf-b453-726668ec8d50/
SH256 hash:
15e7929b02fa211cf4251a5feea5c79f672a1ac5a1b425a6cf101be236c043cf
MD5 hash:
4cbbdf20eba38b46f597ee8382f37060
SHA1 hash:
8f2707794b1340e95ac603de82ebbc8a72207fda
Link:
https://www.unpac.me/results/66c00e08-56f2-4dcf-b453-726668ec8d50/
SH256 hash:
48964583f5f1d480046b3423eec49f8dccb5918bcf23f126529b7ff9a777378e
MD5 hash:
9112e5a41b51e21ee618e09d4d87aa82
SHA1 hash:
4c32a1dbc1a5d29e27c1504f35f0411ec5d200ca
Detections:
INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
Create hunting rule
Link:
https://www.unpac.me/results/66c00e08-56f2-4dcf-b453-726668ec8d50/
SH256 hash:
44b8e6a310564338968158a1ed88c8535dece20acb06c5e22d87953c261dfed0
MD5 hash:
9c8886759e736d3f27674e0fff63d40a
SHA1 hash:
ceff6a7b106c3262d9e8496d2ab319821b100541
Link:
https://www.unpac.me/results/66c00e08-56f2-4dcf-b453-726668ec8d50/
SH256 hash:
388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95
MD5 hash:
e4211d6d009757c078a9fac7ff4f03d4
SHA1 hash:
019cd56ba687d39d12d4b13991c9a42ea6ba03da
Link:
https://www.unpac.me/results/66c00e08-56f2-4dcf-b453-726668ec8d50/
SH256 hash:
cc6531d89878c2614389cec8fc7ca1d3c1e1f7d709bf5d199c2aaeb6088fc259
MD5 hash:
c83f3e788b753ba78df62daaf87aec25
SHA1 hash:
2ecda44c894d7327aba5e01260236fdddae9ed8a
Link:
https://www.unpac.me/results/66c00e08-56f2-4dcf-b453-726668ec8d50/
SH256 hash:
f9c2cb5ab6a509d281c521042274cc1f0c832d941ffb4307717ff6c7da2b10bf
MD5 hash:
a01e5cba42a62547a40881ca34568a64
SHA1 hash:
7d102c03044d0a8cbcc868995ef41d183f616b18
Link:
https://www.unpac.me/results/66c00e08-56f2-4dcf-b453-726668ec8d50/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f9c2cb5ab6a509d281c521042274cc1f0c832d941ffb4307717ff6c7da2b10bf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/475524/

Comments