MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fb95ac6e639e2e70bccf34921bd0ab868dc1abb8917ed56b28b73e02e2c96fe1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat: unknown


Vendor detections: 5



SHA256 hash: fb95ac6e639e2e70bccf34921bd0ab868dc1abb8917ed56b28b73e02e2c96fe1
SHA3-384 hash: f035ef8f5c56a936bf225484c92d117692e5429c449f95dbaa9829492571c7a09c22f458b23de98d2f17f81bf5e18e30
SHA1 hash: 1d03a0d37d9be7ce703d034abea3e754e6ebc4b2
MD5 hash: 43ca1ea4a10e992c4c48085b8e8bc69b
humanhash: avocado-diet-autumn-apart
File name: SecuriteInfo.com.Program.Unwanted.1364.7514.2623
File size: 44'515'280 bytes
First seen: 2024-02-02 11:26:48 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 4e96b11dc774bb826232ae325fb1370a
ssdeep: 786432:/gNsw3znhr1JaOo2FsVPPt8aEWJbxteXi0DwMdubhPTS9:/isyznhrc2Fslt8aXdQS0sP7S
TLSH: T167A7230B66F5412DE1B2C671ACBFCE6159657C6F5A36818BB280EE081DF0781B923737
TrID:
  68.8% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
  12.5% (.EXE) Win64 Executable (generic) (10523/12/4)
  6.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
  5.3% (.EXE) Win32 Executable (generic) (4505/5/1)
  2.4% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon: d0cc197171190c40
Reporter: SecuriteInfoCom
Tags: exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 362
Origin country: FR
Vendor Threat Intelligence
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: CAB disk evasive explorer fingerprint hook installer keylogger lolbin masquerade overlay packed rat setupapi shell32
Result
Verdict: MALICIOUS
Result
Threat name: n/a
Detection: suspicious
Classification: rans.evad
Score: 34 / 100
Signature
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to detect sleep reduction / modifications
Creates an undocumented autostart registry key
Drops executables to the windows directory (C:\Windows) and starts them
PE file has a writeable .text section
Sigma detected: Potential Persistence Via COM Hijacking From Suspicious Locations
Writes many files with high entropy
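The signature "PE file has a writeable .text section" above is one you can reproduce from the section table alone, without a sandbox: a section flagged as code that also carries IMAGE_SCN_MEM_WRITE is a W^X violation and is typical of packers and self-modifying loaders. The Python script below is an added example, not MalwareBazaar or Joe Sandbox code. It walks the DOS stub, COFF header and section headers of a PE file with nothing but struct, and reports every section that is code/executable and writable. The build_test_pe helper is an assumption of the example: it constructs a header-only PE32 skeleton so the check runs offline; to test a real sample, pass its path on the command line.

```python
import struct
import sys

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# IMAGE_SECTION_HEADER (40 bytes): Name[8], VirtualSize, VirtualAddress,
# SizeOfRawData, PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics.
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")


def pe_sections(data: bytes):
    """Yield (name, characteristics) for each section header of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    num_sections, size_of_optional = struct.unpack_from("<2xH12xH2x", data, coff)
    first_section = coff + 20 + size_of_optional
    for i in range(num_sections):
        fields = SECTION_HEADER.unpack_from(data, first_section + i * SECTION_HEADER.size)
        name = fields[0].rstrip(b"\0").decode("ascii", "replace")
        yield name, fields[9]


def writable_code_sections(data: bytes) -> list:
    """Names of sections that are code/executable and also writable (W^X violation)."""
    hits = []
    for name, chars in pe_sections(data):
        is_code = chars & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE)
        if is_code and chars & IMAGE_SCN_MEM_WRITE:
            hits.append(name)
    return hits


def build_test_pe(text_characteristics: int) -> bytes:
    """Constructed header-only PE32 skeleton (no code) used to exercise the check offline."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    size_of_optional = 0xE0  # standard PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, size_of_optional, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\0" * (size_of_optional - 2)

    def section(name: str, chars: int) -> bytes:
        return SECTION_HEADER.pack(name.encode().ljust(8, b"\0"),
                                   0x1000, 0x1000, 0x200, 0x400, 0, 0, 0, 0, chars)

    data_chars = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
    return (bytes(dos) + b"PE\0\0" + coff + optional
            + section(".text", text_characteristics)
            + section(".data", data_chars))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(writable_code_sections(fh.read()))
    else:
        rwx = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
        print(writable_code_sections(build_test_pe(rwx)))
```

A writable code section is not proof of malice on its own; some legitimate protectors and older compilers emit one. It is a cheap triage signal to pair with the high-entropy write and anti-sandbox signatures listed above.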
Behaviour
Behavior Graph (graph ID 1385548; sample SecuriteInfo.com.Program.Un..., start date 02/02/2024, architecture WINDOWS, score 34). The graph image did not survive extraction; the process tree, dropped files and network contacts it carried are listed below, with the node numbers from the graph in brackets.

[2] start
  network: webinstaller.avanquest.com, tools.avanquest.com, 3 other IPs or domains
  signatures: PE file has a writeable .text section; Writes many files with high entropy; Sigma detected: Potential Persistence Via COM Hijacking From Suspicious Locations
  starts: [10] SecuriteInfo.com.Program.Unwanted.1364.7514.2623.exe, [14] msiexec.exe, [16] svchost.exe, [19] 6 other processes

[10] SecuriteInfo.com.Program.Unwanted.1364.7514.2623.exe (graph counters: 5, 128)
  drops: C:\Users\user\AppData\Local\...\setup.exe (PE32); C:\Users\user\AppData\Local\...\ISAdmin.exe (PE32); C:\Users\user\AppData\Local\...120ewUI.dll (PE32, file name garbled in the export); 20 other files (19 malicious)
  signatures: Writes many files with high entropy; Contains functionality to compare user and computer (likely to detect sandboxes); Contains functionality to detect sleep reduction / modifications
  starts: [21] ISAdmin.exe

[14] msiexec.exe
  drops: C:\Users\user\...\InstallAX_11_9_900_117.exe (PE32); C:\Windows\SysWOW64\vcomp110.dll (PE32); C:\Windows\SysWOW64\vccorlib110.dll (PE32); 4 other files (none malicious)
  starts: [26] InstallAX_11_9_900_117.exe, [28] msiexec.exe

[16] svchost.exe
  network: 127.0.0.1 (loopback)

[19] 6 other processes
  starts: [30] conhost.exe

[21] ISAdmin.exe (graph counters: 102, 520)
  network: tools.avanquest.com 37.59.71.204 (ports 49731, 80; OVHFR, France); ftp6.avanquest.com 51.79.103.210 (ports 49732, 49736, 80; OVHFR, Canada)
  drops: C:\Users\user\AppData\...\shfolder.dll (copy) (PE32); C:\Users\user\AppData\Local\...\shf4DA2.tmp (PE32); C:\Users\user\AppData\...\isrt.dll (copy) (PE32); 453 other files (441 malicious)
  signatures: Writes many files with high entropy
  starts: [32] Avanquest_Message_2.exe, [35] vcredist_x86.exe, [37] vcredist_x86.exe, [46] 7 other processes

[26] InstallAX_11_9_900_117.exe
  drops: C:\...\FlashUtil32_11_9_900_117_ActiveX.exe (PE32); C:\...\FlashUtil32_11_9_900_117_ActiveX.dll (PE32); C:\Windows\...\FlashPlayerUpdateService.exe (PE32); 4 other malicious files
  signatures: Creates an undocumented autostart registry key; Drops executables to the windows directory (C:\Windows) and starts them
  starts: [39] InstallFlashPlayer.exe, [42] FlashPlayerUpdateService.exe, [44] cmd.exe

[32] Avanquest_Message_2.exe
  drops: C:\Users\user\AppData\Local\...\Setup.exe (PE32); C:\Users\user\AppData\Local\...\French.lng (PE32); C:\Users\user\AppData\Local\...\FCWC9CA.001 (Microsoft); C:\Users\user\AppData\Local\Temp\...\Data.cab (Microsoft)
  starts: [48] Setup.exe

[35] vcredist_x86.exe
  drops: C:\ProgramData\...\vcredist_x86.exe (PE32)
  starts: [51] vcredist_x86.exe

[37] vcredist_x86.exe
  starts: [53] vcredist_x86.exe

[39] InstallFlashPlayer.exe
  drops: C:\...\FlashUtil64_11_9_900_117_ActiveX.exe (PE32+); C:\...\FlashUtil64_11_9_900_117_ActiveX.dll (PE32+); C:\Windows\...\Flash64_11_9_900_117.ocx (PE32+); 2 other malicious files
  signatures: Creates an undocumented autostart registry key
  starts: [55] cmd.exe

[42] FlashPlayerUpdateService.exe
  starts: [57] conhost.exe

[44] cmd.exe
  starts: [59] conhost.exe

[48] Setup.exe
  drops: C:\Users\user\AppData\Roaming\...\Setup.exe (PE32, listed twice in the graph); C:\Users\user\AppData\Local\...\IAMCu.dll (PE32); C:\Users\user\AppData\Local\...\AQNotif.exe (PE32)
  starts: [61] AQNotif.exe

[51] vcredist_x86.exe
  drops: C:\Users\user\AppData\...\vcredist_x86.exe (PE32); C:\Users\user\AppData\Local\...\wixstdba.dll (PE32)

[53] vcredist_x86.exe
  drops: C:\Users\user\AppData\...\vcredist_x86.exe (PE32); C:\Users\user\AppData\Local\...\wixstdba.dll (PE32)

[55] cmd.exe
  starts: [64] conhost.exe

[61] AQNotif.exe
  network: dhcppd6c99x6i.cloudfront.net 54.230.253.41 (ports 49737, 49738, 49739; AMAZON-02, United States)
Verdict: unknown
Result
Malware family: n/a
Score: 4/10
Tags: discovery persistence
Behaviour
Modifies registry class
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Registers COM server for autorun
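Both sandboxes flag COM-server registration as a persistence mechanism ("Registers COM server for autorun" here, "Sigma detected: Potential Persistence Via COM Hijacking From Suspicious Locations" in the Joe Sandbox block). The logic behind that Sigma rule is simple enough to rerun over the registry telemetry you already collect. The Python script below is an added example, not the page's code and not the Sigma project's rule. It reads Sysmon Event ID 13 (RegistryEvent, value set) records as JSON lines, keeps only writes to the default value of a CLSID's InprocServer32 or LocalServer32 key, and alerts when the registered server binary lives in a user-writable directory, which is what distinguishes a hijack or bundled-installer persistence from an ordinary system-wide COM registration. The event records, the CLSIDs, the full paths and the list of suspicious directories are constructed for this example; the directory list approximates, and does not copy, the published rule.

```python
import json
import re

# Matches a Sysmon EID 13 TargetObject that sets the default value of a COM
# server key, e.g. HKU\S-1-5-21-...\Software\Classes\CLSID\{...}\InprocServer32\(Default)
COM_SERVER_RE = re.compile(
    r"\\CLSID\\(?P<clsid>\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\})"
    r"\\(?P<kind>InprocServer32|LocalServer32)\\\(Default\)$",
    re.IGNORECASE,
)

# Directories an unprivileged user can write to. This list is an assumption of
# the example; it approximates the Sigma rule's location list rather than copying it.
SUSPICIOUS_DIRS = (
    "\\appdata\\local\\", "\\appdata\\roaming\\", "\\temp\\",
    "\\users\\public\\", "\\downloads\\", "\\desktop\\", "\\programdata\\",
)


def server_path(details: str) -> str:
    """Extract the binary path from a (Default) value such as '"C:\\x\\y.exe" /arg'."""
    d = details.strip()
    if d.startswith('"'):
        end = d.find('"', 1)
        return d[1:end] if end > 0 else d[1:]
    return d.split(" ", 1)[0]   # unquoted paths with spaces are truncated here


def is_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in SUSPICIOUS_DIRS)


def detect_com_hijacks(log_lines):
    """Return one alert dict per COM server registered from a user-writable path."""
    alerts = []
    for line in log_lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 13:          # only RegistryEvent (Value Set)
            continue
        target = ev.get("TargetObject", "")
        m = COM_SERVER_RE.search(target)
        if not m:
            continue
        path = server_path(ev.get("Details", ""))
        if is_user_writable(path):
            alerts.append({
                "hive": target.split("\\", 1)[0],   # HKLM vs HKU tells you the scope
                "clsid": m.group("clsid").upper(),
                "server": m.group("kind"),
                "path": path,
                "image": ev.get("Image", ""),
            })
    return alerts


# Constructed Sysmon events (JSON lines), not telemetry from the sandbox run above.
# CLSIDs are made up; file names echo the dropped files listed on this page.
SAMPLE_EVENTS = r"""
{"EventID": 13, "Image": "C:\\Windows\\SysWOW64\\Macromed\\Flash\\InstallFlashPlayer.exe", "TargetObject": "HKLM\\SOFTWARE\\Classes\\CLSID\\{11111111-2222-3333-4444-555555555555}\\InprocServer32\\(Default)", "Details": "C:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash64_11_9_900_117.ocx"}
{"EventID": 13, "Image": "C:\\Users\\user\\AppData\\Local\\Temp\\Setup.exe", "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Classes\\CLSID\\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\\InprocServer32\\(Default)", "Details": "\"C:\\Users\\user\\AppData\\Local\\Temp\\IAMCu.dll\""}
{"EventID": 13, "Image": "C:\\Users\\user\\AppData\\Local\\Temp\\Setup.exe", "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\AQNotif", "Details": "C:\\Users\\user\\AppData\\Local\\Temp\\AQNotif.exe"}
{"EventID": 1, "Image": "C:\\Users\\user\\AppData\\Local\\Temp\\AQNotif.exe", "CommandLine": "AQNotif.exe"}
"""

if __name__ == "__main__":
    for a in detect_com_hijacks(SAMPLE_EVENTS.splitlines()):
        print(f"{a['hive']} {a['clsid']} {a['server']} -> {a['path']} (set by {a['image']})")
```

The first event, a system-wide registration under HKLM pointing into C:\Windows, is deliberately left alone: that is what a real ActiveX installer does, and alerting on it would bury the signal. The second event, a per-user CLSID under HKU whose server DLL sits in AppData\Local\Temp, is the pattern the Sigma rule targets, because a user-hive CLSID shadows the machine-wide one for that user and the DLL is loaded by whatever host process next instantiates the object.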

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: NET
Author: malware-lu

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits

Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques
