MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fc0eaa455a3b09a26def63c96b08b5bd855576634a91778fdcef6e3f91099199. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Adware.Generic

Vendor detections: 10


SHA256 hash: fc0eaa455a3b09a26def63c96b08b5bd855576634a91778fdcef6e3f91099199
SHA3-384 hash: 9006cd62a09ea96df902124e808082246d020014276a49d0cbe003970c9b40be67e73a1310299ce4ee3a22ae1f51e0eb
SHA1 hash: 0c94d659dc137875808a5278b14bf126c7aeafae
MD5 hash: 6e1ca265fe403b8a80980d0d0eb48c23
humanhash: sweet-fifteen-undress-west
File name: 6e1ca265fe403b8a80980d0d0eb48c23.exe
Signature Adware.Generic
File size: 1'671'951 bytes
First seen: 2023-12-06 18:02:43 UTC
Last seen: 2023-12-06 19:18:02 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash e569e6f445d32ba23766ad67d1e3787f (260 x Adware.Generic, 41 x RecordBreaker, 24 x RedLineStealer)
ssdeep 24576:s7FUDowAyrTVE3U5F/iRKic6QL3E2vVsjECUAQT45deRV9R1:sBuZrEUYKIy029s4C1eH9H
TLSH T15F75BF3FF268A13EC56A1B3245B38320997BBA51B81A8C1E47FC344DCF765601E3B656
TrID 39.3% (.EXE) Inno Setup installer (107240/4/30)
21.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
15.7% (.EXE) InstallShield setup (43053/19/16)
15.2% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
3.8% (.EXE) Win64 Executable (generic) (10523/12/4)
dhash icon 5050d270cccc82ae (109 x Adware.Generic, 43 x LummaStealer, 42 x OffLoader)
Reporter smica83
Tags: Adware.Generic exe HUN

Intelligence

File Origin
Number of uploads: 2
Number of downloads: 347
Origin country: HU
Vendor Threat Intelligence
Result
Verdict: Clean
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating synchronization primitives
Searching for synchronization primitives
Searching for the window
Sending a custom TCP request
Gathering data
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: control installer lolbin overlay packed setupapi shell32
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious
Result
Threat name: NetSupport RAT, LummaC Stealer
Detection: malicious
Classification: troj.spyw.evad
Score: 86 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
Contains functionality to detect sleep reduction / modifications
Creates an undocumented autostart registry key
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Yara detected Generic Downloader
Yara detected LummaC Stealer
Behaviour
Behavior Graph: rendered process/network graph, not recoverable as text (Behavior Graph ID 1354839, sample iguufjAqnn.exe, start date 06/12/2023, architecture WINDOWS, score 86).
Threat name: Win32.Trojan.OffLoader
Status: Malicious
First seen: 2023-11-26 04:54:00 UTC
File Type: PE (Exe)
Extracted files: 10
AV detection: 15 of 23 (65.22%)
Threat level: 5/5
Verdict: unknown
Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Executes dropped EXE
Loads dropped DLL
Unpacked files
SHA256 hash: 718166d78bdad2140a1d0daac032132f962f64a3085a760104abc0271df362a8
MD5 hash: d8c4ad9fefd8613baa521d9fad2abef5
SHA1 hash: 6534a185ab321bc2330f6fc2617ffa49a91390a7
SHA256 hash: fc0eaa455a3b09a26def63c96b08b5bd855576634a91778fdcef6e3f91099199
MD5 hash: 6e1ca265fe403b8a80980d0d0eb48c23
SHA1 hash: 0c94d659dc137875808a5278b14bf126c7aeafae
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Borland
Author: malware-lu
Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments