MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fc39e6cb0ae28dcd647eedbb041a5c9aa295b2db883232960ef0a48d86e93856. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 9

SHA256 hash: fc39e6cb0ae28dcd647eedbb041a5c9aa295b2db883232960ef0a48d86e93856
SHA3-384 hash: a960c9550eaa19eb3486116881f238dfca8b83a5f03af5252ea91e0c17a7f8fa34d8aa636542a71a5e95d6cbb9449560
SHA1 hash: 189ed55b5e1bef3f1f2fde5c092f70dc6779a3f6
MD5 hash: b8b966db021d7b8aaee6965b3dba4a28
humanhash: equal-mountain-equal-summer
File name: SecuriteInfo.com.W64.Bulz.AY.gen.Eldorado.23576.26484
File size: 5'279'480 bytes
First seen: 2024-02-01 04:24:26 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f0ea7b7844bbc5bfa9bb32efdcea957c (65 x Sliver, 17 x CobaltStrike, 14 x Vidar)
ssdeep: 49152:jA/ljznTzE1IxDcrb/T8vO90d7HjmAFd4A64nsfJg5iz81LMyGBK1wVVE3+Yezze:4TzE1IxJu48Vi2zVSzEg+eRp
Threatray: 6 similar samples on MalwareBazaar
TLSH: T118363B47F85551E8C1AED234CA259263BA707C891B3023D36BA0F7B82B73BD46E79354
TrID: 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
      23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
      9.3% (.EXE) OS/2 Executable (generic) (2029/13)
      9.2% (.EXE) Generic Win/DOS Executable (2002/3)
      9.2% (.EXE) DOS Executable Generic (2000/1)
dhash icon: f08e61b3b2b2cc71 (10 x Adware.Generic, 1 x frp)
Reporter: SecuriteInfoCom
Tags: exe

Intelligence

File Origin
# of uploads: 1
# of downloads: 289
Origin country: FR
Vendor Threat Intelligence
Verdict: Malicious
Threat level: 10/10
Confidence: 91%
Tags: golang lolbin overlay packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: n/a
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signatures:
Creates files in the system32 config directory
Disables security and backup related services
Early bird code injection technique detected
Enables network access during safeboot for specific services
Enables remote desktop connection
Modifies the windows firewall
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Uses netsh to modify the Windows network and firewall settings
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Behaviour
Behavior Graph: Graph ID 1384497 for sample SecuriteInfo.com.W64.Bulz.A..., start date 01/02/2024, architecture WINDOWS, score 100. The rendered graph is not reproducible in text; its nodes record the sample starting tacticalrmm.exe, MeshAgent.exe and tacticalagent-v2.6.1-windows-amd64.exe, dropping files under C:\ProgramData\TacticalRMM and C:\Program Files (including meshagent.exe and tacticalrmm.exe), spawning cmd.exe, netsh.exe, net.exe, net1.exe and PING.EXE, and contacting github.com, objects.githubusercontent.com, icanhazip.tacticalrmm.io and mesh.bithumb.ceo. Signatures attached to the graph nodes are the ones listed above (early bird code injection, remote desktop enabled, firewall modified via netsh, ping.exe used to sleep, security and backup services disabled).
Threat name: Win32.Trojan.Generic
Status: Malicious
First seen: 2024-02-01 04:10:17 UTC
File Type: PE+ (Exe)
Extracted files: 11
AV detection: 5 of 24 (20.83%)
Threat level: 2/5
Result
Malware family: n/a
Score: 8/10
Tags: discovery evasion persistence
Behaviour:
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies system certificate store
Runs net.exe
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
Modifies Windows Firewall
Sets service image path in registry
Stops running service(s)
Unpacked files
SHA256 hash: fc39e6cb0ae28dcd647eedbb041a5c9aa295b2db883232960ef0a48d86e93856
MD5 hash: b8b966db021d7b8aaee6965b3dba4a28
SHA1 hash: 189ed55b5e1bef3f1f2fde5c092f70dc6779a3f6
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: command_and_control
Author: CD_R0M_
Description: This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: GoBinTest
Rule name: golang
Rule name: Golangmalware
Author: Dhanunjaya
Description: Malware in Golang
Rule name: golang_binary_string
Description: Golang strings present
Rule name: golang_duffcopy_amd64
Rule name: HiveRansomware
Author: Dhanunjaya
Description: Yara Rule To Detect Hive V4 Ransomware
Rule name: identity_golang
Author: Eric Yocam
Description: find Golang malware
Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants
Rule name: PE_Digital_Certificate
Author: albertzsigovits
Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits
Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants
Rule name: SEH__vectored
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants
Rule name: SHA512_Constants
Author: phoul (@phoul)
Description: Look for SHA384/SHA512 constants
Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.