MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fd666a1b146ce9fcbf06035ba68eeda23c76e81fd6c532b9dd84c7132fca776d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NovaSentinel


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fd666a1b146ce9fcbf06035ba68eeda23c76e81fd6c532b9dd84c7132fca776d
SHA3-384 hash: c9f9c382753464ccf61724a65f88d17f05499625a4678b809c2654519b3bd526a9b537af8ed3cf20ff36b382674cbb2d
SHA1 hash: 5fb139e729f8b36be99ecac7e374e41f01fc6ef2
MD5 hash: f31948e0367b673f931f128e540609e4
humanhash: may-massachusetts-charlie-king
File name:Mauqes.exe
Download: download sample
Signature NovaSentinel
Create hunting rule
File size:85'404'275 bytes
First seen:2024-03-29 19:17:14 UTC
Last seen:2024-03-29 21:24:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b34f154ec913d2d2c435cbd644e91687 (533 x GuLoader, 110 x RemcosRAT, 80 x EpsilonStealer)
ssdeep 1572864:2/WHHr96Lz5vaIa/wCqIm8ICKMbbtKUouI5AX6xI10rP/c7RpzBVD2QqZmofN7:2/8L96p/a/nqI/KMUUKi0I10rPaPtVyp
TLSH T1AB183384C38C2915C94D4B71E39E3DC2EF55131714181BB12D9B2E2AACD9EBF4EA99C3
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter e24111111111111
Tags:exe gamerforyou.com NovaSentinel www.gamerforyou.com


Avatar
e24111111154168
NovaSentinel C2: hawkish.fr

Intelligence

File Origin
# of uploads :
2
# of downloads :
415
Origin country :
GR GR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
fd666a1b146ce9fcbf06035ba68eeda23c76e81fd6c532b9dd84c7132fca776d.exe
Verdict:
Malicious activity
Analysis date:
2024-03-29 19:19:12 UTC
Tags:
waspstealer stealer evasion generic
Link:
https://app.any.run/tasks/a2977d4c-408a-4787-aac9-46238786b0e2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Searching for the window
Сreating synchronization primitives
Creating a process from a recently created file
Creating a window
Creating a file
Running batch commands
Creating a process with a hidden window
Launching a process
Searching for synchronization primitives
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
DNS request
Connection attempt
Sending a custom TCP request
Launching many processes
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
installer lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/660713f0ec04992a87d2ac15/reports/f80ba561-7421-4efc-aecf-ab9b283b8e8e/overview
Verdict:
Suspicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/fd666a1b146ce9fcbf06035ba68eeda23c76e81fd6c532b9dd84c7132fca776d
Result
Verdict:
MALICIOUS
Result
Threat name:
NovaSentinel
Create hunting rule
Detection:
malicious
Classification:
troj.adwa
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1417621
Signature
Antivirus detection for URL or domain
Drops large PE files
Drops PE files to the startup folder
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Potential malicious VBS script found (has network functionality)
Potential malicious VBS script found (suspicious strings)
Yara detected NovaSentinel
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1417621 Sample: Mauqes.exe Startdate: 29/03/2024 Architecture: WINDOWS Score: 88 71 www.google.com 2->71 73 www.facebook.com 2->73 75 9 other IPs or domains 2->75 91 Multi AV Scanner detection for domain / URL 2->91 93 Antivirus detection for URL or domain 2->93 95 Multi AV Scanner detection for dropped file 2->95 97 Yara detected NovaSentinel 2->97 10 Mauqes.exe 179 2->10         started        signatures3 process4 file5 55 C:\Users\user\AppData\Local\...\vulkan-1.dll, PE32+ 10->55 dropped 57 C:\Users\user\AppData\...\vk_swiftshader.dll, PE32+ 10->57 dropped 59 C:\Users\user\AppData\Local\...\libGLESv2.dll, PE32+ 10->59 dropped 61 10 other files (5 malicious) 10->61 dropped 99 Drops large PE files 10->99 14 kaanxan7.exe 5 10->14         started        signatures6 process7 dnsIp8 77 api.gofile.io 51.178.66.33, 443, 49729 OVHFR France 14->77 79 51.38.43.18, 443, 49744 OVHFR France 14->79 81 9 other IPs or domains 14->81 63 C:\Users\user\AppData\...\kaanxan7.exe, PE32+ 14->63 dropped 65 C:\Users\user\AppData\...\kaanxan7.exe, PE32+ 14->65 dropped 67 C:\Users\user\AppData\...\kaanxan7.exe, PE32+ 14->67 dropped 69 2 other files (1 malicious) 14->69 dropped 83 Potential malicious VBS script found (suspicious strings) 14->83 85 Potential malicious VBS script found (has network functionality) 14->85 87 Drops PE files to the startup folder 14->87 89 Drops large PE files 14->89 19 cmd.exe 14->19         started        21 cmd.exe 14->21         started        23 cmd.exe 1 14->23         started        25 102 other processes 14->25 file9 signatures10 process11 process12 41 3 other processes 19->41 27 tasklist.exe 21->27         started        29 conhost.exe 21->29         started        31 WMIC.exe 1 23->31         started        33 conhost.exe 23->33         started        35 conhost.exe 25->35         started        37 conhost.exe 25->37         started        39 conhost.exe 25->39         started        43 122 other processes 25->43 process13 45 Conhost.exe 27->45         started        47 Conhost.exe 35->47         started        49 Conhost.exe 37->49         started        51 Conhost.exe 39->51         started        53 Conhost.exe 43->53         started       
Score:
77%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/fd666a1b146ce9fcbf06035ba68eeda23c76e81fd6c532b9dd84c7132fca776d
Gathering data
Threat name:
Win32.Malware.Malicord
Create hunting rule
Status:
Malicious
First seen:
2024-03-29 19:18:17 UTC
File Type:
PE (Exe)
Extracted files:
216
AV detection:
3 of 38 (7.89%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7vtgugyuntu7zpygann2ndxnui6hn2a723ctfoo5qtdrgl6ko5wq._file
Verdict:
unknown
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence spyware stealer
Link:
https://tria.ge/reports/240329-xzy19sfg9t/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Detects videocard installed
Enumerates processes with tasklist
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
Enumerates physical storage devices
Drops autorun.inf file
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/fd666a1b146c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

NovaSentinel

rar 58798e9d38739365875c8ec7b8cba0ef003e033b6d6026212adb8856997c0cdf

NovaSentinel

Executable exe fd666a1b146ce9fcbf06035ba68eeda23c76e81fd6c532b9dd84c7132fca776d

(this sample)

  
Dropped by
SHA256 58798e9d38739365875c8ec7b8cba0ef003e033b6d6026212adb8856997c0cdf
  
Dropped by
MD5 590ea72f6e199562ede5c47e283e8696

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::SetFileSecurityW
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExW
SHELL32.dll::SHFileOperationW
SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetDiskFreeSpaceW
KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileExW
KERNEL32.dll::MoveFileW
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegDeleteKeyW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuW
USER32.dll::EmptyClipboard
USER32.dll::FindWindowExW
USER32.dll::OpenClipboard
USER32.dll::PeekMessageW
USER32.dll::CreateWindowExW

Comments