MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1ded564af3fcfae6bb44f6e744b31d7b42266178505044fb4111ef01212d54cd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RecordBreaker


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1ded564af3fcfae6bb44f6e744b31d7b42266178505044fb4111ef01212d54cd
SHA3-384 hash: f533678d4f021f0219eacab571968898d2233582a45d49ed80dbe82be3c23562cd94fc7af5f5608ddaf599e038e1e4f3
SHA1 hash: ba059daca5a414f9c6b0f978c9aea8f2ec631a84
MD5 hash: b8e50c50e6c44ee5f7153b1b4bb9cda5
humanhash: zulu-magazine-seven-comet
File name:Bkskvlcgkuvhyq.exe
Download: download sample
Signature RecordBreaker
Create hunting rule
File size:835'584 bytes
First seen:2023-04-05 18:10:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7a1f03aec8b2c813fb23d7a97335ae88 (2 x Formbook, 2 x RecordBreaker)
ssdeep 12288:AkqyglaEq3vgPIzZpurCqayn2zetLP+L2/WXwCuiklvLFB7u/GFI3dSq0j:AkCAYIzZpurCqaZ8/EwC/kFJgdS/j
Threatray 2'620 similar samples on MalwareBazaar
TLSH T1DF05AE33F2F60833E073197E5D2B5B9D982ABD1028B8ED053AE4E84D9F362917D25257
TrID 68.5% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
27.0% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
1.4% (.EXE) Win32 Executable Delphi generic (14182/79/4)
1.3% (.SCR) Windows screen saver (13097/50/3)
0.4% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 64d484a2a4a4a0cc (2 x Formbook, 2 x RecordBreaker, 1 x DBatLoader)
Reporter TeamDreier
Tags:exe recordbreaker

Intelligence

File Origin
# of uploads :
1
# of downloads :
269
Origin country :
DK DK
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Bkskvlcgkuvhyq.exe
Verdict:
No threats detected
Analysis date:
2023-04-05 18:15:46 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1a9fc0a6-3522-4127-8fe2-a02014bc2d5a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/380406/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader45.52306.11217.15026.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Creating a process with a hidden window
Searching for synchronization primitives
Reading critical registry keys
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/76694/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
dealply keylogger overlay zusy
Link:
https://www.filescan.io/uploads/642db9bd2f938d3b4e06147b/reports/fbd7011f-4cca-411c-95a5-3159d9f3ecc9/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/1ded564af3fcfae6bb44f6e744b31d7b42266178505044fb4111ef01212d54cd
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/51099152-e2c1-4b84-b31c-6402fc1163ce
Result
Threat name:
DBatLoader, FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1209208
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses netstat to query active network connections and open ports
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 842130 Sample: Bkskvlcgkuvhyq.exe Startdate: 05/04/2023 Architecture: WINDOWS Score: 100 36 www.bodypopsshop.com 2->36 50 Multi AV Scanner detection for domain / URL 2->50 52 Malicious sample detected (through community Yara rule) 2->52 54 Antivirus detection for URL or domain 2->54 56 5 other signatures 2->56 10 Bkskvlcgkuvhyq.exe 1 18 2->10         started        signatures3 process4 dnsIp5 44 web.fe.1drv.com 10->44 46 r7cgvq.ph.files.1drv.com 10->46 48 2 other IPs or domains 10->48 32 C:\Users\Public\Libraries\Bkskvlcg.exe, PE32 10->32 dropped 34 C:\Users\...\Bkskvlcg.exe:Zone.Identifier, ASCII 10->34 dropped 74 Writes to foreign memory regions 10->74 76 Allocates memory in foreign processes 10->76 78 Creates a thread in another existing process (thread injection) 10->78 80 Injects a PE file into a foreign processes 10->80 15 colorcpl.exe 2 10->15         started        file6 signatures7 process8 signatures9 88 Modifies the context of a thread in another process (thread injection) 15->88 90 Maps a DLL or memory area into another process 15->90 92 Sample uses process hollowing technique 15->92 94 Queues an APC in another process (thread injection) 15->94 18 explorer.exe 13 9 15->18 injected process10 dnsIp11 38 www.78669vip.com 202.8.123.25, 49719, 49720, 49721 SKHT-ASShenzhenKatherineHengTechnologyInformationCo China 18->38 40 www.christmatoy.com 79.98.25.1, 49716, 49717, 49718 RACKRAYUABRakrejusLT Lithuania 18->40 42 5 other IPs or domains 18->42 58 System process connects to network (likely due to code injection or exploit) 18->58 60 Uses netstat to query active network connections and open ports 18->60 22 Bkskvlcg.exe 18->22         started        25 WWAHost.exe 13 18->25         started        27 NETSTAT.EXE 18->27         started        signatures12 process13 signatures14 62 Multi AV Scanner detection for dropped file 22->62 64 Machine Learning detection for dropped file 22->64 29 iexpress.exe 22->29         started        66 Tries to steal Mail credentials (via file / registry access) 25->66 68 Tries to harvest and steal browser information (history, passwords, etc) 25->68 70 Modifies the context of a thread in another process (thread injection) 25->70 72 Maps a DLL or memory area into another process 25->72 process15 signatures16 82 Modifies the context of a thread in another process (thread injection) 29->82 84 Maps a DLL or memory area into another process 29->84 86 Sample uses process hollowing technique 29->86
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1ded564af3fcfae6bb44f6e744b31d7b42266178505044fb4111ef01212d54cd/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Malicious
First seen:
2023-04-05 06:24:21 UTC
File Type:
PE (Exe)
Extracted files:
74
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dxwvmsxt7t5ono2e63tujmy5pnbcmylykbiej62bchxqcijnktgq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0fa02b6f90f13470038c0ea42455736163d382b77b536a3b2df65691b7c1a874
RecordBreaker
13c4ed220256fb2dfb95631c042d9eadf977bd2dc5e4aa0898ab99bd16d33ef7
RecordBreaker
5c09d69e1074890c0f9dd2b4cb100200179fc87de3e60f3d70a007f07d7864e1
RecordBreaker
773e21380e7b28202c6c142d4562bcfd733de46ffa3e63a1351dd2860c065a94
RecordBreaker
7b6d0544e8a91acc2ccfc8578a849e0726df02700c5909e8fed955199ac2a945
RecordBreaker
7f0d2570e95993562f659f45e635df91b3155a8c220bc1b859f1cf838bb66278
RecordBreaker
984a9449ed9070e40a86c6b5ab4a3ae6e0df87d9b316e26db7e876942b3b2f05
RecordBreaker
a4faadc7e9c3befad66d0e11a0365d0cb642ffdd11fc9170b02b096f658c354e
RecordBreaker
bc50bd102cef75bd5e2e54618302f10459cd18f90fbbba15ffb4d7503e7e895a
RecordBreaker
ca44673bc835c861bed89566189b4de34971760e4b93a807c9d8480654036f4d
RecordBreaker
+ 2'610 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader persistence trojan
Link:
https://tria.ge/reports/230405-wsla6agf23/
Behaviour
Gathers network information
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
ModiLoader Second Stage
ModiLoader, DBatLoader
Unpacked files
SH256 hash:
1ded564af3fcfae6bb44f6e744b31d7b42266178505044fb4111ef01212d54cd
MD5 hash:
b8e50c50e6c44ee5f7153b1b4bb9cda5
SHA1 hash:
ba059daca5a414f9c6b0f978c9aea8f2ec631a84
Link:
https://www.unpac.me/results/69ce70ed-11df-4a41-b2dd-1e02d7055e8e/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1ded564af3fc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.26
Link:
https://yomi.yoroi.company/submissions/1ded564af3fcfae6bb44f6e744b31d7b42266178505044fb4111ef01212d54cd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RecordBreaker

Executable exe 1ded564af3fcfae6bb44f6e744b31d7b42266178505044fb4111ef01212d54cd

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/380406/

Comments