MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 297ef3b685519d8dd40a3726a382977bf1452ba9ff4dcd9e5d954f795a256aba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 297ef3b685519d8dd40a3726a382977bf1452ba9ff4dcd9e5d954f795a256aba
SHA3-384 hash: 888a6a229e4ee4cd4d25435b4806ce96417a7af29de1fb912414f026fa6540053d003a40445be890c979ec9ff5de1051
SHA1 hash: 479f626a3ee3e17abcac744b11d4a5a259f3121b
MD5 hash: 41b4c75debef0f4bd06240c35693e4d8
humanhash: summer-alanine-sweet-fruit
File name:TCR2428.lnk
Download: download sample
File size:123'091 bytes
First seen:2024-04-09 06:06:22 UTC
Last seen:Never
File type:Shortcut (lnk) lnk
MIME type:application/octet-stream
ssdeep 3072:D4DFSgCxCHwcLd/3T/3YZtfuurhUm1KF7pH:D45wcLd/L3ktfhrro7pH
TLSH T1F9C31294C1E022F1D92EC67A367235F1D9A2F81EE0EBB6FB24595781C1462416F5433E
Reporter lowmal3
Tags:lnk

Intelligence

File Origin
# of uploads :
1
# of downloads :
157
Origin country :
DE DE
Vendor Threat Intelligence
Result
Verdict:
Malicious
File Type:
LNK File - Malicious
Link:
https://app.docguard.net/297ef3b685519d8dd40a3726a382977bf1452ba9ff4dcd9e5d954f795a256aba/results/dashboard
Payload URLs
URL
File name
https://boxhubcargocontainers.com/ntracking.txt
LNK File
Behaviour
BlacklistAPI detected
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
evasive masquerade
Link:
https://www.filescan.io/uploads/6614db07f57432632ba4471c/reports/1cfb2611-5332-4852-a787-770d075f1a15/overview
Verdict:
Malicious
Labled as:
BZC.YAX.Boxter.111
Link:
https://www.hybrid-analysis.com/sample/297ef3b685519d8dd40a3726a382977bf1452ba9ff4dcd9e5d954f795a256aba
Result
Verdict:
MALICIOUS
Details
Hidden Powershell
Detected a pivot to Powershell that utilizes commonly nefarious attributes such as '-windowstyle hidden'.
Base64 Encoded URL
Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1422765
Signature
Antivirus detection for URL or domain
Contains functionality to infect the boot sector
Creates an autostart registry key pointing to binary in C:\Windows
Drops PE files with a suspicious file extension
Encrypted powershell cmdline option found
Found API chain indicative of debugger detection
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Sigma detected: Potential Persistence Via COM Hijacking From Suspicious Locations
Sigma detected: Search for Antivirus process
Sigma detected: Suspicious PowerShell Parameter Substring
Snort IDS alert for network traffic
Suspicious execution chain found
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Windows shortcut file (LNK) starts blacklisted processes
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1422765 Sample: TCR2428.lnk Startdate: 09/04/2024 Architecture: WINDOWS Score: 100 63 yourserenahelpcustom.uk 2->63 65 IZfrnmkrkibbwxQlVwAYZ.IZfrnmkrkibbwxQlVwAYZ 2->65 67 boxhubcargocontainers.com 2->67 87 Snort IDS alert for network traffic 2->87 89 Antivirus detection for URL or domain 2->89 91 Windows shortcut file (LNK) starts blacklisted processes 2->91 93 6 other signatures 2->93 12 powershell.exe 14 34 2->12         started        17 cleanmgr.exe 2->17         started        19 cleanmgr.exe 2->19         started        signatures3 process4 dnsIp5 73 boxhubcargocontainers.com 172.67.179.190, 443, 49730, 49731 CLOUDFLARENETUS United States 12->73 59 C:\Users\user\AppData\...\application.exe, PE32 12->59 dropped 107 Suspicious execution chain found 12->107 109 Powershell drops PE file 12->109 21 application.exe 29 12->21         started        24 conhost.exe 1 12->24         started        26 WmiPrvSE.exe 12->26         started        28 rundll32.exe 17->28         started        30 rundll32.exe 19->30         started        file6 signatures7 process8 signatures9 97 Windows shortcut file (LNK) starts blacklisted processes 21->97 99 Multi AV Scanner detection for dropped file 21->99 32 cmd.exe 2 21->32         started        process10 file11 57 C:\Users\user\AppData\Local\...\Pj.pif, PE32 32->57 dropped 75 Windows shortcut file (LNK) starts blacklisted processes 32->75 77 Uses ping.exe to sleep 32->77 79 Drops PE files with a suspicious file extension 32->79 81 Uses ping.exe to check the status of other devices and networks 32->81 36 Pj.pif 32->36         started        39 PING.EXE 1 32->39         started        42 cmd.exe 2 32->42         started        44 8 other processes 32->44 signatures12 process13 dnsIp14 95 Injects a PE file into a foreign processes 36->95 46 Pj.pif 2 2 36->46         started        71 127.0.0.1 unknown unknown 39->71 signatures15 process16 file17 61 C:\Users\user\AppData\Local\...\TempCLN.dll, PE32 46->61 dropped 111 Creates an autostart registry key pointing to binary in C:\Windows 46->111 50 cleanmgr.exe 6 46->50         started        signatures18 process19 signatures20 83 Found API chain indicative of debugger detection 50->83 85 Contains functionality to infect the boot sector 50->85 53 rundll32.exe 50->53         started        process21 dnsIp22 69 yourserenahelpcustom.uk 149.248.79.62, 443, 49739, 49740 COEXTRO-01CA Canada 53->69 101 System process connects to network (likely due to code injection or exploit) 53->101 103 Found API chain indicative of debugger detection 53->103 105 Contains functionality to infect the boot sector 53->105 signatures23
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/297ef3b685519d8dd40a3726a382977bf1452ba9ff4dcd9e5d954f795a256aba/
Threat name:
Shortcut.Trojan.Boxter
Create hunting rule
Status:
Malicious
First seen:
2024-04-09 06:07:05 UTC
File Type:
Binary
Extracted files:
1
AV detection:
11 of 38 (28.95%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ff7phnufkgoy3vakg4tkhauxppyukk5j75g43hs5svhxswrfnk5a._file
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence
Link:
https://tria.ge/reports/240409-gvbgeabg7x/
Behaviour
Enumerates processes with tasklist
Modifies registry class
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Registers COM server for autorun
Blocklisted process makes network request
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/297ef3b68551/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/297ef3b685519d8dd40a3726a382977bf1452ba9ff4dcd9e5d954f795a256aba

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:EXE_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies executable artefacts in shortcut (LNK) files.
Rule name:High_Entropy_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies shortcut (LNK) file with equal or higher entropy than 6.5. Most goodware LNK files have a low entropy, lower than 6.
Rule name:Large_filesize_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies shortcut (LNK) file larger than 100KB. Most goodware LNK files are smaller than 100KB.
Rule name:Long_RelativePath_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies shortcut (LNK) file with a long relative path. Might be used in an attempt to hide the path.
Rule name:PS_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies PowerShell artefacts in shortcut (LNK) files.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Shortcut (lnk) lnk 297ef3b685519d8dd40a3726a382977bf1452ba9ff4dcd9e5d954f795a256aba

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments