MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3b0422e2969647a30d739eac69c0bf70a5ae30c603c89902535ba643017fa07a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3b0422e2969647a30d739eac69c0bf70a5ae30c603c89902535ba643017fa07a
SHA3-384 hash: f155103e5043192c6c5f1c42e6c6891531fc201a3775ed721bffc4b29fedce9acb2d9ea0c0c3c2af0a7efc3e085846ea
SHA1 hash: 60dff5551c9f69d8026f4e3ca7629c9507cc963a
MD5 hash: 57000fb515f21cb50b9710aca93006fe
humanhash: bulldog-colorado-pasta-floor
File name:boxer_trc_scapy_PI.exe
Download: download sample
File size:32'910'219 bytes
First seen:2022-12-20 22:18:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ba5546933531fafa869b1f86a4e2a959 (10 x DCRat, 3 x RedLineStealer, 2 x RemcosRAT)
ssdeep 786432:u1n9LFNCEDEMbLW4t9jHZUfaEa6tN3KEQnqar7qgjzZy:YnxFNC385HZUfawKEQq++gZ
Threatray 215 similar samples on MalwareBazaar
TLSH T1E47733C0D7E25DABE1920239D9F1D856EA5270BF1250413F1AE73802BD2B1ED9EBD316
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
dhash icon aebc385c4ce0e8f8 (10 x PythonStealer, 7 x RedLineStealer, 7 x DCRat)
Reporter MossSamoa
Tags:boxer_trc_scapy_PI.exe exe


Avatar
MossSamoa
boxer_trc_scapy_PI.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
207
Origin country :
DK DK
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
boxer_trc_scapy_PI.exe
Verdict:
Malicious activity
Analysis date:
2022-12-20 22:19:51 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/342843e5-4a90-4978-9035-0dea83c82735

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Sending a custom TCP request
Creating a file
Running batch commands
Creating a process with a hidden window
DNS request
Launching a process
Gathering data
Result
Threat name:
Unknown
Detection:
suspicious
Classification:
spre
Score:
27 / 100
Link:
https://www.joesandbox.com/analysis/1138273
Signature
Performs a network lookup / discovery via ARP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 process2 2 Behavior Graph ID: 771003 Sample: boxer_trc_scapy_PI.exe Startdate: 20/12/2022 Architecture: WINDOWS Score: 27 6 boxer_trc_scapy_PI.exe 502 2->6         started        signatures3 25 Performs a network lookup / discovery via ARP 6->25 9 boxer_trc_scapy_PI.exe 7 6->9         started        13 conhost.exe 6->13         started        process4 dnsIp5 19 192.168.2.1, 8000 unknown unknown 9->19 21 www.google.com 9->21 23 2 other IPs or domains 9->23 27 Performs a network lookup / discovery via ARP 9->27 15 ARP.EXE 1 1 9->15         started        17 cmd.exe 1 9->17         started        signatures6 process7
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hmccfyuwszd2gdltt2wgtqf7ocs24mggapejsastlotegal7ub5a._file
Verdict:
unknown
Similar samples:
028eb90d9030197de2540b5376793e2d4f26209ac6aae517a9090dd576eba6fd
07ae2a00c878219dff16a32de2296ee69f23c596cde7e802a8deada12d21d982
0bc250f43d37f663c9b9655be85caec78a7b8662b262b17abc67654f60709fdd
393520554a19f1a2dc6c362b4c4eb97bd62caadc8489545c1f6fc57aae91cc58
51bf7d8f0523c3b9b7b352f4d9e7ed427325808cfaf88399965062e9457e82c4
585437888a36695c0d522c9f8aefe1de1ca2b10b54ec4e9600a9a635c4d5c94d
61b16d71a76f83cef63d079b0735cd0a1cee24f1119063e28ef1f227f2bb27c4
6cd361e9bd237d7dfed999883bacd2665e954815aeb2ba6942345e85d6568241
76f4028be569b642d396b8e8936779493280aabcc3329f9058c19e78936c113e
c5e11de6c91c453483b70bbde34bd99a5b9970a6ba4a898e42caa1f598d2d160
+ 205 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
pyinstaller
Link:
https://tria.ge/reports/221220-18h8ysbc27/
Behaviour
Suspicious use of WriteProcessMemory
Loads dropped DLL
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3b0422e2969647a30d739eac69c0bf70a5ae30c603c89902535ba643017fa07a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments