MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3e2913bb87a2236885d3757aa42e5c1ba6a4fce934c58ab2c94da9dc615debdb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SliverFox


Vendor detections: 12


Intelligence 12 IOCs YARA 27 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3e2913bb87a2236885d3757aa42e5c1ba6a4fce934c58ab2c94da9dc615debdb
SHA3-384 hash: cd106e28aaea7d60cef4b740caf9ec088eb2ed1421dab744501d17ea9c2b2cbf33cc057b8e20ba0ac7d4cb760409d869
SHA1 hash: acce024bb43b5fc820dd98c3244c0e2eda7f8dfb
MD5 hash: 14c97123e6a5e8e13a3c71bb97108b00
humanhash: speaker-mountain-thirteen-yellow
File name:NetworkIndicator.exe
Download: download sample
Signature SliverFox
Create hunting rule
File size:75'363'552 bytes
First seen:2025-08-07 09:43:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 38eac4981f3b9c5616aa0053c4b54d38 (13 x SliverFox)
ssdeep 786432:ZROJqRB42/U0l2V2c7yP8D4e5iapP3KPPVfOKQM:CcR//42c7yUDpP0PPVfOy
TLSH T12CF79C86F753ED51E20392BE54678740A735FC644760C3C332487B286FEAB98ECB19A5
TrID 44.4% (.EXE) Win64 Executable (generic) (10522/11/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
dhash icon a9c890a4e0e46478 (13 x SliverFox)
Reporter smica83
Tags:exe SliverFox

Intelligence

File Origin
# of uploads :
1
# of downloads :
82
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
gh0st
Create hunting rule
ID:
1
File name:
NetworkIndicator.exe
Verdict:
Malicious activity
Analysis date:
2025-08-07 09:46:12 UTC
Tags:
auto-sch gh0st rat
Link:
https://app.any.run/tasks/639c8386-59be-442a-8696-7459adf8c976

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6894757f1e8a59ee04e6f0dc
Tags:
shellcode cobalt small agent
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a process with a hidden window
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control fingerprint invalid-signature lolbin microsoft_visual_cc rundll32 signed threat
Link:
https://www.filescan.io/uploads/6894755f2fbe0788fb1b659c/reports/050e5a64-3619-48d7-8ecd-3429fc3a0150/overview
Verdict:
Malicious
Labled as:
Win64/Agent_AGeneric.FWS trojan
Link:
https://www.hybrid-analysis.com/sample/3e2913bb87a2236885d3757aa42e5c1ba6a4fce934c58ab2c94da9dc615debdb
Result
Threat name:
GhostRat, Nitol
Create hunting rule
Detection:
malicious
Classification:
evad.troj
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1752195
Signature
Adds extensions / path to Windows Defender exclusion list (Registry)
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Creates an undocumented autostart registry key
Detected unpacking (creates a PE file in dynamic memory)
Disables security and backup related services
Drops PE files to the document folder of the user
Found direct / indirect Syscall (likely to bypass EDR)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected GhostRat
Yara detected Nitol
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1752195 Sample: NetworkIndicator.exe Startdate: 07/08/2025 Architecture: WINDOWS Score: 100 88 sc-2k7t.cn-hangzhou.oss-adns.aliyuncs.com.gds.alibabadns.com 2->88 90 sc-2k7t.cn-hangzhou.oss-adns.aliyuncs.com 2->90 92 3 other IPs or domains 2->92 104 Suricata IDS alerts for network traffic 2->104 106 Malicious sample detected (through community Yara rule) 2->106 108 Antivirus detection for dropped file 2->108 110 9 other signatures 2->110 10 6hhSeX.exe 26 2->10         started        15 NetworkIndicator.exe 1 28 2->15         started        17 6hhSeX.exe 2->17         started        19 14 other processes 2->19 signatures3 process4 dnsIp5 98 sc-2k7t.cn-hangzhou.oss-adns.aliyuncs.com.gds.alibabadns.com 118.178.60.7, 443, 49726, 49727 CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd China 10->98 78 C:\Program Files (x86)\nLNltz\nLNltz.exe, PE32 10->78 dropped 80 C:\Program Files (x86)\nLNltz\XPSPLOG.dll, PE32 10->80 dropped 124 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 10->124 126 Found direct / indirect Syscall (likely to bypass EDR) 10->126 21 nLNltz.exe 10->21         started        26 cmd.exe 1 10->26         started        28 cmd.exe 1 10->28         started        36 3 other processes 10->36 100 8ae6tt.oss-cn-shenzhen.aliyuncs.com 112.74.1.26, 443, 49723 CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd China 15->100 82 C:\Windows\Temp\ranchserv.jpg, PE32+ 15->82 dropped 84 C:\Users\user\Documents\eToken.dll, PE32+ 15->84 dropped 86 C:\Users\user\Documents\6hhSeX.exe, PE32+ 15->86 dropped 128 Drops PE files to the document folder of the user 15->128 130 Tries to detect virtualization through RDTSC time measurements 15->130 132 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 17->132 102 127.0.0.1 unknown unknown 19->102 134 Changes security center settings (notifications, updates, antivirus, firewall) 19->134 136 Uses cmd line tools excessively to alter registry or file data 19->136 30 reg.exe 1 1 19->30         started        32 reg.exe 1 1 19->32         started        34 reg.exe 19->34         started        38 9 other processes 19->38 file6 signatures7 process8 dnsIp9 94 47.239.99.114, 49730, 8379 CHARTER-20115US United States 21->94 96 osuyet.net 8.210.41.205, 49729, 49731, 49732 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC Singapore 21->96 74 C:\Program Files (x86)\D08I6\XPSPLOG.dll, PE32 21->74 dropped 76 C:\Program Files (x86)\D08I6\A8V7H4.exe, PE32 21->76 dropped 112 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 21->112 114 Creates an undocumented autostart registry key 21->114 116 Disables security and backup related services 21->116 40 cmd.exe 21->40         started        42 cmd.exe 21->42         started        44 cmd.exe 21->44         started        46 cmd.exe 21->46         started        118 Uses cmd line tools excessively to alter registry or file data 26->118 120 Uses schtasks.exe or at.exe to add and modify task schedules 26->120 48 conhost.exe 26->48         started        52 3 other processes 26->52 54 4 other processes 28->54 122 Adds extensions / path to Windows Defender exclusion list (Registry) 30->122 56 12 other processes 36->56 50 conhost.exe 38->50         started        file10 signatures11 process12 process13 58 conhost.exe 40->58         started        60 schtasks.exe 40->60         started        62 schtasks.exe 40->62         started        64 schtasks.exe 40->64         started        66 net.exe 42->66         started        68 conhost.exe 42->68         started        70 conhost.exe 44->70         started        process14 72 net1.exe 66->72         started       
Score:
70%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/3e2913bb87a2236885d3757aa42e5c1ba6a4fce934c58ab2c94da9dc615debdb
Gathering data
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-08-07 09:47:24 UTC
File Type:
PE+ (Exe)
Extracted files:
114
AV detection:
11 of 24 (45.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hyurho4huirwrbotov5kils4dotkj7hjgtcyvmwjjwu5yyk55pnq._file
Result
Malware family:
n/a
Score:
  10/10
Tags:
defense_evasion discovery execution exploit persistence trojan
Link:
https://tria.ge/reports/250807-lqds7afm91/
Behaviour
Checks processor information in registry
Modifies registry class
Runs net.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Uses Task Scheduler COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Launches sc.exe
Indicator Removal: Clear Persistence
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
Command and Scripting Interpreter: PowerShell
Modifies RDP port number used by Windows
Possible privilege escalation attempt
Disables service(s)
UAC bypass
Windows security bypass
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/543e68fa-ea02-460d-b113-23774d522626
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3e2913bb87a2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_202409_html_FedEx_phish
Create hunting rule
Author:abuse.ch
Description:Detects potential HTML FedEx phishing forms
Rule name:BLOWFISH_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:botnet_plaintext_c2
Create hunting rule
Author:cip
Description:Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:dependsonpythonailib
Create hunting rule
Author:Tim Brown
Description:Hunts for dependencies on Python AI libraries
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:golang_binary_string
Create hunting rule
Description:Golang strings present
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:grakate_stealer_nov_2021
Create hunting rule
Rule name:HUN_APT29_EnvyScout_Jul_2023_1
Create hunting rule
Author:Arkbird_SOLG
Description:Hunting rule for detect possible Envyscout malware used by the APT29 group by patterns already used in the past
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:Indicator_MiniDumpWriteDump
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects PE files and PowerShell scripts that use MiniDumpWriteDump either through direct imports or string references
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:ProgramLanguage_Golang
Create hunting rule
Author:albertzsigovits
Description:Application written in Golang programming language
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:Suspicious_PowerShell_Commands_Executed_via_Rundll32
Create hunting rule
Author:assistant
Description:Detects when rundll32.exe is used to execute PowerShell commands that may indicate malicious activity
Reference:https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_susp_powershell_via_rundll32.yml
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

SliverFox

Executable exe 3e2913bb87a2236885d3757aa42e5c1ba6a4fce934c58ab2c94da9dc615debdb

(this sample)

unknown c7d389099e5931449d2d1521fe4905fc80296702b99060684242f68148e77e64

  
Dropping
SHA256 c7d389099e5931449d2d1521fe4905fc80296702b99060684242f68148e77e64
  
Dropping
MD5 a668d42a619287993550257c593d5c03
  
Dropping
SHA256 ad1443d93dd7db8e301e137c627a549fe388b91241e2259984852b1f4cfb1b58
  
Dropping
MD5 28d3c80d6f8e7322942bd26a8b34c026

Comments