MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 69e6517b2ee056dd1f5f70c46faf6235b84db97a74a65be873cc23a619219eca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RecordBreaker

Vendor detections: 6

SHA256 hash: 69e6517b2ee056dd1f5f70c46faf6235b84db97a74a65be873cc23a619219eca
SHA3-384 hash: fa5cc538c8496387c5f34e3ae7709eef980d0c2b9555f501f43ef3ee10c48acc8d6d39eb2df9fc33d6677dfe9685d74f
SHA1 hash: e387173c31cbc2df18d7d32f48fb75156387817e
MD5 hash: c83743f1de3204400030b1ac752fd50f
humanhash: timing-india-grey-green
File name: 69e6517b2ee056dd1f5f70c46faf6235b84db97a74a65.exe
Signature: RecordBreaker
File size: 3'467'369 bytes
First seen: 2024-01-18 21:35:10 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 099c0646ea7282d232219f8807883be0 (476 x Formbook, 210 x Loki, 107 x AgentTesla)
ssdeep 49152:nSBvaPwSWpIh/2S2s+U1Z/KT39HdDVmHkfSBb5AcwOD1GjRCwtupTH7dcEGpRyiH:n4iYmeSdHZuHdDV2vNwOURRAfdGpE6
TLSH T10DF53362E793FC09C816AD3265E0E76C027CEED586208D2FDF7E696E78354506A370C6
TrID 92.7% (.EXE) NSIS - Nullsoft Scriptable Install System (846567/2/133)
3.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
1.1% (.EXE) Win64 Executable (generic) (10523/12/4)
0.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
0.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon c4dadadad2f492c2 (25 x GuLoader, 14 x RemcosRAT, 7 x AgentTesla)
Reporter abuse_ch
Tags: exe recordbreaker
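Before a copy of this sample is detonated, shared or compared against another feed, confirm that it is the file this record describes: all four digests above should match, and a partial match means the record and the file do not belong together. The following is an added example, not code from MalwareBazaar or abuse.ch. It embeds the digests listed above; the file path is whatever you pass on the command line. A full match only establishes identity with this record, not maliciousness (see the note at the top of the page).

```python
"""Check a candidate file against the hash set published in the MalwareBazaar record."""
import hashlib
import re

# Expected digest lengths (hex characters) for the four algorithms MalwareBazaar lists.
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha3_384": 96}

# Digests copied from the record on this page.
RECORD = {
    "md5": "c83743f1de3204400030b1ac752fd50f",
    "sha1": "e387173c31cbc2df18d7d32f48fb75156387817e",
    "sha256": "69e6517b2ee056dd1f5f70c46faf6235b84db97a74a65be873cc23a619219eca",
    "sha3_384": "fa5cc538c8496387c5f34e3ae7709eef980d0c2b9555f501f43ef3ee10c48acc8d6d39eb2df9fc33d6677dfe9685d74f",
}


def validate_record(record):
    """Return the algorithms whose recorded digest is missing or not well-formed lowercase hex.

    Catches copy errors (truncated or mislabelled hashes) before they turn into
    misleading 'no match' results.
    """
    return [algo for algo, n in HEX_LEN.items()
            if not re.fullmatch(r"[0-9a-f]{%d}" % n, record.get(algo, ""))]


def _new_hashers():
    return {algo: hashlib.new(algo) for algo in HEX_LEN}


def digest_bytes(data):
    """All four digests of an in-memory blob."""
    hashers = _new_hashers()
    for h in hashers.values():
        h.update(data)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def digest_file(path, chunk_size=1 << 20):
    """All four digests of a file, streamed so a multi-megabyte dropper need not fit in memory."""
    hashers = _new_hashers()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(block)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def compare(observed, record):
    """Per-algorithm match flags.

    Anything other than all-True or all-False means the record itself is inconsistent,
    e.g. hashes copied from two different samples.
    """
    return {algo: observed[algo] == record[algo].lower() for algo in HEX_LEN}


def is_same_sample(observed, record):
    """True only if every digest matches; refuses to judge against a malformed record."""
    bad = validate_record(record)
    if bad:
        raise ValueError("malformed record fields: %s" % ", ".join(bad))
    return all(compare(observed, record).values())


if __name__ == "__main__":
    import sys
    # Usage: python verify_sample.py <path-to-extracted-sample>
    for algo, ok in compare(digest_file(sys.argv[1]), RECORD).items():
        print("%-9s %s" % (algo, "match" if ok else "MISMATCH"))
```

The streaming helper matters for this entry: the sample is about 3.4 MB, but the files it drops (an NSIS installer that unpacks further installers) can be much larger, and a one-shot `read()` of every artefact in a triage directory is an easy way to exhaust memory.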


abuse_ch
RecordBreaker C2:
http://94.228.169.161/

Intelligence


File Origin
Uploads: 1
Downloads: 433
Origin country: NL
Vendor Threat Intelligence
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control installer lolbin overlay packed shell32
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
84 / 100
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to detect sleep reduction / modifications
Multi AV Scanner detection for dropped file
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph: ID 1377072, sample 69e6517b2ee056dd1f5f70c46fa..., start date 18/01/2024, architecture WINDOWS, score 84. The graph is rendered as an image on the page; the node data recoverable from it is listed below.

Top-level signatures: Snort IDS alert for network traffic; Antivirus detection for URL or domain; Antivirus detection for dropped file; 2 other signatures. Hosts contacted overall: www.thefastcenter.com, pstbbk.com and 13 other IPs or domains.

Process tree, with the files dropped and hosts contacted by each process:

- 69e6517b2ee056dd1f5f70c46faf6235b84db97a74a65.exe (the sample)
  - Contacted: www.thefastcenter.com 23.106.59.52:80 (LEASEWEB-UK-LON-11GB, United Kingdom); cemeterypaper.website 104.21.21.253:80 (CLOUDFLARENETUS, United States); 3 other IPs or domains
  - Dropped: C:\winrar-x64-623.exe (PE32+); C:\Users\user\AppData\Local\...\setup_3.exe (PE32); C:\Users\user\AppData\Local\...\setup_1.exe (PE32); 3 other malicious files
  - Started: setup_3.exe, setup_1.exe
    - setup_3.exe: dropped C:\Users\user\AppData\Local\...\setup_3.tmp (PE32) [Multi AV Scanner detection for dropped file]; started setup_3.tmp
      - setup_3.tmp: dropped 7 other files (6 malicious) [Multi AV Scanner detection for dropped file; Uses schtasks.exe or at.exe to add and modify task schedules]; started _setup64.tmp, schtasks.exe and 2 other processes, each followed by conhost.exe; the 2 other processes contacted bapp.digitalpulsedata.com 15.156.162.186:443 (HP-INTERNET-ASUS, United States) and 3.98.219.138:443 (AMAZON-02US, United States)
    - setup_1.exe: dropped C:\Users\user\AppData\Roaming\...\decoder.dll (PE32); C:\Users\user\AppData\...\Windows Updater.exe (PE32); 4 other files (3 malicious) [Antivirus detection for dropped file]; started msiexec.exe
- msiexec.exe (from the start node)
  - Dropped: C:\Windows\Installer\MSIF9A8.tmp, C:\Windows\Installer\MSIF949.tmp, C:\Windows\Installer\MSIF89D.tmp (all PE32); 109 other malicious files
  - Started: three further msiexec.exe instances and 4 other processes (the latter dropped 6 other files, none malicious)
    - msiexec.exe: contacted pstbbk.com 157.230.96.32:80 (DIGITALOCEAN-ASNUS, United States) and collect.installeranalytics.com 52.7.13.177:443 (AMAZON-AESUS, United States); dropped 2 other files (none malicious) [Query firmware table information (likely to detect VMs)]; started taskkill.exe
    - msiexec.exe: dropped 4 other files (none malicious); started taskkill.exe and 2 other processes (which started 2 more)
    - msiexec.exe: dropped 4 other files (none malicious); started taskkill.exe
    - each taskkill.exe started conhost.exe
- Windows Updater.exe (from the start node)
  - Contacted: allroadslimit.com 104.21.74.109:443 (CLOUDFLARENETUS, United States)
  - Dropped: C:\Windows\Temp\...\Windows Updater.exe (PE32)
  - Started: Windows Updater.exe
    - Windows Updater.exe: contacted dl.likeasurfer.com 172.67.150.192:443 (CLOUDFLARENETUS, United States); dropped 4 other malicious files; started v113.exe and v114.exe
      - v113.exe: dropped C:\Windows\Temp\MSICAF9.tmp, C:\Windows\Temp\MSICA3C.tmp, C:\Windows\Temp\INAC931.tmp (all PE32); 4 other files (3 malicious); started msiexec.exe
      - v114.exe: dropped C:\Windows\Temp\MSI1BA9.tmp, C:\Windows\Temp\MSI1B1C.tmp, C:\Windows\Temp\INA1A10.tmp (all PE32); 4 other files (3 malicious); started msiexec.exe
- 7 other processes (from the start node)
  - Contacted: win-peer-pbm-ecs-lb-495161369.ca-central-1.elb.amazonaws.com 3.96.123.81:443 (AMAZON-02US, United States)
  - Started: tasklist.exe (followed by conhost.exe) and 5 other processes
Verdict:
unknown
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Enumerates physical storage devices
Unpacked files
SHA256 hash:
89e24e4124b607f3f98e4df508c4ddd2701d8f7fcf1dc6e2aba11d56c97c0c5a
MD5 hash:
cab75d596adf6bac4ba6a8374dd71de9
SHA1 hash:
fb90d4f13331d0c9275fa815937a4ff22ead6fa3
SHA256 hash:
df6aa15594e46d9cef5833451c5faad88712ebc06bdd76b99525817baa9a6a13
MD5 hash:
8f160b9da5191f5003ce83d346b5427c
SHA1 hash:
eacd4785371b9290a819e81bfb1a2216023377f5
SHA256 hash:
d1144b0fb4e1e8e5104c8bb90b54efcf964ce4fca482ee2f00698f871af9cb72
MD5 hash:
857c878011a55ddd434d0d27dbbdb0d1
SHA1 hash:
796f754090a9dfa44edf60ee4ee4475c6c51ba18
SHA256 hash:
94b0b503a87c0b9f4b4e14666c9771d939867634fd4832b041e5e0f54b080e1b
MD5 hash:
9ea95c0a09b40fdd8f51a892c4b6aa10
SHA1 hash:
eadcfbfe9ca334ab8bbdb37ac82cae1d83d3f65d
SHA256 hash:
89ff617a962761f5c6688fab64584442a3d3ced9a513c81b1ebe24bd2b899735
MD5 hash:
95c94b773734f97e9307b10f1ceaa57f
SHA1 hash:
18d06e447f1713e2d140b1d61d12a2358af0c1da
SHA256 hash:
394a7b88c52c0da5ecb5f5a6eb055a91850794a6b2c1110e7f8b7e680ee65564
MD5 hash:
993ea4ce83424f14ccf33b558ee0659a
SHA1 hash:
120dcf8cad135710418f954aef92d01cc44dc8bc
SHA256 hash (the submitted sample itself):
69e6517b2ee056dd1f5f70c46faf6235b84db97a74a65be873cc23a619219eca
MD5 hash:
c83743f1de3204400030b1ac752fd50f
SHA1 hash:
e387173c31cbc2df18d7d32f48fb75156387817e
Please note that we are no longer able to provide a coverage score for VirusTotal.
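The reporter's C2 and the hosts the sandbox saw the sample and its droppers contact are only useful once they are matched against your own telemetry. The following is an added example, not code from MalwareBazaar, abuse.ch or the sandbox vendor. It carries the C2 from the reporter comment and the domains and addresses from the behaviour graph above; the confidence tiers are this example's own triage choice, not part of the record, and the amazonaws.com load balancer and the installeranalytics host are left out as shared infrastructure a defender would want to vet before alerting on. The proxy log is constructed for the example; the log format is assumed.

```python
"""Match the network indicators from this MalwareBazaar entry against proxy log lines."""
import re
from collections import namedtuple

Ioc = namedtuple("Ioc", "value kind source confidence")
Hit = namedtuple("Hit", "line_no client host ioc")

# Indicators taken from this page. Only the reporter's entry is a confirmed C2; the rest
# are hosts the sandbox saw contacted during the run, so they are weaker on their own.
# Addresses the page labels CLOUDFLARENETUS are shared CDN front-ends: kept at low
# confidence, because many unrelated tenants sit behind the same IP. Match those by name.
IOCS = [
    Ioc("94.228.169.161", "ip", "reporter C2", "high"),
    Ioc("www.thefastcenter.com", "domain", "sandbox", "medium"),
    Ioc("cemeterypaper.website", "domain", "sandbox", "medium"),
    Ioc("pstbbk.com", "domain", "sandbox", "medium"),
    Ioc("allroadslimit.com", "domain", "sandbox", "medium"),
    Ioc("dl.likeasurfer.com", "domain", "sandbox", "medium"),
    Ioc("bapp.digitalpulsedata.com", "domain", "sandbox", "medium"),
    Ioc("23.106.59.52", "ip", "sandbox", "medium"),
    Ioc("157.230.96.32", "ip", "sandbox", "medium"),
    Ioc("104.21.21.253", "ip", "sandbox (Cloudflare)", "low"),
    Ioc("104.21.74.109", "ip", "sandbox (Cloudflare)", "low"),
    Ioc("172.67.150.192", "ip", "sandbox (Cloudflare)", "low"),
]

# Constructed proxy log in an assumed "timestamp client method target status" layout.
# Line 7 is a deliberate near-miss: notpstbbk.com must not match pstbbk.com.
SAMPLE_LOG = """\
2024-01-19T03:12:07Z 10.0.4.17 GET http://94.228.169.161/ 200
2024-01-19T03:12:09Z 10.0.4.17 GET http://www.thefastcenter.com/ 200
2024-01-19T03:12:11Z 10.0.4.17 CONNECT allroadslimit.com:443 200
2024-01-19T03:12:12Z 10.0.4.22 GET http://intranet.example.local/update.xml 200
2024-01-19T03:12:15Z 10.0.4.17 CONNECT cdn.pstbbk.com:443 200
2024-01-19T03:12:16Z 10.0.4.31 GET http://104.21.21.253/ 200
2024-01-19T03:12:18Z 10.0.4.31 GET http://notpstbbk.com/ 200
"""

# Destination host from either a URL or a CONNECT target; the character class stops at ':' and '/'.
HOST_RE = re.compile(r"(?:https?://|\bCONNECT\s+)([A-Za-z0-9.-]+)")


def extract_host(line):
    """Lower-cased destination host of a log line, or None if the line carries no URL/CONNECT."""
    m = HOST_RE.search(line)
    return m.group(1).lower().rstrip(".") if m else None


def host_matches(host, ioc):
    """IPs match exactly; domains match themselves and any subdomain, never a bare suffix."""
    if ioc.kind == "ip":
        return host == ioc.value
    return host == ioc.value or host.endswith("." + ioc.value)


def scan(log_text):
    """Return one Hit per (line, indicator) pair, in log order."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        host = extract_host(line)
        if host is None:
            continue
        fields = line.split()
        client = fields[1] if len(fields) > 1 else "?"
        for ioc in IOCS:
            if host_matches(host, ioc):
                hits.append(Hit(n, client, host, ioc))
    return hits


def triage(hits):
    """Worst confidence rank per client (3 = confirmed C2, 1 = shared CDN address only),
    so a host that reached the C2 outranks one that merely touched a Cloudflare IP."""
    rank = {"high": 3, "medium": 2, "low": 1}
    worst = {}
    for h in hits:
        worst[h.client] = max(worst.get(h.client, 0), rank[h.ioc.confidence])
    return worst


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print("line %d client %s -> %s matches %s [%s, %s]"
              % (h.line_no, h.client, h.host, h.ioc.value, h.ioc.source, h.ioc.confidence))
    print(triage(scan(SAMPLE_LOG)))
```

The subdomain rule is the part worth keeping: a sandbox report lists the exact hostname it resolved, but the same infrastructure is routinely reached through other labels, while a suffix-only comparison would also fire on unrelated domains that happen to end in the same string.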

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_SliverFox_String
Author:huoji
Description: Detects files that are `SliverFox` malware
