MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 84e833237d4f79de14677632567858c73c68fcdafa16df9685f485c6408d19c3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 84e833237d4f79de14677632567858c73c68fcdafa16df9685f485c6408d19c3
SHA3-384 hash: bcc175431fde2d13eb179711800ef63fe4f14ef5e77b202241a85a4c7b4730e0f48e81d15bba70825d0961f3abcafe48
SHA1 hash: f2537c941b548c1af8f4fba4b9d44722d9ce8aca
MD5 hash: 851695031445470fd40a458dc3f10e9c
humanhash: utah-massachusetts-sweet-charlie
File name:boost.exe
Download: download sample
File size:86'151'766 bytes
First seen:2024-03-01 15:13:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b34f154ec913d2d2c435cbd644e91687 (533 x GuLoader, 110 x RemcosRAT, 80 x EpsilonStealer)
ssdeep 1572864:2/WHHr90/uSkvNsgHIHW+Wh/X7q/Cd/x77ODfIQwTg8AgMIsPv/HGYxJMvW+qeDf:2/8L9EuSkvqHzu7q/CD7cfIQKgHBxiFf
TLSH T13818330AD2265D7FE98AD7B755DD24C37B272A152A675D20220F2F7B24230CA1D8C1FB
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
dhash icon 98e5676565a5a198 (20 x EpsilonStealer, 2 x NovaSentinel, 1 x LummaStealer)
Reporter firarglobal
Tags:exe nodejs

Intelligence

File Origin
# of uploads :
1
# of downloads :
428
Origin country :
TR TR
Vendor Threat Intelligence
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
installer lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/65e1f0c0c51a2f3b9bbec771/reports/93af31cd-0f74-4126-8563-4490b75c773e/overview
Verdict:
Suspicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/84e833237d4f79de14677632567858c73c68fcdafa16df9685f485c6408d19c3
Result
Verdict:
MALICIOUS
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/1401495
Signature
Drops large PE files
Multi AV Scanner detection for dropped file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1401495 Sample: boost.exe Startdate: 01/03/2024 Architecture: WINDOWS Score: 52 56 www.google.com 2->56 58 www.facebook.com 2->58 60 2 other IPs or domains 2->60 68 Multi AV Scanner detection for dropped file 2->68 9 boost.exe 179 2->9         started        signatures3 process4 file5 42 C:\Users\user\AppData\Local\...\win32.exe, PE32+ 9->42 dropped 44 C:\Users\user\AppData\Local\...\vulkan-1.dll, PE32+ 9->44 dropped 46 C:\Users\user\AppData\...\vk_swiftshader.dll, PE32+ 9->46 dropped 48 11 other files (4 malicious) 9->48 dropped 70 Drops large PE files 9->70 13 win32.exe 5 9->13         started        signatures6 process7 dnsIp8 62 www.google.com 142.250.65.196, 49739, 49740, 80 GOOGLEUS United States 13->62 64 ipinfo.io 34.117.186.192, 443, 49743 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 13->64 66 2 other IPs or domains 13->66 50 98d58e91-d00e-4e9c...234af2147e.tmp.node, PE32+ 13->50 dropped 52 87506f83-2628-411a...307849dfef.tmp.node, PE32+ 13->52 dropped 17 win32.exe 1 13->17         started        20 cmd.exe 1 13->20         started        22 cmd.exe 1 13->22         started        24 37 other processes 13->24 file9 process10 dnsIp11 54 chrome.cloudflare-dns.com 162.159.61.3, 443, 49744 CLOUDFLARENETUS United States 17->54 26 WMIC.exe 1 20->26         started        28 conhost.exe 20->28         started        30 tasklist.exe 1 22->30         started        32 conhost.exe 22->32         started        34 conhost.exe 24->34         started        36 conhost.exe 24->36         started        38 conhost.exe 24->38         started        40 61 other processes 24->40 process12
Score:
58%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/84e833237d4f79de14677632567858c73c68fcdafa16df9685f485c6408d19c3
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qtudgi35j5454fdhoyzfm6cyy46gr7g27iln7fuf6sc4mqendhbq._file
Verdict:
unknown
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence spyware stealer
Link:
https://tria.ge/reports/240301-smbyraha3y/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Detects videocard installed
Enumerates processes with tasklist
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
Enumerates physical storage devices
Drops autorun.inf file
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 84e833237d4f79de14677632567858c73c68fcdafa16df9685f485c6408d19c3

(this sample)

  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::SetFileSecurityW
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExW
SHELL32.dll::SHFileOperationW
SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetDiskFreeSpaceW
KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileExW
KERNEL32.dll::MoveFileW
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegDeleteKeyW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuW
USER32.dll::EmptyClipboard
USER32.dll::FindWindowExW
USER32.dll::OpenClipboard
USER32.dll::PeekMessageW
USER32.dll::CreateWindowExW

Comments