MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bd3ae41147c48bcea273f742ae19c229ad76c4a75895253e01a58bd4f3c2b9d1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bd3ae41147c48bcea273f742ae19c229ad76c4a75895253e01a58bd4f3c2b9d1
SHA3-384 hash: d385956a6e7d50c8efa50a5eee5eead98a90efa47ccaefb9c0136c7d1b6a0771a34186b314aa193fb09579ff7aba9eae
SHA1 hash: f651e10a0c340ea9efd74cdbba7cc1eb8d242c1a
MD5 hash: f9738d2e68ebcdc3f5b982867c7d232f
humanhash: purple-east-jupiter-ohio
File name:Flrеfох lnstаllеr.exe
Download: download sample
File size:6'550'144 bytes
First seen:2023-09-05 02:41:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 21314122cd4542a6b9b297f52a87acbe (3 x GuLoader, 2 x LummaStealer, 2 x ConnectWise)
ssdeep 98304:ptfl0kYax0dMiNsqWGXwtyImWspl7Gw6S4GPgAH8751S3RIZ/bpZt:jfl0kYa0bJz73uGtKzS3O/bLt
Threatray 25 similar samples on MalwareBazaar
TLSH T14566BF31328AC42BD66305B02A2D9ADF5528BF750BB154CBB3CC2E6E5BB45C21336E57
TrID 85.7% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
4.5% (.EXE) Win64 Executable (generic) (10523/12/4)
2.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
2.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon f8e0c8d0e6e6fc18 (1 x RustyStealer, 1 x RecordBreaker, 1 x LummaStealer)
Reporter Xer0
Tags:ClearFake exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
315
Origin country :
CO CO
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Flrеfох lnstаllеr.exe
Verdict:
Malicious activity
Analysis date:
2023-08-31 23:26:20 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/90086ef9-1c75-410b-acc9-6e4abb546117

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/446192/
Detection(s):
SecuriteInfo.com.PossibleThreat.PALLAS.M.19483.1225.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Searching for the window
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Sending an HTTP GET request
Creating a file in the %temp% directory
Launching a process
Modifying a system file
Creating a file in the Windows subdirectories
Creating a process from a recently created file
Running batch commands
DNS request
Sending a custom TCP request
Creating a file
Possible injection to a system process
Launching a file downloaded from the Internet
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/bd3ae41147c48bcea273f742ae19c229ad76c4a75895253e01a58bd4f3c2b9d1
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/e60b5074-b7fb-4ce3-804b-6fade8084478
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1303207
Signature
Drops executables to the windows directory (C:\Windows) and starts them
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suspicious powershell command line found
Tries to download and execute files (via powershell)
Yara detected Obfuscated Powershell
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1303207 Sample: Flr#U0435f#U043e#U0445_lnst... Startdate: 05/09/2023 Architecture: WINDOWS Score: 72 59 Malicious sample detected (through community Yara rule) 2->59 61 Multi AV Scanner detection for submitted file 2->61 63 Yara detected Obfuscated Powershell 2->63 8 cmd.exe 1 2->8         started        11 msiexec.exe 91 63 2->11         started        14 Flr#U0435f#U043e#U0445_lnst#U0430ll#U0435r.exe 62 2->14         started        process3 file4 65 Suspicious powershell command line found 8->65 67 Tries to download and execute files (via powershell) 8->67 16 cmd.exe 1 8->16         started        19 conhost.exe 8->19         started        35 C:\Windows\Installer\MSI732.tmp, PE32+ 11->35 dropped 37 C:\Users\user\AppData\Roaming\...\64.bat, ASCII 11->37 dropped 39 C:\Windows\Installer\MSIFDF7.tmp, PE32 11->39 dropped 47 7 other files (none is malicious) 11->47 dropped 69 Drops executables to the windows directory (C:\Windows) and starts them 11->69 21 msiexec.exe 11->21         started        23 msiexec.exe 11->23         started        25 MSI732.tmp 11->25         started        41 C:\Users\user\AppData\Roaming\...\64.bat, ASCII 14->41 dropped 43 C:\Users\user\AppData\...\qwindows.dll, PE32 14->43 dropped 45 C:\Users\user\AppData\Local\...\shi68E0.tmp, PE32+ 14->45 dropped 49 4 other files (none is malicious) 14->49 dropped 27 msiexec.exe 14->27         started        signatures5 process6 signatures7 55 Suspicious powershell command line found 16->55 57 Tries to download and execute files (via powershell) 16->57 29 powershell.exe 23 16 16->29         started        process8 dnsIp9 53 ocmtancmi2c5t.life 104.21.22.145, 443, 49726, 49727 CLOUDFLARENETUS United States 29->53 51 C:\ProgramData\DirectX12AdvancedSupport.msi, Composite 29->51 dropped 33 msiexec.exe 29->33         started        file10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bd3ae41147c48bcea273f742ae19c229ad76c4a75895253e01a58bd4f3c2b9d1/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xu5oiekhysf45itt65bk4gocfgwxnrfhlckskpqbuwf5j46cxhiq._file
Verdict:
malicious
Similar samples:
082ac271e7068243ead494e9447288e5969d22bc461e6de9dd1203145a203a73
5bcc5718b11d0e933930934805ea3f1dcb888dd19eb9dd75574ef425e704d799
9d2321341dc5804543514a81cab9aac8dbc52466c77bad98a3835819cb9d9c7d
b408b7181ab5d530e5da80967be73f858ed93a2cfd172131bcea8f073164a5a0
bd043af859a796897462ed7a5aadb1c4a145f67f01a00c49b45a4b80564da6bb
d4923d3747714d0d8c1f6a2ceec5ec15c6290b030e828429fd39edcd49ccf27d
e00609f98a5ce391934710a1a47f748bb063ae939555e1cb491c4e5cff69fa97
e6ca97018621d4cab0eca8eeda2a5df23b4b35ac544a6e39a19207b847874c59
+ 15 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware
Link:
https://tria.ge/reports/230905-c61hfscg2s/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Enumerates connected drives
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
Unpacked files
SH256 hash:
bd3ae41147c48bcea273f742ae19c229ad76c4a75895253e01a58bd4f3c2b9d1
MD5 hash:
f9738d2e68ebcdc3f5b982867c7d232f
SHA1 hash:
f651e10a0c340ea9efd74cdbba7cc1eb8d242c1a
Link:
https://www.unpac.me/results/79a63629-668a-4902-a917-c2ba09943e57/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bd3ae41147c48bcea273f742ae19c229ad76c4a75895253e01a58bd4f3c2b9d1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:APT_Sandworm_ArguePatch_Apr_2022_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect ArguePatch loader used by Sandworm group for load CaddyWiper
Reference:https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe bd3ae41147c48bcea273f742ae19c229ad76c4a75895253e01a58bd4f3c2b9d1

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/446192/

Comments