MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d47b38d68c7ef6c19add401c1c6defb99aef1fac8fd283851bbaa1409190af7d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RecordBreaker

Vendor detections: 7
SHA256 hash: d47b38d68c7ef6c19add401c1c6defb99aef1fac8fd283851bbaa1409190af7d
SHA3-384 hash: df97a2a6dfcd0df031130001d51063434cab9d58aaeb601c467f285e78015bd3da9f648304abca31c88a57cf7c527ea3
SHA1 hash: 4399812f37cdd502ad26f15e16ab38e82fd8ba82
MD5 hash: 52ba237771769f0dade8d1ff09415ed6
humanhash: mars-eighteen-nitrogen-moon
File name: d47b38d68c7ef6c19add401c1c6defb99aef1fac8fd28.exe
Signature RecordBreaker
File size: 3'467'254 bytes
First seen: 2024-01-18 22:10:11 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 099c0646ea7282d232219f8807883be0 (476 x Formbook, 210 x Loki, 107 x AgentTesla)
ssdeep 98304:jttpLiOdiKTky4VtGgCpu0ooBJxy/nE1pdRnHGxu:jf1iOcokymDCY0oohy81pd9mk
TLSH T1B2F5334311D745B7F850A1B52132BE04CD6BC66DA722C3D383A1BD6DDF6DA0AA838D4B
TrID 92.7% (.EXE) NSIS - Nullsoft Scriptable Install System (846567/2/133)
3.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
1.1% (.EXE) Win64 Executable (generic) (10523/12/4)
0.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
0.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
dhash icon c4dadadad2f492c2 (25 x GuLoader, 14 x RemcosRAT, 7 x AgentTesla)
Reporter abuse_ch
Tags: exe recordbreaker


abuse_ch
RecordBreaker C2:
http://94.228.169.161/

Intelligence


File Origin
# of uploads: 1
# of downloads: 372
Origin country: NL
Vendor Threat Intelligence
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Searching for the window
Verdict:
Suspicious
Threat level:
5/10
Confidence:
100%
Tags:
control installer lolbin overlay packed shell32
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
84 / 100
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to detect sleep reduction / modifications
Multi AV Scanner detection for dropped file
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph: ID 1377090, Sample d47b38d68c7ef6c19add401c1c6..., Startdate 18/01/2024, Architecture WINDOWS, Score 84 (rendered graph omitted)
Verdict:
unknown
Result
Malware family:
n/a
Score:
3/10
Tags:
n/a
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Enumerates physical storage devices
Unpacked files
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Detect_SliverFox_String
Author: huoji
Description: Detects files that are `SliverFox` malware

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments