MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d740d3c26404ee20b5d4b9863c9fb4d402518c2a5c752e5a6c79ff060981b3f3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d740d3c26404ee20b5d4b9863c9fb4d402518c2a5c752e5a6c79ff060981b3f3
SHA3-384 hash: 816171e581e504793e1860d807671a5b7793063705b51496a8d1e51fe360215b8c3e2bb8618df8d032cbba4ffcf8e456
SHA1 hash: 1722b439a0bbe0fc0a5aa52108df81e7d197c284
MD5 hash: 25dcb3a32c4d9c4c7876ff0c8581f7c2
humanhash: cola-nitrogen-oscar-ceiling
File name:ChromeSetup.exe.lnk
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:1'958 bytes
First seen:2024-03-07 19:18:42 UTC
Last seen:2024-03-08 14:32:40 UTC
File type:Shortcut (lnk) lnk
MIME type:application/octet-stream
ssdeep 24:8WYaEBmYhZHcvm4pyAcPkr+/4y+nQ6E38VQiOBEK5qRthavt3r3KrlcKOdm:8WYaCmSZHomuy1j3UQi+SWvpbolMd
TLSH T10A41BE0617F64B32E7B28E7A497967119E31B806ED12AF1E42A4919818A5501F874F3F
Reporter rmceoin
Tags:lnk


Avatar
rmceoin
91.92.250.150/Downloads/ChromeSetup.exe.lnk
lastmodified: Thu, 07 Mar 2024 12:42:48 GMT
LNK -> mshta http://89.23.98.210/ChromeSetup -> https://arf.berkeley.edu/update/ChromeSetup.exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
180
Origin country :
US US
Vendor Threat Intelligence
Detection(s):
TwinWave.EvilLNK.HTTPDottedQuadPolicykill.20220908.UNOFFICIAL
Create hunting rule

TwinWave.EvilLNK.SilverChairs4SilverBacks.20221114.UNOFFICIAL
Create hunting rule

TwinWave.EvilLNK.OtherPosition.02122024.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malicious
File Type:
LNK File - Malicious
Link:
https://app.docguard.net/d740d3c26404ee20b5d4b9863c9fb4d402518c2a5c752e5a6c79ff060981b3f3/results/dashboard
Payload URLs
URL
File name
http://89.23.98.210/ChromeSetup
LNK File
Behaviour
BlacklistAPI detected
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
forfiles lolbin masquerade mshta shell32
Link:
https://www.filescan.io/uploads/65ea132dc1137bbf1493d963/reports/283b9b1f-5df3-4b32-946a-bf0c8570f3e2/overview
Verdict:
Suspicious
Labled as:
Trojan.WinLNK.Agent
Link:
https://www.hybrid-analysis.com/sample/d740d3c26404ee20b5d4b9863c9fb4d402518c2a5c752e5a6c79ff060981b3f3
Result
Verdict:
MALICIOUS
Details
IPv4 Dotted Quad URL
A URL was detected referencing a direct IP address, as opposed to a domain name.
Result
Threat name:
n/a
Detection:
malicious
Classification:
rans.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1405042
Signature
Antivirus detection for URL or domain
Found URL in windows shortcut file (LNK)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Suspicious MSHTA Child Process
Suspicious powershell command line found
Very long command line found
Windows shortcut file (LNK) contains suspicious command line arguments
Windows shortcut file (LNK) starts blacklisted processes
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1405042 Sample: ChromeSetup.exe.lnk Startdate: 07/03/2024 Architecture: WINDOWS Score: 92 41 pdfobject.com 2->41 43 arf.berkeley.edu 2->43 55 Malicious sample detected (through community Yara rule) 2->55 57 Antivirus detection for URL or domain 2->57 59 Windows shortcut file (LNK) starts blacklisted processes 2->59 61 5 other signatures 2->61 12 forfiles.exe 1 2->12         started        15 svchost.exe 1 1 2->15         started        signatures3 process4 dnsIp5 69 Windows shortcut file (LNK) starts blacklisted processes 12->69 18 powershell.exe 7 12->18         started        20 conhost.exe 1 12->20         started        53 127.0.0.1 unknown unknown 15->53 signatures6 process7 process8 22 mshta.exe 16 18->22         started        dnsIp9 47 89.23.98.210, 49711, 80 MAXITEL-ASRU Russian Federation 22->47 39 C:\Users\user\AppData\...\ChromeSetup[1], PE32 22->39 dropped 63 Windows shortcut file (LNK) starts blacklisted processes 22->63 65 Suspicious powershell command line found 22->65 67 Very long command line found 22->67 27 powershell.exe 17 18 22->27         started        file10 signatures11 process12 dnsIp13 49 arf.berkeley.edu 162.241.151.157, 443, 49717 UNIFIEDLAYER-AS-1US United States 27->49 51 pdfobject.com 185.199.109.153, 443, 49714 FASTLYUS Netherlands 27->51 30 Acrobat.exe 79 27->30         started        32 conhost.exe 27->32         started        process14 process15 34 AcroCEF.exe 104 30->34         started        process16 36 AcroCEF.exe 2 34->36         started        dnsIp17 45 23.200.60.110, 443, 49731 AKAMAI-ASUS United States 36->45
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d740d3c26404ee20b5d4b9863c9fb4d402518c2a5c752e5a6c79ff060981b3f3/
Threat name:
Shortcut.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2024-03-07 19:19:05 UTC
File Type:
Binary
AV detection:
7 of 24 (29.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=25anhqteatxcbnouxgddzh5u2qbfddbklr2s4wtmph7qmcmbwpzq._file
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/240307-x1hexabg33/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Checks computer location settings
Blocklisted process makes network request
Downloads MZ/PE file
Malware Config
Dropper Extraction:
http://89.23.98.210/ChromeSetup
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d740d3c26404ee20b5d4b9863c9fb4d402518c2a5c752e5a6c79ff060981b3f3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Download_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies download artefacts in shortcut (LNK) files.
Rule name:EXE_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies executable artefacts in shortcut (LNK) files.
Rule name:PS_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies PowerShell artefacts in shortcut (LNK) files.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

e5c44b0338c36ae76e5d99f19bef5495e736a1f628898a5606e2092272b73d07

Rhadamanthys

Shortcut (lnk) lnk d740d3c26404ee20b5d4b9863c9fb4d402518c2a5c752e5a6c79ff060981b3f3

(this sample)

unknown f3e6d8f973c6c8e1ab02c684e0a40bdd77e73ec7fd360f322da01f268582c655

Executable exe 7eb0014fac4365b6b61002f165673956d5e5efaba16efafebe9575396f58c09e

  
Dropping
SHA256 7eb0014fac4365b6b61002f165673956d5e5efaba16efafebe9575396f58c09e
  
Dropping
MD5 efc2f6683db49c074ed2e5e389763884
  
Dropping
SHA256 908ca27ec447937b2f97fd4053a8fea99f45bc7e2eb028152f2301c97f952acf
  
Dropping
MD5 d92c49ca712a0503de3e182f66e3dcba
  
Dropped by
SHA256 e5c44b0338c36ae76e5d99f19bef5495e736a1f628898a5606e2092272b73d07
  
Dropped by
MD5 94fc742fce899d0c370059827b2d86ae

Comments