MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e00609f98a5ce391934710a1a47f748bb063ae939555e1cb491c4e5cff69fa97. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 9

Intelligence 9 IOCs YARA 3 File information Comments

SHA256 hash:	e00609f98a5ce391934710a1a47f748bb063ae939555e1cb491c4e5cff69fa97
SHA3-384 hash:	c1f18e7080d736f68c7891cf4a217a30888cf11e16450e61dbb85e5e08863fa8a6d93799fc67f402567dc6a71eea0947
SHA1 hash:	4c2d403aecbb0e2bbc3549327fdde8d31caf1a84
MD5 hash:	09d605c20a1de79592e839c6d78e5d3f
humanhash:	potato-failed-alpha-romeo
File name:	radarinstaller.exe
Download:	download sample
File size:	11'990'127 bytes
First seen:	2023-01-18 22:07:53 UTC
Last seen:	2023-08-25 15:42:48 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	8708d1fe1b5ff509570e29ce51663405 (1 x RedLineStealer, 1 x AgentTesla)
ssdeep	196608:d5gk9KH9qVm914RCgso1dTC6fOC76B0Jf067YhDrXrbUWh:4eKdcP1dTCcObobSnTh
Threatray	73 similar samples on MalwareBazaar
TLSH	T13DC6D0217686C43BD56A01B1692CDA9F5228BF721BB254D773CC3E7F1AB45C20632E27
TrID	58.0% (.CPL) Windows Control Panel Item (generic) (197083/11/60) 34.3% (.OCX) Windows ActiveX control (116521/4/18) 3.0% (.EXE) Win64 Executable (generic) (10523/12/4) 1.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 1.3% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	6ded69c7b130b2c0 (12 x CryptBot, 8 x ValleyRAT, 4 x NetSupport)
Reporter	Anonymous
Tags:	exe fragtor

Anonymous

Trojan.Fragtor.D26B3B

Intelligence

File Origin

# of uploads :

# of downloads :

281

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

radarinstaller.exe

Verdict:

Malicious activity

Analysis date:

2023-01-18 21:03:15 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/a02c239d-7d4e-40fd-b351-45494c881956

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/354272/

Detection(s):

SecuriteInfo.com.Variant.Fragtor.158523.27493.24394.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Searching for the window

Creating a file in the %AppData% subdirectories

Searching for synchronization primitives

Creating a file in the %temp% directory

Creating a file

Sending a custom TCP request

Verdict:

No Threat

Threat level:

2/10

Confidence:

80%

Tags:

evasive fingerprint greyware msiexec.exe overlay packed setupapi.dll shell32.dll

Link:

https://www.filescan.io/uploads/63c86dc6bda854045c1935ce/reports/1baf1599-fb1b-4086-b0bf-8c8eb6a0cbb9/overview

Result

Verdict:

MALICIOUS

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8ed9426c-e783-47fd-be0b-654263ada42f

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e00609f98a5ce391934710a1a47f748bb063ae939555e1cb491c4e5cff69fa97/

Threat name:

Win32.Trojan.Fragtor

Status:

Malicious

First seen:

2023-01-17 22:06:22 UTC

File Type:

PE (Exe)

Extracted files:

233

AV detection:

10 of 26 (38.46%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=4adat6mkltrzde2hccq2i73uroyghlutsvk6ds2jdrhfz73j7klq._file

Verdict:

malicious

42e369c8a08e42bb7ca81f3b4598b1352766fd602c32adc21cd5f1afab85f7f3

446736e381fa8942f8d32cb4f2ae8fb6a9245fa0e70b7f7298ee7a5cb6fe9f32

4f6cb888a4dfade727490683feaee96679d7044f0181799c18a8c7060cb8dab3

96f69fe5148b0838909afe927aa280b4919b7f12b1593ed4a461de49fa725b1b

ceba6a7f9a2c25a35090470c6209aefed808786c47194a18415a7898390c20cb

+ 63 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/230118-118hwaba92/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Enumerates connected drives

Loads dropped DLL

Unpacked files

SH256 hash:

e00609f98a5ce391934710a1a47f748bb063ae939555e1cb491c4e5cff69fa97

MD5 hash:

09d605c20a1de79592e839c6d78e5d3f

SHA1 hash:

4c2d403aecbb0e2bbc3549327fdde8d31caf1a84

Link:

https://www.unpac.me/results/8dd35a8d-7b7d-4192-bf64-03f9163a8eed/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e00609f98a5ce391934710a1a47f748bb063ae939555e1cb491c4e5cff69fa97

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	APT_Sandworm_ArguePatch_Apr_2022_1 Create hunting rule
Author:	Arkbird_SOLG
Description:	Detect ArguePatch loader used by Sandworm group for load CaddyWiper
Reference:	https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe e00609f98a5ce391934710a1a47f748bb063ae939555e1cb491c4e5cff69fa97

(this sample)

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/354272/

URLhaus

https://urlhaus.abuse.ch/url/2511856/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample