MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e47bfa7b58706edeeaf73664039c10cb1ff7a517d833c0b28751b835bdc68cf7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RecordBreaker


Vendor detections: 16


Intelligence 16 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e47bfa7b58706edeeaf73664039c10cb1ff7a517d833c0b28751b835bdc68cf7
SHA3-384 hash: dc7575a0cab3577ac2abe2139a81710d9d35f0e46a093b965b2eb311d899487f659ed0a6efc0bba939724179f0fecbaa
SHA1 hash: d89c0480f212fa0eab35dc1c049c409e572c2f09
MD5 hash: 2a1400529544b41c0c7e56a7b91c43f6
humanhash: massachusetts-asparagus-seventeen-hawaii
File name:Trojan-PSW.Win32.Racealer.lly-e47bfa7b58706ed.exe
Download: download sample
Signature RecordBreaker
Create hunting rule
File size:3'434'260 bytes
First seen:2023-01-04 12:10:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 98304:UboDpahPxyFximnbWtg5f4e+QFz6TBQ+/nqVF:USxHnbF5rZFz6TBQEqT
TLSH T1D1F53311BEC045B2E5B22D355A75AB20297D7C306F308EDBA3E42A1D96761C1EB30B76
TrID 91.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.6% (.EXE) Win64 Executable (generic) (10523/12/4)
1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
0.6% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter abuse_ch
Tags:exe recordbreaker


Avatar
abuse_ch
RecordBreaker C2:
185.244.181.112:33056

Intelligence

File Origin
# of uploads :
1
# of downloads :
215
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
socelars
Create hunting rule
ID:
1
File name:
Trojan-PSW.Win32.Racealer.lly-e47bfa7b58706ed.exe
Verdict:
Malicious activity
Analysis date:
2023-01-04 12:10:59 UTC
Tags:
evasion trojan socelars stealer loader rat redline smoke
Link:
https://app.any.run/tasks/0118d1af-c6e6-4d6f-972d-d1f791d3c9f4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/349381/
Detection(s):
Win.Malware.Clipbanker-9873068-0
Create hunting rule

Win.Malware.Generic-9873526-0
Create hunting rule

Win.Malware.Clipbanker-9874840-0
Create hunting rule

Win.Malware.Passteal-9882272-0
Create hunting rule

Win.Malware.Passteal-9882333-0
Create hunting rule

Win.Malware.Nymeria-9883200-0
Create hunting rule

Win.Malware.Chapak-9883695-0
Create hunting rule

SecuriteInfo.com.Trojan.Rasftuby.Gen.14.10239.27368.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file
Creating a process from a recently created file
Launching a process
Sending a custom TCP request
Creating a file in the %temp% subdirectories
DNS request
Sending an HTTP GET request
Searching for the browser window
Using the Windows Management Instrumentation requests
Running batch commands
Creating a process with a hidden window
Reading critical registry keys
Changing a file
Unauthorized injection to a recently created process
Query of malicious DNS domain
Launching a tool to kill processes
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
clipbanker greyware mikey nymeria overlay packed racealer setupapi.dll shdocvw.dll shell32.dll
Link:
https://www.filescan.io/uploads/63b56cd7a70bef46551d05c4/reports/1806ac45-9f29-4a63-a88b-cac3cce95e1d/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Socelars
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f1715452-4b25-41ff-9a54-d783a53ece10
Result
Threat name:
Amadey, FFDroider, ManusCrypt, Nitol, Pr
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1145034
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Creates HTML files with .exe extension (expired dropper behavior)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Disable Windows Defender real time protection (registry)
DLL reload attack detected
Drops PE files to the document folder of the user
Found C&C like URL pattern
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Renames NTDLL to bypass HIPS
Sample is protected by VMProtect
Sets debug register (to hijack the execution of another thread)
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected Amadey bot
Yara detected Amadeys stealer DLL
Yara detected FFDroider
Yara detected ManusCrypt
Yara detected Nitol
Yara detected PrivateLoader
Yara detected Raccoon Stealer v2
Yara detected RedLine Stealer
Yara detected Socelars
Yara detected UAC Bypass using CMSTP
Yara detected Vidar stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 777764 Sample: Trojan-PSW.Win32.Racealer.l... Startdate: 04/01/2023 Architecture: WINDOWS Score: 100 109 google.vrthcobj.com 2->109 111 www.google.com 2->111 113 14 other IPs or domains 2->113 145 Snort IDS alert for network traffic 2->145 147 Malicious sample detected (through community Yara rule) 2->147 149 Antivirus detection for URL or domain 2->149 153 24 other signatures 2->153 11 Trojan-PSW.Win32.Racealer.lly-e47bfa7b58706ed.exe 1 27 2->11         started        14 rundll32.exe 2->14         started        16 nbveek.exe 2->16         started        signatures3 151 System process connects to network (likely due to code injection or exploit) 109->151 process4 file5 89 C:\Users\user\Desktop\pub2.exe, PE32 11->89 dropped 91 C:\Users\user\Desktop\jg3_3uag.exe, PE32 11->91 dropped 93 C:\Users\user\Desktop\KRSetp.exe, PE32 11->93 dropped 95 4 other malicious files 11->95 dropped 18 Info.exe 4 38 11->18         started        23 pub2.exe 11->23         started        25 jg3_3uag.exe 11->25         started        29 6 other processes 11->29 27 rundll32.exe 14->27         started        process6 dnsIp7 115 212.193.30.115, 49757, 49860, 80 SPD-NETTR Russian Federation 18->115 117 136.144.41.201, 80 WORLDSTREAMNL Netherlands 18->117 125 14 other IPs or domains 18->125 67 C:\Users\...\vGM1w11Y2mkJ6eJWSDoW2A8r.exe, PE32 18->67 dropped 69 C:\Users\...\swm5qaLcOKLcVRH5eYvMPA9i.exe, PE32 18->69 dropped 71 C:\Users\...\scxZirgha64GKw6VCyMPQNm6.exe, PE32 18->71 dropped 79 12 other malicious files 18->79 dropped 155 Drops PE files to the document folder of the user 18->155 157 Creates HTML files with .exe extension (expired dropper behavior) 18->157 159 Disable Windows Defender real time protection (registry) 18->159 31 scxZirgha64GKw6VCyMPQNm6.exe 18->31         started        34 Xs3htTLR72gppshR5AUFWg8F.exe 18->34         started        36 c_suyxcGs1alaEo2G3j4Q7UZ.exe 18->36         started        46 3 other processes 18->46 73 C:\Users\user\AppData\Local\Temp\CC4F.tmp, PE32 23->73 dropped 161 DLL reload attack detected 23->161 163 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 23->163 165 Renames NTDLL to bypass HIPS 23->165 179 2 other signatures 23->179 39 explorer.exe 23->39 injected 119 101.36.107.74, 80 UHGL-AS-APUCloudHKHoldingsGroupLimitedHK China 25->119 75 C:\Users\user\Documents\...\jg3_3uag.exe, PE32 25->75 dropped 167 Tries to harvest and steal browser information (history, passwords, etc) 25->167 169 Writes to foreign memory regions 27->169 171 Allocates memory in foreign processes 27->171 173 Creates a thread in another existing process (thread injection) 27->173 41 svchost.exe 27->41 injected 48 4 other processes 27->48 121 www.listincode.com 213.227.149.193, 443, 49717 LEASEWEB-NL-AMS-01NetherlandsNL Netherlands 29->121 123 192.168.2.7 unknown unknown 29->123 127 4 other IPs or domains 29->127 77 C:\Users\user\AppData\Local\Temp\...\File.exe, PE32 29->77 dropped 175 Performs DNS queries to domains with low reputation 29->175 177 Creates processes via WMI 29->177 43 File.exe 13 29->43         started        50 5 other processes 29->50 file8 signatures9 process10 dnsIp11 97 C:\Users\user\AppData\Local\...\is-9S999.tmp, PE32 31->97 dropped 52 is-9S999.tmp 31->52         started        99 C:\Users\user\AppData\Local\...\nbveek.exe, PE32 34->99 dropped 55 nbveek.exe 34->55         started        181 Writes to foreign memory regions 36->181 183 Allocates memory in foreign processes 36->183 185 Injects a PE file into a foreign processes 36->185 187 System process connects to network (likely due to code injection or exploit) 41->187 189 Sets debug register (to hijack the execution of another thread) 41->189 191 Modifies the context of a thread in another process (thread injection) 41->191 59 svchost.exe 41->59         started        135 192.168.2.1 unknown unknown 43->135 137 oldd.webtm.ru 43->137 193 Multi AV Scanner detection for dropped file 43->193 101 C:\Users\user\AppData\Local\Temp\IQQeQe.cpl, PE32 46->101 dropped 195 Detected unpacking (changes PE section rights) 46->195 197 Detected unpacking (overwrites its own PE header) 46->197 139 iplogger.org 148.251.234.83, 443, 49721, 49722 HETZNER-ASDE Germany 50->139 141 www.google.com 142.250.203.100, 443, 49726, 49834 GOOGLEUS United States 50->141 143 5 other IPs or domains 50->143 103 C:\Users\user\AppData\Local\Temp\axhub.dll, PE32 50->103 dropped 105 C:\...\api-ms-win-core-string-l1-1-0.dll, PE32 50->105 dropped 107 C:\...\api-ms-win-core-namedpipe-l1-1-0.dll, PE32 50->107 dropped 61 conhost.exe 50->61         started        file12 signatures13 process14 dnsIp15 81 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 52->81 dropped 83 C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32 52->83 dropped 85 C:\...\unins000.exe (copy), PE32 52->85 dropped 87 3 other files (2 malicious) 52->87 dropped 129 45.32.200.113, 80 AS-CHOOPAUS United States 55->129 131 google.vrthcobj.com 55->131 199 Multi AV Scanner detection for dropped file 55->199 201 Creates an undocumented autostart registry key 55->201 203 Uses schtasks.exe or at.exe to add and modify task schedules 55->203 63 schtasks.exe 55->63         started        133 google.vrthcobj.com 59->133 205 Query firmware table information (likely to detect VMs) 59->205 file16 signatures17 process18 process19 65 conhost.exe 63->65         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e47bfa7b58706edeeaf73664039c10cb1ff7a517d833c0b28751b835bdc68cf7/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-16 21:26:02 UTC
File Type:
PE (Exe)
Extracted files:
183
AV detection:
28 of 40 (70.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4r57u62yobxn52xxgzsahhaqzmp7pjix3az4bmuhkg4dlpogrt3q._file
Verdict:
malicious
Result
Malware family:
socelars
Create hunting rule
Score:
  10/10
Tags:
family:ffdroider family:privateloader family:smokeloader family:socelars backdoor evasion loader persistence spyware stealer trojan vmprotect
Link:
https://tria.ge/reports/230104-pclhnaaf7z/
Behaviour
Checks SCSI registry key(s)
Enumerates system info in registry
Kills process with taskkill
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
AutoIT Executable
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Drops Chrome extension
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
VMProtect packed file
Detects Smokeloader packer
FFDroider
Modifies Windows Defender Real-time Protection settings
PrivateLoader
Process spawned unexpected child process
SmokeLoader
Socelars
Socelars payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
http://www.iyiqian.com/
http://www.xxhufdc.top/
http://www.uefhkice.xyz/
http://www.wygexde.xyz/
http://101.36.107.74
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/1837f99c-5def-424f-bbab-a94303fc543f
Unpacked files
SH256 hash:
67cdc7c5de5e46229adc831dc6fd3053d996ecf02e94706b6b6ae1b0ed976f2c
MD5 hash:
555b5b60b2dcc53e71e6d9ba8302c4b9
SHA1 hash:
550326b1226629a867d4606ad0c98c4ef9596b47
Detections:
win_smokeloader_a2
Create hunting rule
SmokeLoaderStage2
Create hunting rule
Link:
https://www.unpac.me/results/706ddb80-f625-4aec-adc2-bc6060138aed/
Parent samples :
e47bfa7b58706edeeaf73664039c10cb1ff7a517d833c0b28751b835bdc68cf7
32ac0624a534a2c40fb8eba41e80bb1d31b99cd118d42208c89229079699f783
SH256 hash:
8d063d3aef4de69722e7dd08b9bda5fdf20da6d80a157d3f07fa0c3d5407e49d
MD5 hash:
559948db5816ae7ab26eb2eb533887ed
SHA1 hash:
e60442c6fb35239d298b01b0f4558264c01b2e7f
Link:
https://www.unpac.me/results/706ddb80-f625-4aec-adc2-bc6060138aed/
SH256 hash:
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1
MD5 hash:
1c7be730bdc4833afb7117d48c3fd513
SHA1 hash:
dc7e38cfe2ae4a117922306aead5a7544af646b8
Link:
https://www.unpac.me/results/706ddb80-f625-4aec-adc2-bc6060138aed/
SH256 hash:
4d4ad145431ee356221914f2908ff9b4a4a56f90b9409ec752f7be1a978e7435
MD5 hash:
ae7c477ce9bd98d13ccff5fc4a0d190e
SHA1 hash:
249ff902f66c3d0cee6656802b14a9c34807bc8f
Link:
https://www.unpac.me/results/706ddb80-f625-4aec-adc2-bc6060138aed/
SH256 hash:
bc1cbffa62988b6ecef014bc9c95d2beac7f9dd27b253625239687650f1092e7
MD5 hash:
2aff0578f0cc7236195f6e7ef6ae0fcd
SHA1 hash:
d00b3920e214ea8f015bf3bfec44e2d1ae172074
Link:
https://www.unpac.me/results/706ddb80-f625-4aec-adc2-bc6060138aed/
SH256 hash:
7d5310c578b9da33d8998c4517f00e4451c865873e6d33ba6e029e57f5439f6a
MD5 hash:
32cd0748d6b269af6e8f503aff8ee054
SHA1 hash:
11ac1b16cab5c30c91e5c9290e64fa4a5a003f25
Link:
https://www.unpac.me/results/706ddb80-f625-4aec-adc2-bc6060138aed/
SH256 hash:
021f224a62320acde54efdebaf983240ff13f5c1cf36900966ab0e0f58307634
MD5 hash:
ecba72787e060ca7b0eaa42e7279178f
SHA1 hash:
b208a8440add66f6ffe4a74d02fc2a983db9bd79
Detections:
Socelars
Create hunting rule
win_socelars_auto
Create hunting rule
Link:
https://www.unpac.me/results/706ddb80-f625-4aec-adc2-bc6060138aed/
Parent samples :
844131e4d854e4963f3e742809946adb7d3644409a819cce010415d611f2a174
10b52b26be692aea2c0365965a300d479698bdd72910592b55ea42dcb5a29e1b
e47bfa7b58706edeeaf73664039c10cb1ff7a517d833c0b28751b835bdc68cf7
SH256 hash:
4cd30d2f17882a8ed3700bcf0662ab1ac038e4c39d97b0ab6c5a7b1e3cfbf0cd
MD5 hash:
14beb8f26555d7a83c0c8973db5f23a0
SHA1 hash:
b4f7d7301c02be9562c528c9f02bfae80d9ad487
Link:
https://www.unpac.me/results/706ddb80-f625-4aec-adc2-bc6060138aed/
SH256 hash:
ecf1fb4534cd8c5420a9cc5c7d222521d172b66763f5251015bbbbfccc526e52
MD5 hash:
eacf1583233edb645c34c994283521a0
SHA1 hash:
76f210adc43beb0bb5841d7de8a5e22fc00c501b
Detections:
win_ffdroider_w0
Create hunting rule
Link:
https://www.unpac.me/results/706ddb80-f625-4aec-adc2-bc6060138aed/
SH256 hash:
1fca81640b7d41aa9e9647d205324ce60ffca800e8eeff7b8d7aa5f4b2b3ccae
MD5 hash:
318a928fa73c4712e339bcf93fc6319f
SHA1 hash:
2a05581c630cebb3c3f60e28eb94e2482fe77008
Link:
https://www.unpac.me/results/706ddb80-f625-4aec-adc2-bc6060138aed/
SH256 hash:
a1398a08ca925312d2b16888b3be5ea1dec231f6234f887f2a67205883e30769
MD5 hash:
aa437ea75721e0f5daf8d4fde2804ae5
SHA1 hash:
56879d88a997926dbd56b7ef258ad2194703a781
Detections:
PrivateLoader
Create hunting rule
win_privateloader_w0
Create hunting rule
win_privateloader_auto
Create hunting rule
win_privateloader_a0
Create hunting rule
Link:
https://www.unpac.me/results/706ddb80-f625-4aec-adc2-bc6060138aed/
SH256 hash:
bd947eeb649887f8a67027da8753348ed3ef63441ca5893df875fbd5b72cfe62
MD5 hash:
04c9247b0d89407862f2134fd5b47ff2
SHA1 hash:
9fe8134bd39615875645515287c7ebc20a54fa02
Link:
https://www.unpac.me/results/706ddb80-f625-4aec-adc2-bc6060138aed/
SH256 hash:
e47bfa7b58706edeeaf73664039c10cb1ff7a517d833c0b28751b835bdc68cf7
MD5 hash:
2a1400529544b41c0c7e56a7b91c43f6
SHA1 hash:
d89c0480f212fa0eab35dc1c049c409e572c2f09
Link:
https://www.unpac.me/results/706ddb80-f625-4aec-adc2-bc6060138aed/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e47bfa7b58706edeeaf73664039c10cb1ff7a517d833c0b28751b835bdc68cf7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_Chebka
Create hunting rule
Author:ditekSHen
Description:Detects Chebka
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:SUSP_XORed_MSDOS_Stub_Message
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed MSDOS stub message
Reference:https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Rule name:Telegram_Links
Create hunting rule
Rule name:Windows_Trojan_Generic_a681f24a
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/349381/

Comments