MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 05305ca0ea5b5882c399450974bed845fdc6560a0c5c6a7dfe14daf00f6e9385. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry
DCRat
Vendor detections: 18

SHA256 hash: 05305ca0ea5b5882c399450974bed845fdc6560a0c5c6a7dfe14daf00f6e9385
SHA3-384 hash: b0d584059d03bd4512f3a0b63664f2dda16decee27954be41bf6ff7dabd68e015c2a80d1fcc36e6bf78f8db588f9a3c9
SHA1 hash: 3d4b1b67092b5ca0df36cdf703a515f8b0333ad1
MD5 hash: 3fd7bf5bdabcf6b20768b350bbd10bb2
humanhash: ohio-failed-cardinal-quiet
File name: 3fd7bf5bdabcf6b20768b350bbd10bb2.exe
Signature: DCRat
File size: 3'549'184 bytes
First seen: 2024-08-26 00:50:11 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep: 49152:9KhzR9pXYH0nl/c18HxTfH7sfZ1LtiwjDG8JCOZrt7QuQuph8:9KVP//c18RE7Y0BiuJpq
TLSH: T190F5E001BE44CE11F0991A33E3FF45488BB099516AA6E32B7DBA376D1A113973C1D9CB
TrID: 51.8% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      22.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      7.4% (.EXE) Win64 Executable (generic) (10523/12/4)
      4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      3.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika: pebin
Reporter: abuse_ch
Tags: DCRat exe

abuse_ch
DCRat C2:
http://a1021292.xsph.ru/de38ef2b.php

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                                    ThreatFox Reference
http://a1021292.xsph.ru/de38ef2b.php   https://threatfox.abuse.ch/ioc/1316272/

Intelligence


File Origin
# of uploads: 1
# of downloads: 470
Origin country: NL
Vendor Threat Intelligence
Malware family:
ID: 1
File name: 3fd7bf5bdabcf6b20768b350bbd10bb2.exe
Verdict: Malicious activity
Analysis date: 2024-08-26 00:50:49 UTC
Tags: rat dcrat remote darkcrystal netreactor susp-powershell wmi-base64

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.1%
Tags: Execution Static Stealth Msil
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating synchronization primitives
Creating a window
Creating a file
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
Creating a process from a recently created file
DNS request
Connecting to a non-recommended domain
Connection attempt
Restart of the analyzed sample
Launching a process
Blocking the User Account Control
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-vm cmd cscript explorer lolbin net_reactor obfuscated packed schtasks vbnet
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Disable UAC(promptonsecuredesktop)
Disables UAC (registry)
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected DCRat
Behaviour
Behavior Graph (ID 1498809, sample p7oBHwDt23.exe, start date 26/08/2024, architecture WINDOWS, score 100): p7oBHwDt23.exe contacts a1021292.xsph.ru (141.8.197.42, SPRINTHOSTRU, Russian Federation), drops a PE32 executable (da70ba5dea6a6dd8f6...a92bc21d436099c.exe, plus its Zone.Identifier stream) and a series of GUID-named .vbs files, and starts wscript.exe, which in turn relaunches p7oBHwDt23.exe in a repeating chain. Signatures attached to the graph nodes: Multi AV Scanner detection for domain / URL, Suricata IDS alerts for network traffic, Found malware configuration, 15 other signatures, Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines), Disables UAC (registry), Disable UAC(promptonsecuredesktop), Windows Scripting host queries suspicious COM object (likely to drop second stage).
Threat name: ByteCode-MSIL.Backdoor.DCRat
Status: Malicious
First seen: 2024-08-23 12:52:17 UTC
File Type: PE (.Net Exe)
AV detection: 33 of 38 (86.84%)
Threat level: 5/5
Verdict: malicious
Result
Malware family:
Score: 10/10
Tags: family:dcrat evasion infostealer rat trojan
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Checks whether UAC is enabled
Checks computer location settings
DCRat payload
DcRat
UAC bypass
Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BAZT_B5_NOCEXInvalidStream
Rule name: DotNet_Reactor
Author: @bartblaze
Description: Identifies .NET Reactor, which offers .NET code protection such as obfuscation, encryption and so on.
Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants
Rule name: NET
Author: malware-lu
Rule name: pe_imphash
Rule name: PureCrypter
Author: @bartblaze
Description: Identifies PureCrypter, .NET loader and obfuscator.
Reference: https://malpedia.caad.fkie.fraunhofer.de/details/win.purecrypter
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a Binary Linter that checks the security properties and capabilities of executables.

Findings
ID                          Title                                                    Severity
CHECK_AUTHENTICODE          Missing Authenticode                                     high
CHECK_DLL_CHARACTERISTICS   Missing dll Security Characteristics (HIGH_ENTROPY_VA)   high