MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0bf636489b239160bcd7a08ded2f7f8ba0fecf881828794d141223533a912c23. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ResolverRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0bf636489b239160bcd7a08ded2f7f8ba0fecf881828794d141223533a912c23
SHA3-384 hash: 44aad530ef204f6f1f99e1d0ff0c4ecf2e0a8c7aa5e47d77e805c3327f0000de5706ed1a758bbd8db25a60b018c1db7d
SHA1 hash: eba85d3a046812d91bdfec14564300519482877e
MD5 hash: 7afa30350b5b75db348fdf47360a0166
humanhash: skylark-kentucky-butter-spring
File name:file
Download: download sample
Signature ResolverRAT
Create hunting rule
File size:12'925'842 bytes
First seen:2025-12-09 14:38:00 UTC
Last seen:2025-12-10 06:51:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e8ac1646024d52d1534a88da2e8037cd (9 x OffLoader, 9 x HijackLoader, 7 x ValleyRAT)
ssdeep 393216:HDKX8q7o6NK9lvm7dW20hJnX/kBIrmvGfxKozUH2HbV2:4bK9lvwdn0hJvkKVfkTH27V2
Threatray 468 similar samples on MalwareBazaar
TLSH T132D62323B28E273DE07A4A364972A945553FAA61A11F8CA3D6F40D4CCF2D4601E6FF17
TrID 60.0% (.EXE) Inno Setup installer (107240/4/30)
23.2% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
5.8% (.EXE) Win64 Executable (generic) (10522/11/4)
3.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
2.5% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter Bitsight
Tags:dropped-by-amadey exe fbf543 ResolverRAT


Avatar
Bitsight
url: http://178.16.55.189/files/8352719041/L9LocW2.exe

Intelligence

File Origin
# of uploads :
11
# of downloads :
117
Origin country :
US US
Vendor Threat Intelligence
Details
Link:
https://research.acce.ciphertechsolutions.com/results/6276c4f5-1bad-4b04-8f94-963a2e0ddafd/
Malware family:
n/a
ID:
1
File name:
0bf636489b239160bcd7a08ded2f7f8ba0fecf881828794d141223533a912c23.bin.exe
Verdict:
Malicious activity
Analysis date:
2025-12-09 13:58:23 UTC
Tags:
zgrat netreactor purehvnc
Link:
https://app.any.run/tasks/c9fd02d8-78f5-42e5-abc8-6c1f2a250b71

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/44000/
Detection(s):
SecuriteInfo.com.FileRepMalware.94413634.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6938345ea675b653bd0f65e9
Tags:
shellcode asyncrat keylog virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Moving a file to the %temp% subdirectory
Launching a process
Creating a process with a hidden window
Loading a suspicious library
Creating a file
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Connection attempt
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adaptive-context embarcadero_delphi fingerprint inno installer installer installer-heuristic overlay packed
Link:
https://www.filescan.io/uploads/693834591eac7b9b76a1ca54/reports/995237d3-4469-496a-9c0a-dec0e019d564/overview
Verdict:
Suspicious
Labled as:
Backdoor.MSIL.XWorm.gen
Link:
https://www.hybrid-analysis.com/sample/0bf636489b239160bcd7a08ded2f7f8ba0fecf881828794d141223533a912c23
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-12-09T12:13:00Z UTC
Last seen:
2025-12-11T08:31:00Z UTC
Hits:
~100
Detections:
Trojan-PSW.Win32.Stealer.sb Trojan.Win32.Shellcode.sb Trojan.Win32.Shellcode.jhr Trojan-PSW.Win32.Coins.sb Trojan.MSIL.Donut.sb Trojan.MSIL.Crypt.sb PDM:Trojan.Win32.Generic HEUR:Trojan.MSIL.Agent.gen Backdoor.MSIL.Agent.sb
Link:
https://opentip.kaspersky.com/0bf636489b239160bcd7a08ded2f7f8ba0fecf881828794d141223533a912c23/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/6dc3a2a5-a6c7-4991-aa4b-40e323d052dc
Score:
86%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/0bf636489b239160bcd7a08ded2f7f8ba0fecf881828794d141223533a912c23
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/7afa30350b5b75db348fdf47360a0166
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0bf636489b239160bcd7a08ded2f7f8ba0fecf881828794d141223533a912c23/
Verdict:
Susipicious
Link:
https://tip.neiki.dev/file/0bf636489b239160bcd7a08ded2f7f8ba0fecf881828794d141223533a912c23
Threat name:
Win32.Trojan.Sonbokli
Create hunting rule
Status:
Malicious
First seen:
2025-12-09 13:58:24 UTC
File Type:
PE (Exe)
AV detection:
17 of 37 (45.95%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bp3dmse3eoiwbpgxucg62l37roqp5t4idauhstiucirvgourfqrq._file
Verdict:
malicious
Label(s):
unc_loader_078
Create hunting rule
Similar samples:
0bf636489b239160bcd7a08ded2f7f8ba0fecf881828794d141223533a912c23
ResolverRAT
4ceec9e93a1021697e5e23ac3e67cf886dadf683e3ddc40f7a2c770115027cbd
ResolverRAT
857e90a2dd27c9a704cd80e71ffbe8c8f116b427320478e4fd2848d40080d70d
ResolverRAT
9e655b6372ef19cce9713a211eb47b875a52671ae7d885602e874e6ee0adeb02
ResolverRAT
a9cbc9ef4eae8d3c279ccf6322af7423193bcd71cabf4b5daf90e9794047d145
ResolverRAT
bf6e0c343ec5053da9bd0d0fa577839f017edc9a6e760bb611fb13424e621351
ResolverRAT
bfc96abe978e154086f793062458b43ca9d570fd8c62c47c0d4ad0d3e1edbbaf
ResolverRAT
ce50b4d9c84e5d113361ed821f86fef6f509a04cfac76f003f25a2aaec49954f
ResolverRAT
error
ResolverRAT
f537de2f844b1e24a1f29744ff459850a99ce22f1e5eeeeb09de99f7bdddb3a3
ResolverRAT
+ 458 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery installer
Link:
https://tria.ge/reports/251209-rzttnazmdq/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Inno Setup is an open-source installation builder for Windows applications.
System Location Discovery: System Language Discovery
Executes dropped EXE
Loads dropped DLL
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/7759a53a-bfd9-40eb-b51a-dd7318f14741
Unpacked files
SH256 hash:
0bf636489b239160bcd7a08ded2f7f8ba0fecf881828794d141223533a912c23
MD5 hash:
7afa30350b5b75db348fdf47360a0166
SHA1 hash:
eba85d3a046812d91bdfec14564300519482877e
Link:
https://www.unpac.me/results/9112831c-8024-4313-83bd-3f489490c69d/
SH256 hash:
430d27f82440d13c895fb39c36340b1bb10e6edf7c42c4a40f6016d9dcc50915
MD5 hash:
95528ffcc73c0a0c7f4af82615f79947
SHA1 hash:
4046fe4cb61f344f9851cbc4d10e83bd80030999
Link:
https://www.unpac.me/results/9112831c-8024-4313-83bd-3f489490c69d/
SH256 hash:
388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95
MD5 hash:
e4211d6d009757c078a9fac7ff4f03d4
SHA1 hash:
019cd56ba687d39d12d4b13991c9a42ea6ba03da
Link:
https://www.unpac.me/results/9112831c-8024-4313-83bd-3f489490c69d/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0bf636489b23/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0bf636489b239160bcd7a08ded2f7f8ba0fecf881828794d141223533a912c23

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:Windows_Generic_Threat_c9003b7b
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ResolverRAT

Executable exe 0bf636489b239160bcd7a08ded2f7f8ba0fecf881828794d141223533a912c23

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3729964/
Cape
Cape
https://www.capesandbox.com/analysis/44000/
  
URLhaus
https://urlhaus.abuse.ch/url/3730026/
  
URLhaus
https://urlhaus.abuse.ch/url/3730355/

Comments