MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1ca06fdcde3535302c06a3e448ae72c15006f0653e4775693988510d2a56f91f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ResolverRAT

Vendor detections: 11

Intelligence 11 IOCs YARA 24 File information Comments

SHA256 hash:	1ca06fdcde3535302c06a3e448ae72c15006f0653e4775693988510d2a56f91f
SHA3-384 hash:	6665190600cbff5ef4f1c4a03c8306d994ba538a50ce7dc3b22235b38d03b790964289d1eca68e16cb6bd0dac8ccbec2
SHA1 hash:	e7b4aadb8f0715ba1f8ecf5c34364e25e9508cd2
MD5 hash:	f1c6fa77fb988c55b569f42752c97397
humanhash:	triple-east-oranges-lemon
File name:	f1c6fa77fb988c55b569f42752c97397.exe
Download:	download sample
Signature	ResolverRAT Create hunting rule
File size:	58'453'504 bytes
First seen:	2025-06-16 12:06:01 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	b88b26d50717225c0b69c16621a27b41 (3 x ResolverRAT)
ssdeep	786432:0eYXSGTAyfHgZUADoUJB0gN17TCuFeeyuTZAYRki9iSPFkGx:0MGcr9DoUUgNhCuF/yIZAYRki9iNI
Threatray	291 similar samples on MalwareBazaar
TLSH	T173D78D23B8415035D7D343B2CEADB9689AFCAE30037595E7579C2C55ABB18D2B332683
TrID	53.5% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9) 13.5% (.EXE) Win64 Executable (generic) (10522/11/4) 12.8% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2) 6.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 5.7% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
dhash icon	2959b92c20b8b206 (3 x ResolverRAT)
Reporter	abuse_ch
Tags:	exe ResolverRAT

Intelligence

File Origin

# of uploads :

# of downloads :

398

Origin country :

Vendor Threat Intelligence

Malware family:

asyncrat

ID:

File name:

f1c6fa77fb988c55b569f42752c97397.exe

Verdict:

Malicious activity

Analysis date:

2025-06-16 12:27:31 UTC

Tags:

nodejs stealer auto-reg netreactor purehvnc rat asyncrat remote

Link:

https://app.any.run/tasks/7d762d0a-8a5f-43fb-b1f9-cc33fe84ed8f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict:

Malicious

Score:

81.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=685008cd8bd5d68a12e8d1ad

Tags:

malware

Result

Verdict:

Malware

Maliciousness:

Verdict:

Malicious

Labled as:

QD:Trojan.GenericQ

Link:

https://www.hybrid-analysis.com/sample/1ca06fdcde3535302c06a3e448ae72c15006f0653e4775693988510d2a56f91f

Result

Threat name:

PureCrypter, ResolverRAT

Detection:

malicious

Classification:

evad.troj.spyw

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1715425

Signature

Allocates memory in foreign processes

Detected PureCrypter Trojan

Drops PE files to the document folder of the user

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries memory information (via WMI often done to detect virtual machines)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Suricata IDS alerts for network traffic

Tries to harvest and steal Bitcoin Wallet information

Writes to foreign memory regions

Yara detected ResolverRAT

Behaviour

Behavior Graph:

Download SVG

Score:

Verdict:

Benign

File Type:

Link:

https://malprob.io/report/1ca06fdcde3535302c06a3e448ae72c15006f0653e4775693988510d2a56f91f

Gathering data

Threat name:

Win32.Trojan.Kepavll

Status:

Malicious

First seen:

2025-06-04 20:32:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

15 of 24 (62.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=dsqg7xg6gu2talagupserltsyfian4dfhzdxk2jzrbiq2ksw7epq._file

Verdict:

malicious

Label(s):

resolverrat

unc_loader_044

ResolverRAT

1ca06fdcde3535302c06a3e448ae72c15006f0653e4775693988510d2a56f91f

ResolverRAT

1ecc353c089e2581af25543adfbcf3d1600d622c5f908a4012e2f73b6d38fc3f

ResolverRAT

457c8b3a3be87e9f6268be29ee37e5f5fbc6a6848094416ba1f4c8797c4d7380

ResolverRAT

8c4e2908eebef7809f904d0e93851ab9397db0693c989dc9c83e840c927d3dc8

ResolverRAT

963dea75e95d8f622ca0e412b8e7dfdc558f172856351cd5ddf8e9346de41b17

ResolverRAT

9bba145cc6507236b26e3b1cc0e91e03a4a12299d57573a0679e6c50b7413b06

ResolverRAT

error

ResolverRAT

+ 281 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

6/10

Tags:

discovery persistence

Link:

https://tria.ge/reports/250616-n9w5zsxms3/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Adds Run key to start application

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/9d60d115-6880-4398-aaf4-e8b55e415dc8

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	botnet_plaintext_c2 Create hunting rule
Author:	cip
Description:	Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.

Rule name:	Check_OutputDebugStringA_iat Create hunting rule

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Thread Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	dependsonpythonailib Create hunting rule
Author:	Tim Brown
Description:	Hunts for dependencies on Python AI libraries

Rule name:	Detect_PowerShell_Obfuscation Create hunting rule
Author:	daniyyell
Description:	Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	Indicator_MiniDumpWriteDump Create hunting rule
Author:	Obscurity Labs LLC
Description:	Detects PE files and PowerShell scripts that use MiniDumpWriteDump either through direct imports or string references

Rule name:	ldpreload Create hunting rule
Author:	xorseed
Reference:	https://stuff.rop.io/

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	reverse_http Create hunting rule
Author:	CD_R0M_
Description:	Identify strings with http reversed (ptth)

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	SHA512_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA384/SHA512 constants

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	test_Malaysia Create hunting rule
Author:	rectifyq
Description:	Detects file containing malaysia string

Rule name:	vmdetect Create hunting rule
Author:	nex
Description:	Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Reviews

ID	Capabilities	Evidence
AUTH_API	Manipulates User Authorization	ADVAPI32.dll::ConvertSidToStringSidW ADVAPI32.dll::ConvertStringSecurityDescriptorToSecurityDescriptorW ADVAPI32.dll::ConvertStringSidToSidW ADVAPI32.dll::CopySid ADVAPI32.dll::CreateWellKnownSid ADVAPI32.dll::EqualSid
MULTIMEDIA_API	Can Play Multimedia	WINMM.dll::midiInAddBuffer WINMM.dll::midiInClose WINMM.dll::midiInGetDevCapsW WINMM.dll::midiInGetErrorTextW WINMM.dll::midiInGetID WINMM.dll::midiInGetNumDevs
SECURITY_BASE_API	Uses Security Base API	ADVAPI32.dll::CreateRestrictedToken ADVAPI32.dll::DuplicateToken ADVAPI32.dll::DuplicateTokenEx ADVAPI32.dll::GetKernelObjectSecurity ADVAPI32.dll::GetTokenInformation ADVAPI32.dll::ImpersonateAnonymousToken
SHELL_API	Manipulates System Shell	SHELL32.dll::ShellExecuteExW SHELL32.dll::ShellExecuteW SHELL32.dll::SHFileOperationW SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_API	Can Create Process and Threads	ADVAPI32.dll::CreateProcessAsUserW KERNEL32.dll::CreateRemoteThread KERNEL32.dll::CreateProcessW ADVAPI32.dll::OpenProcessToken KERNEL32.dll::OpenProcess ADVAPI32.dll::SetThreadToken
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::GetCommModemStatus KERNEL32.dll::LoadLibraryW KERNEL32.dll::LoadLibraryExW KERNEL32.dll::LoadLibraryA KERNEL32.dll::LoadLibraryExA
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::AllocConsole KERNEL32.dll::AttachConsole KERNEL32.dll::WriteConsoleW KERNEL32.dll::AssignProcessToJobObject KERNEL32.dll::GetConsoleScreenBufferInfo
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CopyFileW KERNEL32.dll::CreateDirectoryW KERNEL32.dll::CreateFileW KERNEL32.dll::CreateFileMappingW KERNEL32.dll::CreateFileA KERNEL32.dll::DeleteFileW KERNEL32.dll::DeleteFileA
WIN_BASE_USER_API	Retrieves Account Information	ADVAPI32.dll::LookupPrivilegeValueW KERNEL32.dll::QueryDosDeviceW
WIN_CRYPT_API	Uses Windows Crypt API	ADVAPI32.dll::CryptAcquireContextW ADVAPI32.dll::CryptCreateHash ADVAPI32.dll::CryptGenRandom ADVAPI32.dll::CryptGetHashParam ADVAPI32.dll::CryptSignHashW
WIN_REG_API	Can Manipulate Windows Registry	ADVAPI32.dll::RegCreateKeyExW ADVAPI32.dll::RegDeleteKeyW ADVAPI32.dll::RegDisablePredefinedCache ADVAPI32.dll::RegNotifyChangeKeyValue ADVAPI32.dll::RegOpenKeyExW ADVAPI32.dll::RegQueryInfoKeyW
WIN_SOCK_API	Uses Network to send and receive data	WS2_32.dll::freeaddrinfo WS2_32.dll::getaddrinfo WS2_32.dll::WSACloseEvent WS2_32.dll::WSACreateEvent WS2_32.dll::WSAEnumNetworkEvents WS2_32.dll::WSAEventSelect
WIN_USER_API	Performs GUI Actions	USER32.dll::CloseDesktop USER32.dll::EmptyClipboard USER32.dll::FindWindowExW USER32.dll::FindWindowW USER32.dll::OpenClipboard USER32.dll::OpenInputDesktop

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample