MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1ecc353c089e2581af25543adfbcf3d1600d622c5f908a4012e2f73b6d38fc3f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



ResolverRAT


Vendor detections: 11

SHA256 hash: 1ecc353c089e2581af25543adfbcf3d1600d622c5f908a4012e2f73b6d38fc3f
SHA3-384 hash: f51ebdd761c8f7a8a8842b5f2d2fb639b1e215fae1e9d9e2b178cf3e6c72f8423a377ca1152475e37e0567fa9d4ca722
SHA1 hash: 7303523b1d86d89ba5c48e19a1957259275a6349
MD5 hash: c7bf7ee6dd69677b2733badee854c7d1
humanhash: utah-orange-chicken-oxygen
File name: qyWSUTe.bat
Signature: ResolverRAT
File size: 1'239 bytes
First seen: 2025-05-26 15:13:34 UTC
Last seen: Never
File type: Batch (bat)
MIME type: text/x-msdos-batch
ssdeep: 24:85CE3w+E3VacnGQO7g4atljDjVWpYVdB0TljD9s97c/fUf+4/JH1E3qafljD7:eV3w530oGr7g4atlHpWkBMlH9l/8m4U5
Threatray: 262 similar samples on MalwareBazaar
TLSH: T1E92178203EA90C7F432231BA42C4817DD8E5F79999105B6471EC0D85531DBA61BEEEBC
Magika: batch
Reporter: abuse_ch
Tags: bat, ResolverRAT

Intelligence


File Origin
# of uploads: 1
# of downloads: 112
Origin country: NL
Vendor Threat Intelligence

Malware family:
ID: 1
File name: random.exe
Verdict: Malicious activity
Analysis date: 2025-05-25 15:43:46 UTC
Tags: auto-sch amadey loader botnet stealer rdp stegocampaign ta558 apt payload reverseloader lumma telegram xmrig arch-exec antivm

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 90.2%
Tags: shell spawn sage
Result
Verdict: Malware
Maliciousness:
Behaviour
Running batch commands
Searching for the window
Launching a process
Creating a file
Connection attempt to an infection source
DNS request
Connection attempt
Sending an HTTP GET request
Creating a process from a recently created file
Creating synchronization primitives
Sending a custom TCP request
Query of malicious DNS domain
Sending a TCP request to an infection source
Unauthorized injection to a system process
Result
Threat name: PureCrypter, ResolverRAT
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Allocates memory in foreign processes
Detected PureCrypter Trojan
Found direct / indirect Syscall (likely to bypass EDR)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for dropped file
Powershell drops PE file
Uses threadpools to delay analysis
Writes to foreign memory regions
Yara detected ResolverRAT
Behaviour
Behavior Graph (ID 1699353; sample qyWSUTe.bat; start date 26/05/2025; architecture WINDOWS; score 100), flattened here as a process tree with the signatures, dropped files and network endpoints attached to each node:

qyWSUTe.bat
    DNS: getbae-ai.com
    Signatures: Multi AV Scanner detection for dropped file; Yara detected ResolverRAT; .NET source code contains potential unpacker; 2 other signatures
    cmd.exe
        cmd.exe
            vnch.exe
                Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes; Found direct / indirect Syscall (likely to bypass EDR)
                InstallUtil.exe
                    Network: 45.141.87.200, 49687, 49695, 49697, CLOUDBACKBONERU, Russian Federation
                    Signatures: Found many strings related to Crypto-Wallets (likely being stolen); Uses threadpools to delay analysis; Detected PureCrypter Trojan
                conhost.exe
                AddInProcess32.exe
            powershell.exe
                Dropped: C:\winsystem\vnch4\vnch.exe, PE32+; C:\winsystem\vnch4\msys-ncursesw6.dll, PE32+; C:\winsystem\vnch4\msys-2.0.dll, PE32+
                Signatures: Loading BitLocker PowerShell Module; Powershell drops PE file
            curl.exe
                Network: getbae-ai.com 172.86.82.131, 443, 49683, M247GB, United States; 127.0.0.1 unknown unknown
            conhost.exe
        conhost.exe
    svchost.exe
Threat name: Script-BAT.Downloader.AsyncRAT
Status: Malicious
First seen: 2025-05-25 18:46:51 UTC
File Type: Text (Batch)
AV detection: 8 of 38 (21.05%)
Threat level: 3/5
Result
Malware family: n/a
Score: 7/10
Tags: discovery execution
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Executes dropped EXE
Loads dropped DLL
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: ResolverRAT
File type: Batch (bat)
SHA256: 1ecc353c089e2581af25543adfbcf3d1600d622c5f908a4012e2f73b6d38fc3f (this sample)

Delivery method
Distributed via web download

Comments