MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2982280afdfbc8b6dd5184297227f7b9dc534430858e3f4844d5a8af15ce403e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ResolverRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2982280afdfbc8b6dd5184297227f7b9dc534430858e3f4844d5a8af15ce403e
SHA3-384 hash: c9454fa15cadc634f2cb8cfc011b653c88c09b19d19d1174056dfafba3ec28a24f43f874f2163043a15bb38a27aeec9a
SHA1 hash: 73fe0e462728e3cd62aeb1d256ebb0e61b446726
MD5 hash: d7bf5ed732671ee0607335db1e65f690
humanhash: washington-edward-may-diet
File name:SecuriteInfo.com.Win32.MalwareX-gen.19349.19684
Download: download sample
Signature ResolverRAT
Create hunting rule
File size:324'096 bytes
First seen:2025-06-04 09:47:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 6144:dXX8JXQbbJKYqSXog6Mb5Z/T+sswN76m6RYlEIDKKvFHU3BuujDd/PsJIJVx:lYAbbJIS7JbP/Zsw/PlEIuKtURuSD99P
Threatray 283 similar samples on MalwareBazaar
TLSH T10D64230019EDD317EAC409B4527F428E033ABB6178E5D7B67C9E45823D3B38726979D2
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter SecuriteInfoCom
Tags:exe ResolverRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
464
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Win32.MalwareX-gen.19349.19684
Verdict:
Malicious activity
Analysis date:
2025-06-04 10:46:29 UTC
Tags:
stealer purehvnc
Link:
https://app.any.run/tasks/7fbeb560-a61b-4a7c-8e26-b4b9ec9a6cb4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/7247/
Verdict:
Clean
Score:
84.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=684017558bd5d68a12e51051
Tags:
n/a
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Connecting to a non-recommended domain
Connection attempt
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
base64 obfuscated obfuscated packed packed packer_detected
Link:
https://www.filescan.io/uploads/6840166b171e01f95935a4b7/reports/019de5c1-7dfb-4ab2-ab57-c971a25da0b4/overview
Verdict:
Malicious
Labled as:
Jalapeno.Generic
Link:
https://www.hybrid-analysis.com/sample/2982280afdfbc8b6dd5184297227f7b9dc534430858e3f4844d5a8af15ce403e
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/cfc6ba76-2de2-4a82-91f0-3a4ca159e52a
Result
Threat name:
PureCrypter, ResolverRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1705748
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Connects to many ports of the same IP (likely port scanning)
Detected PureCrypter Trojan
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Uses threadpools to delay analysis
Yara detected ResolverRAT
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/2982280afdfbc8b6dd5184297227f7b9dc534430858e3f4844d5a8af15ce403e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2982280afdfbc8b6dd5184297227f7b9dc534430858e3f4844d5a8af15ce403e/
Threat name:
ByteCode-MSIL.Trojan.Jalapeno
Create hunting rule
Status:
Malicious
First seen:
2025-06-04 09:48:25 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
31 of 38 (81.58%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fgbcqcx57pelnxkrqquxej7xxhofgrbqqwhd6sce2wuk6fooia7a._file
Verdict:
malicious
Label(s):
resolverrat
Create hunting rule
unc_loader_044
Create hunting rule
Similar samples:
40dfa88543539053fe9175c88cb958b494d78f3fca793ea482ded480a30212a1
ResolverRAT
457c8b3a3be87e9f6268be29ee37e5f5fbc6a6848094416ba1f4c8797c4d7380
ResolverRAT
9861b4a602eee6742bfcb24f2d262a67f0dc768826e1be1acc3ba84c4a15d0f5
ResolverRAT
b221883a446ba878919607ee77399c3a57d671f7a0ce125b8cd2339fe9ecd633
ResolverRAT
dc496f12d56a2118fd804e0ea7c33d873ce053cd6ebb7cd91e0ee1f16f0059d3
ResolverRAT
error
ResolverRAT
f7868fe2fc9c0e91175219fc893e06ea4001e6c1de3ac33552ac85588e1c9f7d
ResolverRAT
+ 273 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
discovery
Link:
https://tria.ge/reports/250604-lsyalsvns5/
Behaviour
System Location Discovery: System Language Discovery
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/dc65e931-6ea0-4efa-aa24-0ddeb2b1ffc0
Unpacked files
SH256 hash:
2982280afdfbc8b6dd5184297227f7b9dc534430858e3f4844d5a8af15ce403e
MD5 hash:
d7bf5ed732671ee0607335db1e65f690
SHA1 hash:
73fe0e462728e3cd62aeb1d256ebb0e61b446726
Link:
https://www.unpac.me/results/1502a4a6-f44a-4f78-8749-3870aafbe161/
SH256 hash:
f6641dd761aae135cd8e293594adba22a07992c24a720fbf731f074b2a8d0431
MD5 hash:
19d615923a80e6676ba67786d34727c4
SHA1 hash:
4edec46f9657537906279082e9d31f1cadca81dc
Link:
https://www.unpac.me/results/1502a4a6-f44a-4f78-8749-3870aafbe161/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2982280afdfbc8b6dd5184297227f7b9dc534430858e3f4844d5a8af15ce403e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ResolverRAT

Executable exe 2982280afdfbc8b6dd5184297227f7b9dc534430858e3f4844d5a8af15ce403e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3558080/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/7247/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments