MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 312f91c7df05769397ae4813e57059077535302f7eec6e789860695c4719cb88. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 312f91c7df05769397ae4813e57059077535302f7eec6e789860695c4719cb88
SHA3-384 hash: 076a5939d07f471b12a8a831fa3c25beea3744266d7c82c0bd972f29d3b333040f8e185c590c1793e58aabb2f93d1a3b
SHA1 hash: de92633e327257f701a450ae21e32e88bb709e5e
MD5 hash: a14b19a3fab75fd6ef1504b29ba56e1d
humanhash: lemon-oven-tennessee-spaghetti
File name:decode_df6bc9f0e951924b983b0bbcdd9e62e52dda0db020418e35bc5fae82c48d1bcc
Download: download sample
File size:44'032 bytes
First seen:2023-08-30 14:16:37 UTC
Last seen:2023-09-05 18:00:01 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash dae02f32a21e03ce65412f6e56942daa (123 x YellowCockatoo, 60 x CobaltStrike, 44 x JanelaRAT)
ssdeep 768:ch6wa0Zounlq5jPAvWecghlXb5jzZ6hUMt7seRDF5HmLNWpM2fVCB:dUGun45jgVhldwPt7R75HmQC
Threatray 11 similar samples on MalwareBazaar
TLSH T13E138D0AF387C666C9EA07B7D4D7429007B0D3116677EB1F758E231AEE8338B8B51649
TrID 87.2% (.DLL) Generic .NET DLL/Assembly (236632/4/32)
3.8% (.EXE) Win64 Executable (generic) (10523/12/4)
2.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.6% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter jstrosch
Tags:dll

Intelligence

File Origin
# of uploads :
2
# of downloads :
282
Origin country :
US US
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/445333/
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.21909.27895.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/64ef4f695ec4a8623261dfd7/reports/4955786a-60a3-44f9-8661-f2cf2a765003/overview
Verdict:
Malicious
Labled as:
MSILHeracles.Generic
Link:
https://www.hybrid-analysis.com/sample/312f91c7df05769397ae4813e57059077535302f7eec6e789860695c4719cb88
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Quasar RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b7351ec6-d2b1-4730-ba37-0b8b4be340b5
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1300439
Signature
Antivirus / Scanner detection for submitted sample
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1300439 Sample: decode_df6bc9f0e951924b983b... Startdate: 30/08/2023 Architecture: WINDOWS Score: 60 15 Antivirus / Scanner detection for submitted sample 2->15 17 Multi AV Scanner detection for submitted file 2->17 19 Machine Learning detection for sample 2->19 7 loaddll32.exe 1 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        11 conhost.exe 7->11         started        process5 13 rundll32.exe 9->13         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/312f91c7df05769397ae4813e57059077535302f7eec6e789860695c4719cb88/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-08-30 05:58:34 UTC
File Type:
PE (.Net Dll)
Extracted files:
4
AV detection:
16 of 37 (43.24%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gexzdr67av3jhf5ojaj6k4cza52tkmbpp3wg46eymbuvyryzzoea._file
Verdict:
malicious
Similar samples:
23f9cab9765f1e0d17ecedd1f7485750d74c66659e0b9bc8560b5d5945509008
4c91c1999a25d525a41e688d4f86dee6d583f51210b58ca20d1a2ac312d8b93f
534bc98179bd7a6f7c7491fdee34ff06ae1d90f7bf1db29586d39a5ae971eea5
5dd81b46f9b2a310868ab2b1ea4d61619ab039d8d19e8abff4a559930be4fe19
60035c20c6889c26178deeba950e22da4224795ad96f4d3f3eea3ad77f031c85
adc06c9330fd9af92df24003d3e620f7104c23920473b5e3b03b56a2d6d66fb4
c68b7153fdf0f50387d3d594f00b361d3b03b0c1efa12ff741a11313b92ff9c0
+ 1 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/230830-rlpmsafh49/
Unpacked files
SH256 hash:
312f91c7df05769397ae4813e57059077535302f7eec6e789860695c4719cb88
MD5 hash:
a14b19a3fab75fd6ef1504b29ba56e1d
SHA1 hash:
de92633e327257f701a450ae21e32e88bb709e5e
Link:
https://www.unpac.me/results/9f0611f3-efe4-44a5-bc19-6704edf50957/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.56
Link:
https://yomi.yoroi.company/submissions/312f91c7df05769397ae4813e57059077535302f7eec6e789860695c4719cb88

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:extracted_at_0x44b
Create hunting rule
Author:cb
Description:sample - file extracted_at_0x44b.exe
Reference:Internal Research
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETDLLMicrosoft
Create hunting rule
Author:malware-lu
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/445333/

Comments