MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 36af345135ab790115485aa09233ec620e30e1256a80225cc02092a86309e791. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



DCRat


Vendor detections: 18



SHA256 hash: 36af345135ab790115485aa09233ec620e30e1256a80225cc02092a86309e791
SHA3-384 hash: 98aeaa6c26bdef544c4871182af840773c698ca808d2c809a967db7c66db222cd05503c2ccbac4e898d653676ee0d990
SHA1 hash: 73da1268edf86b484fd670f048f08ed01069956d
MD5 hash: 2bb5274a4fbeabc358f7c68d9f08f6d7
humanhash: bravo-mexico-jupiter-single
File name: 2bb5274a4fbeabc358f7c68d9f08f6d7.exe
Signature: DCRat
File size: 1'419'264 bytes
First seen: 2025-03-14 02:10:24 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep: 24576:SgJICjGx+VQUiKp9C+DOwc1t5CzcZRTPOzWnLcY97IrcZmtYatq0P:VIY7VrJdOwwrcSLfsJKg
TLSH: T153657C017E84CE52F0181233C2EF854847F0A991B6A6E32B7DBA37AD55163A77C1D9CB
TrID: 51.8% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      22.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      7.4% (.EXE) Win64 Executable (generic) (10522/11/4)
      4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      3.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika: pebin
Reporter: abuse_ch
Tags: DCRat exe


abuse_ch
DCRat C2:
http://77.105.147.252/_7Base/Windowstraffic.php

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 559
Origin country: NL
Vendor Threat Intelligence

Malware family:
ID: 1
File name: 2bb5274a4fbeabc358f7c68d9f08f6d7.exe
Verdict: Malicious activity
Analysis date: 2025-03-14 02:47:56 UTC
Tags: rat dcrat remote darkcrystal netreactor

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 99.9%
Tags: virus msil hype
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating synchronization primitives
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a window
Connection attempt
Sending an HTTP GET request
Creating a file
Unauthorized injection to a recently created process
Restart of the analyzed sample
Launching a process
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-vm cmd cscript dcrat explorer lolbin net_reactor obfuscated packed prometheus reconnaissance schtasks vbnet
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected DCRat
Behaviour
Behavior Graph (ID 1638016; sample DwGQUTeIQN.exe; start date 14/03/2025; architecture WINDOWS; score 100)
Top signatures on the sample node: Suricata IDS alerts for network traffic; Found malware configuration; Antivirus detection for dropped file; 10 other signatures.
Network: 77.105.147.252 (local ports 49714, 49715, 49716), PLUSTELECOM-ASRU, Russian Federation
Dropped by the first DwGQUTeIQN.exe process: a40b7d9398c9731e35...df3d1dc7950c13f.exe (PE32) with its Zone.Identifier stream (ASCII), 344cf117-0127-4553-83b6-3f507151bca7.vbs (ASCII), and 2 other malicious files; this process also queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines).
Process chain: DwGQUTeIQN.exe starts two wscript.exe instances (one of which queries a suspicious COM object, likely to drop a second stage); wscript.exe starts DwGQUTeIQN.exe again, which drops two further .vbs files and starts two more wscript.exe instances, and the cycle repeats. The .vbs files dropped across these rounds are 60cfba4a-0c1e-4beb-9abc-9413d3f22c6c.vbs, 3a77c828-a837-4cdb-bad8-74da365d95fa.vbs, 88d72faf-8874-426a-9866-49af31805b82.vbs, 026f3ff9-6497-4585-8284-77a3ba08a76d.vbs, be84138c-173b-440f-bd28-bf82014430e1.vbs, 08a6b7ff-3f92-440f-b910-9f911666312f.vbs, ce4a9db5-07b1-4319-80a1-5706e04887bb.vbs and 7af80b76-4bc0-4812-a079-7b0d8e51a668.vbs (all ASCII).
Threat name: ByteCode-MSIL.Backdoor.DCRat
Status: Malicious
First seen: 2023-08-14 11:56:14 UTC
AV detection: 30 of 38 (78.95%)
Threat level: 5/5
Verdict: malicious
Label(s):
Similar samples:
Result
Malware family:
Score: 10/10
Tags: family:dcrat infostealer rat
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
DCRat payload
DcRat
Dcrat family
Verdict: Malicious
Tags: rat dcrat Win.Malware.Uztuby-9957322-0
YARA: MAL_EXE_DCRat_Jul_08_2
Unpacked files

SHA256 hash: 36af345135ab790115485aa09233ec620e30e1256a80225cc02092a86309e791
MD5 hash: 2bb5274a4fbeabc358f7c68d9f08f6d7
SHA1 hash: 73da1268edf86b484fd670f048f08ed01069956d

SHA256 hash: c84dea67a6c2545d557a90c1a3e0bb8f98516c839a84449fa163433a7e0de858
MD5 hash: 22258e50376579879e7a14e2e1e6e632
SHA1 hash: 020b6c495704912c8e9b149f6c0c1d11339b42fd

SHA256 hash: 434cec84fc953c768938e337aba6e0075078b650f78a08fb4a588e9be61fb798
MD5 hash: 61ef7c1420eeb0cacfdd57a53935a508
SHA1 hash: 253ee0118e48662afc46a643da6e322b9c4d8a16
Detections: INDICATOR_EXE_Packed_SmartAssembly

Parent samples

SHA256 hash: 8e70b153c0c449b40027879028371cf86d0755b2fa86f380f33c1579a2873c46
MD5 hash: bfbc04b2441b9609e1704ffa781d2514
SHA1 hash: 2b271bb94d6217130c0ebb1d1dc4eb56224198c8

SHA256 hash: 7548d403d8b54e3c276810cfdde6e57fd84c6d8409aeeb036efec12a4f82df3e
MD5 hash: e2d5bf7cb19aac919d2dd163c1c1dc34
SHA1 hash: 89beab4324007ef16b5586dbae42da17680312d9

SHA256 hash: 18fe48031a18449fab109af60ba11c09558d0a388962c14c1be453aff9126c0f
MD5 hash: ad122d61ca248b162cc410a0d8220ee5
SHA1 hash: c0c0f96efde22b527c90d8b3552f0a5584e317bb

SHA256 hash: 150bc49f9755f25221bfc445c7a067615cdb8de797c6c6ba873e3f56e0036799
MD5 hash: 62e2e1875fed8255a355ad33978871f8
SHA1 hash: cbd378e64a125ba6b0306d126eec6bd4cecda46c
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BAZT_B5_NOCEXInvalidStream

Rule name: Detect_PowerShell_Obfuscation
Author: daniyyell
Description: Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name: DotNet_Reactor
Author: @bartblaze
Description: Identifies .NET Reactor, which offers .NET code protection such as obfuscation, encryption and so on.

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: NET
Author: malware-lu

Rule name: pe_imphash

Rule name: PureCrypter
Author: @bartblaze
Description: Identifies PureCrypter, .NET loader and obfuscator.
Reference: https://malpedia.caad.fkie.fraunhofer.de/details/win.purecrypter

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                          Title                                                     Severity
CHECK_AUTHENTICODE          Missing Authenticode                                      high
CHECK_DLL_CHARACTERISTICS   Missing dll Security Characteristics (HIGH_ENTROPY_VA)    high
