MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 36d52f4d3719a38a45bf61c75b32dd62db19375c0d85b54baa1a80c92865858c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



DCRat


Vendor detections: 19



SHA256 hash: 36d52f4d3719a38a45bf61c75b32dd62db19375c0d85b54baa1a80c92865858c
SHA3-384 hash: 076518eeed72a5882470ac64f52221574bfebd62a66652dfadee4146a14da4ecd521ae95c949d06676fbc77d4c447740
SHA1 hash: e2e849dfd9bf2ec1bb270c035f0e60854ba84b56
MD5 hash: 14d207455f3c58375386de4f35780f1f
humanhash: massachusetts-mike-three-rugby
File name: 14d207455f3c58375386de4f35780f1f.exe
Signature: DCRat
File size: 1'216'644 bytes
First seen: 2025-03-16 23:55:12 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep: 24576:U2G/nvxW3Ww0tQva9FREl0UMHEUEJtE2KFBXGMaqNyBI6wN8D9/VykAmqAyT:UbA30QvyaqXpt
Threatray: 193 similar samples on MalwareBazaar
TLSH: T186455A017E44CE12F0181633C2EF4A0847B4AC512AA6E72B7EBE376E55523977D1DACB
TrID:
  76.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
  16.5% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
  3.0% (.EXE) Win64 Executable (generic) (10522/11/4)
  1.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
  1.2% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
dhash icon: 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter: abuse_ch
Tags: DCRat exe


abuse_ch
DCRat C2:
http://artemcd9.beget.tech/L1nc0In.php

Intelligence


File Origin
# of uploads: 1
# of downloads: 567
Origin country: NL
Vendor Threat Intelligence
Malware family:
ID: 1
File name: 14d207455f3c58375386de4f35780f1f.exe
Verdict: Malicious activity
Analysis date: 2025-03-16 23:59:12 UTC
Tags: autorun-sched rat dcrat remote darkcrystal

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.1%
Tags: autorun virus sage msil
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Launching a process
Creating a file in the Program Files subdirectories
Creating a file in the Windows subdirectories
DNS request
Connection attempt
Sending an HTTP GET request
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: crypt dcrat fingerprint installer microsoft_visual_cc obfuscated overlay packed packer_detected reconnaissance sfx
Verdict: Malicious
Labeled as: Trojan.MSIL.Basic.8.Gen;Trojan.Uztuby
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates processes via WMI
Drops executables to the windows directory (C:\Windows) and starts them
Found malware configuration
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected DCRat
Behaviour
Behavior Graph (ID 1640126)
Sample: 518FC8Q4N1.exe; Start date: 17/03/2025; Architecture: WINDOWS; Score: 100
Network: artemcd9.beget.tech
Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Antivirus detection for URL or domain; 8 other signatures
Processes started: 518FC8Q4N1.exe, ctfmon.exe, qOII5O2k4wjGK5.exe, 9 other processes
  518FC8Q4N1.exe
    Dropped: C:\bridgemscomNet\fontsaves.exe (PE32); C:\...507q2YNOmgFQHTo3T9TwGHk8V9jEYj.vbe (data)
    Started: wscript.exe
    wscript.exe
      Signature: Windows Scripting host queries suspicious COM object (likely to drop second stage)
      Started: cmd.exe
      cmd.exe
        Started: fontsaves.exe, conhost.exe
        fontsaves.exe
          Dropped: C:\bridgemscomNet\IOS93awuSrBl.exe (PE32); C:\Windows\Prefetch\...\TAGXa8vX3lr.exe (PE32); C:\Users\Default\...\UserOOBEBroker.exe (PE32); 5 other malicious files
          Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Uses schtasks.exe or at.exe to add and modify task schedules; Creates processes via WMI
          Started: CefgEk14qrekLO.exe, schtasks.exe, schtasks.exe, 22 other processes
          CefgEk14qrekLO.exe
            Network: artemcd9.beget.tech 5.101.152.71, 49723, 80 BEGET-ASRU Russian Federation
  ctfmon.exe
    Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file
Threat name: ByteCode-MSIL.Backdoor.DCRat
Status: Malicious
First seen: 2025-03-15 01:40:30 UTC
File Type: PE (Exe)
Extracted files: 17
AV detection: 25 of 36 (69.44%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:dcrat discovery infostealer rat
Behaviour
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
DCRat payload
DcRat
Dcrat family
Process spawned unexpected child process
Verdict: Malicious
Tags: rat dcrat Win.Trojan.Uztuby-9855059-0
YARA: MAL_EXE_DCRat_Jul_08_2
Unpacked files
SHA256 hash: 36d52f4d3719a38a45bf61c75b32dd62db19375c0d85b54baa1a80c92865858c
MD5 hash: 14d207455f3c58375386de4f35780f1f
SHA1 hash: e2e849dfd9bf2ec1bb270c035f0e60854ba84b56
Detections: win_xorist_auto
SHA256 hash: caf258e0dd0e3def833754269e926a72be39512817c09fd6e063ea57377fccce
MD5 hash: 7adb02d85616c06216112bb6fc7abcb4
SHA1 hash: cdc568f39f5b9331e9aed46bf8a4959ae20cb038
Detections: SUSP_OBF_NET_Reactor_Indicators_Jan24
SHA256 hash: d2e28fd26bd6c86f7a08cee3c1535bcd4ee08c81505bf15f138fbbb592c17735
MD5 hash: d785afd30f0576890fd4a9ee9928a20f
SHA1 hash: 90aefb0ad056efa509a72b7886c46d681c843b7c
Detections: dcrat_message_on_start INDICATOR_EXE_Packed_SmartAssembly
Parent samples:
Note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: Detect_PowerShell_Obfuscation
Author: daniyyell
Description: Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name: DotNet_Reactor
Author: @bartblaze
Description: Identifies .NET Reactor, which offers .NET code protection such as obfuscation, encryption and so on.
Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset
Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants
Rule name: NET
Author: malware-lu
Rule name: PureCrypter
Author: @bartblaze
Description: Identifies PureCrypter, .NET loader and obfuscator.
Reference: https://malpedia.caad.fkie.fraunhofer.de/details/win.purecrypter
Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants
Rule name: SelfExtractingRAR
Author: Xavier Mertens
Description: Detects an SFX archive with automatic script execution
Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants
Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)
Rule name: win_xorist_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.xorist.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a Binary Linter that checks the security properties and capabilities of executables.

Findings
ID: CHECK_AUTHENTICODE
Title: Missing Authenticode
Severity: high
ID: CHECK_DLL_CHARACTERISTICS
Title: Missing dll Security Characteristics (HIGH_ENTROPY_VA)
Severity: high
Reviews
ID: GDI_PLUS_API
Capabilities: Interfaces with Graphics
Evidence: gdiplus.dll::GdiplusStartup, gdiplus.dll::GdiplusShutdown, gdiplus.dll::GdipAlloc
ID: WIN32_PROCESS_API
Capabilities: Can Create Process and Threads
Evidence: KERNEL32.dll::CloseHandle, KERNEL32.dll::CreateThread
ID: WIN_BASE_API
Capabilities: Uses Win Base API
Evidence: KERNEL32.dll::TerminateProcess, KERNEL32.dll::LoadLibraryW, KERNEL32.dll::LoadLibraryExA, KERNEL32.dll::LoadLibraryExW, KERNEL32.dll::GetSystemInfo, KERNEL32.dll::GetStartupInfoW
ID: WIN_BASE_EXEC_API
Capabilities: Can Execute other programs
Evidence: KERNEL32.dll::AllocConsole, KERNEL32.dll::AttachConsole, KERNEL32.dll::WriteConsoleW, KERNEL32.dll::FreeConsole, KERNEL32.dll::SetStdHandle, KERNEL32.dll::GetConsoleMode, KERNEL32.dll::GetConsoleCP
ID: WIN_BASE_IO_API
Capabilities: Can Create Files
Evidence: KERNEL32.dll::CreateDirectoryW, KERNEL32.dll::CreateHardLinkW, KERNEL32.dll::CreateFileW, KERNEL32.dll::CreateFileMappingW, KERNEL32.dll::DeleteFileW, KERNEL32.dll::MoveFileW, KERNEL32.dll::MoveFileExW

Comments