MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3c5c5eac09d165dcab59bcd240f337b27af6638f344c6367c0d83f50aabbdab5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3c5c5eac09d165dcab59bcd240f337b27af6638f344c6367c0d83f50aabbdab5
SHA3-384 hash: 0a5ebedb5f2c24ae2f21ea5a021a1f9b77c9678a5f4f011c6e889e599b90c794559a48121755f55308eed53197121bd2
SHA1 hash: 798127d083f49dfbd8d463f67a42d527853851c6
MD5 hash: caa2154e1443eee5a95ce016204b37fd
humanhash: whiskey-oxygen-burger-arkansas
File name:58018063.exe
Download: download sample
File size:480'256 bytes
First seen:2022-03-23 04:37:38 UTC
Last seen:2022-03-23 07:12:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash afec26099e3f11d466913b19e228f448 (1 x DCRat)
ssdeep 12288:+Qar+C8rNNgqGK/lGRgOUqmq9kR6lhKXADIGZuIkvo2pWWA:+QarBqGK/cRgOnmq9g6KGEdWWA
Threatray 7'454 similar samples on MalwareBazaar
TLSH T1DAA42339644FE058E5FCF9F1FC54EE1F5618735B6C8498BB879CBB062468A312EA104E
File icon (PE):PE icon
dhash icon 0e2933985921528c (1 x DCRat)
Reporter adm1n_usa32
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
172
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/255245/
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/623aa43d0cd58dbd92dcaa45/reports/0850dd4c-c72b-44d4-b66a-ddb777f5fa49/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Gathering data
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/962430
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Contains functionality to detect sleep reduction / modifications
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
PE file has nameless sections
Powershell drops PE file
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Powershell download and execute file
Sigma detected: PowerShell DownloadFile
Suspicious powershell command line found
Tries to download and execute files (via powershell)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 594909 Sample: 58018063.exe Startdate: 23/03/2022 Architecture: WINDOWS Score: 100 30 ip-api.com 2->30 32 cdn.discordapp.com 2->32 34 api.telegram.org 2->34 36 Antivirus detection for dropped file 2->36 38 Sigma detected: Powershell download and execute file 2->38 40 Multi AV Scanner detection for submitted file 2->40 42 6 other signatures 2->42 9 58018063.exe 2->9         started        signatures3 process4 signatures5 46 Contains functionality to inject code into remote processes 9->46 48 Writes to foreign memory regions 9->48 50 Allocates memory in foreign processes 9->50 52 2 other signatures 9->52 12 RegSvcs.exe 9->12         started        process6 process7 14 cmd.exe 1 12->14         started        signatures8 54 Suspicious powershell command line found 14->54 56 Tries to download and execute files (via powershell) 14->56 17 powershell.exe 15 16 14->17         started        22 powershell.exe 5 14->22         started        24 conhost.exe 14->24         started        process9 dnsIp10 28 cdn.discordapp.com 162.159.134.233, 443, 49792 CLOUDFLARENETUS United States 17->28 26 C:\Users\user\AppData\Roaming\tlo.exe, PE32+ 17->26 dropped 44 Powershell drops PE file 17->44 file11 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3c5c5eac09d165dcab59bcd240f337b27af6638f344c6367c0d83f50aabbdab5/
Threat name:
Win32.Trojan.RealProtectPENG
Create hunting rule
Status:
Malicious
First seen:
2022-03-23 04:38:22 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0ca57f85e88001edd67dff84428375de282f0f92e5bef2daed1c03ad2fa7612e
1b7b6ef3fc21c58be4121dcd66b8e3b1231c0bb49f6e256460cc213775f4dd90
36ed7e4e8dfce10773b1b1f1b7302e80d38bfd75d7c35bc5da2abf9a8a0b99e3
60e6e0f067230326553fef06a25719c538bc8bd9c9a2de543adc3d846e121672
7fa24025283e6b745f20c81e15a8cdb866905fb079579b71efd9e659398cb574
+ 7'444 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/220323-e9fnkafcf6/
Unpacked files
SH256 hash:
6bbe5ad06683425e7312564a36bcbc395e6a9c2e92ea9bc0c4a103512dea0c57
MD5 hash:
ae6b57e32b956075c7df92484599c2eb
SHA1 hash:
2937d4a2d4b19c02e59a881460aa79dd8e9158f4
Link:
https://www.unpac.me/results/f5f215ca-0619-47e7-b070-f727c6c00633/
SH256 hash:
3c5c5eac09d165dcab59bcd240f337b27af6638f344c6367c0d83f50aabbdab5
MD5 hash:
caa2154e1443eee5a95ce016204b37fd
SHA1 hash:
798127d083f49dfbd8d463f67a42d527853851c6
Link:
https://www.unpac.me/results/f5f215ca-0619-47e7-b070-f727c6c00633/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.46
Link:
https://yomi.yoroi.company/submissions/3c5c5eac09d165dcab59bcd240f337b27af6638f344c6367c0d83f50aabbdab5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/255245/

Comments