MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 571fbb18f4fb9c36e5a991451316360fb81e5e537604b8fe7143b79fb3b926b5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

HorusEyesRAT

Vendor detections: 7

Intelligence 7 IOCs YARA 3 File information Comments

SHA256 hash:	571fbb18f4fb9c36e5a991451316360fb81e5e537604b8fe7143b79fb3b926b5
SHA3-384 hash:	3ea3eaf8cacab659cf72215c44c8e86606a48c6ed0b37b5a01754dbf7d4dd52566a55be7c5f7b0f9245b7691cb9b3791
SHA1 hash:	8e25cd630c84c4c2fc837af0711fc6413f656616
MD5 hash:	30cddd0662f0d4f5b7ccbf51eb83e8ce
humanhash:	foxtrot-one-november-march
File name:	Stub_64.exe
Download:	download sample
Signature	HorusEyesRAT Create hunting rule
File size:	33'792 bytes
First seen:	2021-08-06 05:59:34 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
ssdeep	768:vtPUpt5VXSXZ1XjHkut9MzvbnZ4MKl8zCMWE2WtB0+Tb:vtPUDGZ1XQuwnnZ4V7TYNb
Threatray	7 similar samples on MalwareBazaar
TLSH	T14FE2D008B7948601C6BE5FBD3A73470425F0E24BA923C7D92DD8F4B659AF74506323EA
Reporter	JAMESWT_WT
Tags:	exe github Horus Eyes RAT HorusEyesRAT SantanderModulo

Intelligence

File Origin

# of uploads :

# of downloads :

126

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

HorusEyes.Rat.V0.2.1.0.zip

Verdict:

Malicious activity

Analysis date:

2021-06-29 21:54:37 UTC

Tags:

evasion

Link:

https://app.any.run/tasks/fbe70594-d84f-4104-8741-fd75cdf4f4b7

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/176887/

Detection(s):

Win.Packed.Tasker-9878136-0

Win.Malware.Bulz-9880996-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Connection attempt

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ac21905d-abab-43f9-b2e3-3eba3606a1c9

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

64 / 100

Link:

https://www.joesandbox.com/analysis/828090

Signature

Antivirus / Scanner detection for submitted sample

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Yara detected Costura Assembly Loader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/571fbb18f4fb9c36e5a991451316360fb81e5e537604b8fe7143b79fb3b926b5/

Threat name:

ByteCode-MSIL.Trojan.Tasker

Status:

Malicious

First seen:

2021-02-27 09:50:49 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

19 of 29 (65.52%)

Threat level:

5/5

Verdict:

unknown

HorusEyesRAT

244a1abc92912383268d141128a0eafcdf2b4b2a57b9e0490169b8f233c9671a

HorusEyesRAT

7341c552248fde8f1a9edd84a0535e118ddd98d079091c986d87400c96c53443

HorusEyesRAT

915caf575fdbc904c0d5a3755135545f76b81bf633cdac3c98b85bd0ab76dfb6

HorusEyesRAT

a49e379153901b3cab3c699af90979848ec51fdd2d07790606b3ed2bedb74297

HorusEyesRAT

a717b5d3af3173ce9958a23f95269e2d8ccd8979445626342c32b398d4f08f8a

HorusEyesRAT

b58248fcc771ae21b12857d72462c26ae30f3234bd5095986079c7b807791fa6

HorusEyesRAT

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/210806-wa156cetlx/

Behaviour

Suspicious use of AdjustPrivilegeToken

Unpacked files

SH256 hash:

571fbb18f4fb9c36e5a991451316360fb81e5e537604b8fe7143b79fb3b926b5

MD5 hash:

30cddd0662f0d4f5b7ccbf51eb83e8ce

SHA1 hash:

8e25cd630c84c4c2fc837af0711fc6413f656616

Link:

https://www.unpac.me/results/b77ae594-4b01-42c0-a87b-1c257a9b3386/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.49

Link:

https://yomi.yoroi.company/submissions/571fbb18f4fb9c36e5a991451316360fb81e5e537604b8fe7143b79fb3b926b5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_Fody Create hunting rule
Author:	ditekSHen
Description:	Detects executables manipulated with Fody

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/176887/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample