MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6c03e3ae592ccc1818f69b790c4fc141059b78fe220206751197b5613f940f9c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



DCRat


Vendor detections: 14



SHA256 hash: 6c03e3ae592ccc1818f69b790c4fc141059b78fe220206751197b5613f940f9c
SHA3-384 hash: 678b15e3fa7c51d81a944677f8695183bc56783ca16b109820d0a9ea8240fbfc04cf3cd34e8447091caca13c3539a7db
SHA1 hash: a51c53780f6a128e41e3badbc397320ca9922c8f
MD5 hash: 4602069400b12c71869d9420de15e02d
humanhash: march-south-football-jig
File name: 4602069400b12c71869d9420de15e02d.exe
Signature: DCRat
File size: 1'559'244 bytes
First seen: 2024-05-09 19:55:22 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep: 24576:T2G/nvxW3Wo2KvcMJUkSLzY6I9M8QEhwWmw3zGfaux+wHWbBphtt1VF:TbA3qKDUkSvxcp
Threatray: 3 similar samples on MalwareBazaar
TLSH: T108759D017E54CA11F01A1633C2FF454847B4AE516BA6E32B7EBA37AD55123A33D0DACB
TrID: 76.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
      16.5% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
      3.0% (.EXE) Win64 Executable (generic) (10523/12/4)
      1.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
      1.2% (.EXE) Win32 Executable (generic) (4504/4/1)
dhash icon: 82e978c8c878e982 (2 x DCRat, 1 x SheetRAT)
Reporter: abuse_ch
Tags: DCRat exe


abuse_ch
DCRat C2: http://vladiez8.beget.tech/L1nc0In.php

Intelligence


File Origin
# of uploads: 1
# of downloads: 376
Origin country: NL
Vendor Threat Intelligence
Malware family:
ID: 1
File name: 6c03e3ae592ccc1818f69b790c4fc141059b78fe220206751197b5613f940f9c.exe
Verdict: Malicious activity
Analysis date: 2024-05-09 19:56:12 UTC
Tags: rat backdoor dcrat remote stealer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Launching a process
Creating a file in the Windows subdirectories
Creating a file in the Program Files subdirectories
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-vm cmd cscript dcrat explorer fingerprint installer lolbin overlay packed packed prometheus risepro schtasks setupapi sfx shdocvw shell32
Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Creates processes via WMI
Drops executable to a common third party application directory
Drops PE files to the user root directory
Drops PE files with benign system names
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Schedule system process
Sigma detected: System File Execution Location Anomaly
Snort IDS alert for network traffic
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected DCRat
Behaviour
Behavior Graph (ID: 1439145; Sample: Qd3usMZwOg.exe; Startdate: 09/05/2024; Architecture: WINDOWS; Score: 100)
  DNS/IP: vladiez8.beget.tech
  Sample-level signatures: Snort IDS alert for network traffic; Found malware configuration; Antivirus detection for dropped file; 12 other signatures
  Process tree:
    Qd3usMZwOg.exe
      dropped: C:\websvc\system.exe (PE32)
      dropped: C:\websvc\86s0IKCVmR4uRX.vbe (data)
      wscript.exe
        signature: Windows Scripting host queries suspicious COM object (likely to drop second stage)
        cmd.exe
          system.exe
            dropped: C:\...\HkcNnYSHChijSgOSxBfwpbRprvwJao.exe (PE32, listed twice)
            dropped: C:\Windows\Branding\Basebrd\lsass.exe (PE32)
            dropped: 12 other malicious files
            signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 5 other signatures
            schtasks.exe
              signature: Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
            schtasks.exe
              Conhost.exe
            schtasks.exe
            32 other processes
          conhost.exe
    cscript.exe
Threat name: ByteCode-MSIL.Ransomware.Prometheus
Status: Malicious
First seen: 2024-05-03 23:17:33 UTC
File Type: PE (Exe)
Extracted files: 5
AV detection: 27 of 38 (71.05%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:dcrat evasion infostealer rat
Behaviour
Creates scheduled task(s)
Modifies registry class
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Disables Task Manager via registry modification
DCRat payload
DcRat
Process spawned unexpected child process
Unpacked files
SHA256 hash: 27dccc65ce8165512408ae59f94d38cf1a1e93044308ca957700ca1655d69031
MD5 hash: aba96cbe98c5bdcc152aca94eb26376e
SHA1 hash: 34555ff2f2fa3daf81af12c5979d80aada71f5ab
SHA256 hash: 239d629363a9ca2f584ba5686e1554717d8ba6f5f2094a2ba97f570afcb02fc5
MD5 hash: efa9aea3cede341bbe3d6501c3e2daed
SHA1 hash: afbdada7a76a818f7cc38d631c8e27eb69189d9d
Detections: dcrat_user_ping_counter
Parent samples:
SHA256 hash: 4e7559a9539caf9238081cc71ca062ac4b5cf35c132ab2cff639f96f71878bb6
MD5 hash: eee2cbc8116cf91009dcd705456753f4
SHA1 hash: 7119a961d3556cb1c912dec91e40b098b6b57f8e
SHA256 hash: 6c03e3ae592ccc1818f69b790c4fc141059b78fe220206751197b5613f940f9c
MD5 hash: 4602069400b12c71869d9420de15e02d
SHA1 hash: a51c53780f6a128e41e3badbc397320ca9922c8f
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DotNet_Reactor
Author: @bartblaze
Description: Identifies .NET Reactor, which offers .NET code protection such as obfuscation, encryption and so on.
Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)
Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants
Rule name: NET
Author: malware-lu
Rule name: PureCrypter
Author: @bartblaze
Description: Identifies PureCrypter, .NET loader and obfuscator.
Reference: https://malpedia.caad.fkie.fraunhofer.de/details/win.purecrypter
Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants
Rule name: SelfExtractingRAR
Author: Xavier Mertens
Description: Detects an SFX archive with automatic script execution
Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a Binary Linter that checks the security properties and capabilities of executables.

Findings
ID                         Title                                                      Severity
CHECK_AUTHENTICODE         Missing Authenticode                                       high
CHECK_DLL_CHARACTERISTICS  Missing dll Security Characteristics (HIGH_ENTROPY_VA)     high
CHECK_TRUST_INFO           Requires Elevated Execution (level:requireAdministrator)   high

Reviews
ID                  Capabilities                     Evidence
GDI_PLUS_API        Interfaces with Graphics         gdiplus.dll::GdiplusStartup
                                                     gdiplus.dll::GdiplusShutdown
                                                     gdiplus.dll::GdipAlloc
WIN32_PROCESS_API   Can Create Process and Threads   KERNEL32.dll::CloseHandle
                                                     KERNEL32.dll::CreateThread
WIN_BASE_API        Uses Win Base API                KERNEL32.dll::TerminateProcess
                                                     KERNEL32.dll::LoadLibraryW
                                                     KERNEL32.dll::LoadLibraryExA
                                                     KERNEL32.dll::LoadLibraryExW
                                                     KERNEL32.dll::GetSystemInfo
                                                     KERNEL32.dll::GetStartupInfoW
WIN_BASE_EXEC_API   Can Execute other programs       KERNEL32.dll::AllocConsole
                                                     KERNEL32.dll::AttachConsole
                                                     KERNEL32.dll::WriteConsoleW
                                                     KERNEL32.dll::FreeConsole
                                                     KERNEL32.dll::SetStdHandle
                                                     KERNEL32.dll::GetConsoleMode
                                                     KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_API     Can Create Files                 KERNEL32.dll::CreateDirectoryW
                                                     KERNEL32.dll::CreateHardLinkW
                                                     KERNEL32.dll::CreateFileW
                                                     KERNEL32.dll::CreateFileMappingW
                                                     KERNEL32.dll::DeleteFileW
                                                     KERNEL32.dll::MoveFileW
                                                     KERNEL32.dll::MoveFileExW
