MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6f0a08f005fcd2ded1fe6124656de735ba04d4b1d353c98440eceaa53140f0be. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 13


Intelligence 13 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6f0a08f005fcd2ded1fe6124656de735ba04d4b1d353c98440eceaa53140f0be
SHA3-384 hash: 94a04320d6b4c4f342d7adcf74878dd4ca8bbcbd8ff1ca43664f7d23dd958b9f9a8abe5625ce214d52e4ed3f2a1adc03
SHA1 hash: e42c080a17118251bbfcd2e47e21424db7ffb5a6
MD5 hash: ee3a3698449bfdaf042245ae1326b17c
humanhash: item-pizza-black-tennis
File name:EE3A3698449BFDAF042245AE1326B17C.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:1'572'465 bytes
First seen:2023-11-04 05:50:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 24576:y2G/nvxW3We9qfoMT+47fLkBYvkg4bVIXbS9aZ1pL5VS2xemV:ybA3CfLi4+ukge+XndVbx5
TLSH T128757C017E54CD61F0191233D2AF555887B4AC126AA6E72F7ABA376D25123F33C1CACB
TrID 91.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.6% (.EXE) Win64 Executable (generic) (10523/12/4)
1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
0.6% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 00414f4f4f4f4700 (14 x CoinMiner, 12 x RedLineStealer, 12 x NodeLoader)
Reporter abuse_ch
Tags:DCRat exe


Avatar
abuse_ch
DCRat C2:
http://172.86.66.137/L1nc0In.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
435
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.VBS.Encrypted.Gen.UNOFFICIAL
Create hunting rule

Win.Trojan.Uztuby-9855059-0
Create hunting rule

Win.Ransomware.Clinix-9868408-0
Create hunting rule

Win.Packed.Msilmamut-9950860-0
Create hunting rule

Win.Packed.Basic-9952747-0
Create hunting rule

Win.Packed.Uztuby-9963900-0
Create hunting rule

Win.Packed.Uztuby-9969968-0
Create hunting rule

Win.Malware.Uztuby-9972880-0
Create hunting rule

Win.Trojan.DarkKomet-9976180-0
Create hunting rule

Win.Trojan.Uztuby-10010740-0
Create hunting rule

SecuriteInfo.com.Trojan.Rasftuby.Gen.14.10239.27368.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Launching a process
Creating a file in the Program Files subdirectories
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Sending an HTTP GET request to an infection source
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm cmd cscript dcrat explorer greyware installer lolbin makop overlay packed packed replace schtasks setupapi sfx shdocvw shell32 wscript
Link:
https://www.filescan.io/uploads/6545dbc63dd412119bec1dd3/reports/77de82e3-0ef5-41ec-9723-e53622e6c911/overview
Verdict:
Malicious
Labled as:
Trojan.MSIL.Basic.8
Link:
https://www.hybrid-analysis.com/sample/6f0a08f005fcd2ded1fe6124656de735ba04d4b1d353c98440eceaa53140f0be
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2b6978d3-0256-4187-9d49-f5671243bc91
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1337056
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates processes via WMI
Drops PE files to the document folder of the user
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected DCRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1337056 Sample: 6mA9CZlrAa.exe Startdate: 04/11/2023 Architecture: WINDOWS Score: 100 44 Multi AV Scanner detection for domain / URL 2->44 46 Found malware configuration 2->46 48 Antivirus detection for URL or domain 2->48 50 9 other signatures 2->50 9 6mA9CZlrAa.exe 3 6 2->9         started        12 pOrkwqJthrjlXlDDToOgPtysK.exe 2->12         started        15 schtasks.exe 2->15         started        17 8 other processes 2->17 process3 file4 38 C:\sessionCrtMonitor\sessionperfcommon.exe, PE32 9->38 dropped 40 C:\sessionCrtMonitor\OEIB422QT24DQo7tg8.vbe, data 9->40 dropped 19 wscript.exe 1 9->19         started        66 Antivirus detection for dropped file 12->66 68 Multi AV Scanner detection for dropped file 12->68 70 Machine Learning detection for dropped file 12->70 72 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 15->72 74 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 15->74 signatures5 process6 signatures7 52 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 19->52 54 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 19->54 56 Windows Scripting host queries suspicious COM object (likely to drop second stage) 19->56 22 cmd.exe 1 19->22         started        process8 process9 24 sessionperfcommon.exe 1 8 22->24         started        28 conhost.exe 22->28         started        file10 34 C:\Users\user\Documents\...\dasHost.exe, PE32 24->34 dropped 36 C:\Users\...\pOrkwqJthrjlXlDDToOgPtysK.exe, PE32 24->36 dropped 58 Antivirus detection for dropped file 24->58 60 Multi AV Scanner detection for dropped file 24->60 62 Drops PE files to the document folder of the user 24->62 64 2 other signatures 24->64 30 dasHost.exe 14 2 24->30         started        signatures11 process12 dnsIp13 42 172.86.66.137, 49729, 49730, 49731 M247GB United States 30->42 76 Antivirus detection for dropped file 30->76 78 Multi AV Scanner detection for dropped file 30->78 80 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 30->80 82 2 other signatures 30->82 signatures14
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/6f0a08f005fcd2ded1fe6124656de735ba04d4b1d353c98440eceaa53140f0be
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6f0a08f005fcd2ded1fe6124656de735ba04d4b1d353c98440eceaa53140f0be/
Threat name:
ByteCode-MSIL.Backdoor.DCRat
Create hunting rule
Status:
Malicious
First seen:
2023-10-31 21:38:00 UTC
File Type:
PE (Exe)
Extracted files:
23
AV detection:
29 of 38 (76.32%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=n4far4af7tjn5up6mesgk3phgw5ajvfr2nj4tbca5tvkkmka6c7a._file
Verdict:
malicious
Result
Malware family:
dcrat
Create hunting rule
Score:
  10/10
Tags:
family:dcrat infostealer rat
Link:
https://tria.ge/reports/231104-gj57mscg3z/
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
DCRat payload
DcRat
Process spawned unexpected child process
Unpacked files
SH256 hash:
42b00dfff36a087a0e7b96741ba7894477adc079685793781131084d8f258d12
MD5 hash:
0ff4a0fdd4f59394ce4f2348c2cb56be
SHA1 hash:
cf38b28aa4e40a39d50bb8f83135d8a4bac476ed
Detections:
dcrat_block_input_plugin
Create hunting rule
Link:
https://www.unpac.me/results/a136fc10-16b5-4760-bd58-975f2e53e8ab/
Parent samples :
6f0a08f005fcd2ded1fe6124656de735ba04d4b1d353c98440eceaa53140f0be
c54d820f7ddabf09562c1913c2099aceff06122699944496f1edf5b58f70eae9
04dfbc17a5d59fe23f729175cc485a86211b55190613d88247386e4baea05534
189a5a34e99c66355da0eb5c04636ac3a06404723cc2de86a22bda42aadeea21
cd652234e4620f37b2c74931cfa9bc463560d38976ea12f384c92c4827366434
b84321d7416c9898a381c39e94867b880aea15a68049795d81888371c70d16c3
6c17baf5dfdc7956459c13eab8e1bd537196f4e012c16a8ed8c9dc9762d6fc2e
4c13d7949070e6361626b855d849afa3e4721b654a7906303bb5933645498c53
377f3033cdfdcf4b2bd6b9c2949abcb8d7973c2ade4115d1c622db274bfac687
34e740ecbaab29c15536abd6409bd10e1880a77eeb8a5a88e787051d4fd916a9
9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
a8aa581a55d93a40301bfe2fcfc548c3d75241303134fdcd585bc8383a65acb9
4690a17fffe8940aab38a0e88ef7fef186a5995e4d00e2d0cccde30ceaafcb9c
dfb61558c4fe802041d53dc777e82106afc9377cf60567e797296b1cd74aa402
3eeb9115c3888d0b1c4cfccc25bb48661b90f308bdcc1ea0c2a56a7030d5c547
9c8b561cf27708f285da964826b1183608e75be698f6b5a4469faea8e535a760
f7873b3d8b8f6cf252b37ad3ee8a57b1754b82acc1d0840184af4ce4c237a0db
e341875335ab0192719a7a17c39dd43fe185be56d7dff52c8434525489523007
94b238a6c0c1757059b32035d7f7908b93a03c95cbcfb5c410380093a4ae3e00
425fea1071b9d17709b1c93a92ce8497bd4d8f42d17bf7f7dc47db9fede0133a
682a4c477758cc6b25d07c284879656f821722910a3eaa3c335afa6d50b79706
770eab290d4e855026a8f93e90190785ce6a5b772d6a46446b91d18bcea950a1
266126ef45c3eb686abbb96bb3dc4427f7772bb48b8e9ad1c502b43c63c92475
0032705a736c09ccb7d06c156ceceee2c5915f486a32df2cd0d00d8393c9e0f2
0714c021b42433c9bfecd7e4c92cff30901e7bea72f0cb499e15b04dbbbf6423
27fb772f0a2179eb3a713bdde7dd8877b3e208cc29743a97be71308309664e91
682282bf621bee4f2a2ec6b574b88f9b45685034fcc4db866e6777706b774bff
cebb491e8af42508a08b3d72e299bb73ce764dbe0697aa86d5e300ff50cfeb69
387d5d85440c9e1db680894c297350c26145221e3986ed01bd3b5bddd8cb923e
284f083103d1c160d9e4721ecce515646ce451a1b7ddf9dd89817904e21a4a2d
087437817d3d61d126cd0ca6d5d6babcd39fb5c85a48b95c023878d124051da4
738f3b29b73ecee8cb2f1439bfb37f537b00fea55329de4d5a9eb556f5124898
9084394a955e7b25bca70b2298e1e3359c5aab5189628b647eba18706ffd67c3
8394ffcfda6873fe25a4fc6546706229cc856e2c8ac1f4af6e038bf163ba5547
753774742cbc7f66f9a6c95adcbbbaaef355bd927533a40b61ec9cc44cecaa3b
e75535592e23584ee41ae9338ea80eb8472ef608af0288c855185617e465341d
0eaabbc6526d245393c83bd7167ce1af1b8ea62565bd24e4071fd5d85b42cba5
821cb2141c54e7f85c771ffb713132c64ab34c42d7dc495d932d4048349ecf19
0a0367e1f2d803ba830f19529ef49bcc840a1703724538006e608621c8d2912c
87f220dad3bbeec6f39ed3e74eaa5b63f91924104b238fd33b4c5d49cc88f1ac
5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c
de00660d0d96ff67cb8e89a8d8525567327b109bc54b9042e5fdd516dcc0e51a
a5f4363625928d7fb64087212bd9d094972260739b274f44b53bbbd5be6d19b7
1365414d90a8e9a059336e150f9123f59562c2c5b3a354f3d73f882773f04571
0dacdf0e2ae577718cce67a4498ca419da614bf7b536c615528bb6e273717f54
ae869688bec81e7330c9b358632bb49f52c9f0c509f5bdaa68322716226eef8d
d979fd8848a2fe7df6ea8cb353086d8a28d7c2523b5e10222c19285ab40fa5f3
a887c9e1f514d97af106cbc3c0ef35790cc799aefb4d7d68a5e4c7e0eed74bd3
88ca97ed664243845afb3693bcbe5150e3628039e34f99b49df865442b60b4f1
19ab72819e1063bf5e8f6999bc4c68c65aa72fa52b62b9ae9643a5c2ea10c963
22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400
09bbdf5b842a244123b81ba715cd80776f83fcff31994a07376112e3524135c5
32f71ef21a67f318a02518229fa4db7587b6bf021544df3082dcf888c4e49fad
3fa6ddcabcb03763ef1887117e16ebdf0553a1cc2a16b58bdecaba0735d4e60a
b108df3575c8f9c77577486a92b52fe55bfb6508acca68b22250d8e1fc0494fb
dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e
b473ef5a2e4a6af3a8fb6e05a5f337de350ed961465a87525a19074a419071e2
a6a27d9ba682a107558cdb16fcd50ebbe3d112c8dab38e96d5926c522781cc81
2f77a20ba2eacdaf74acc2be52db30061d378a817ea3ac1812ef1c95f23f735e
7238e57350be305f25ca913714b571ee225a658bf5234d9e98cf72e176b8749b
00db2c26608e0e750b9262587d68d19dfd37e45b185a22b9438fb309ceb15cd9
0b80872ae84d5a7de900b51596d85e09361774ae22cd577ec4898b4350737a53
374290f4bc29e1d5a3295b8f23c281393075beae64db51cd5a5e96c03f9ef8b0
ad3cad3320c96364564203d96cc76ebea925dcc8de447195e0c1addb9f28e7e8
9c8937d1ffc2a8ce23cbaddaa9e8b046d1460fc684d05b609fec3514ab14c39c
25228b9b7646e3a44d0c0458b2d9f4dde89cb36ca52f69ae317edad02678678c
90cd882d4b7aa3939307bcc71bc05d38e600cb22e8984985335df1feac12e44a
4ce4afc5fd856ed5951e35c3efd45fdc03662abf43050fddc564023ef40e6823
cb5bd9dcab7d07c1775ad24d25f72e15b6d62d4c22ce95345ce95632bc68be63
092853fc5c2163fdafef345aff1be3116697804b6f81ef2374422822d1e78bfa
e7f193ed34c9c44b2e7ad602f0abb5eacf9ba78806cac5d8c81a9cf9f1a1477f
cd526b1117e1c22762e6c48441856143ec31f33b8b8efaa13cb3ba37631c5972
633b3cade3eac35d244499864b7951091dc5d8cbac3cb6dd4fa87a214be9c41c
1026da21d95ab9bc3a5dff5163d8029ea6ca3413e586272074105e4727ab1342
de7afeddc29a1d624396c18da80702aa9ab9f8e5212446022a49b7f804252f0e
7cef1a964acbe38f4796b9ddbbd95e3fc19215594b2f3ab74483d58fe4bb93ad
bc8c14e388292845423f694eee8c01accb528d4a8dab6faf396846f08098dfcd
d4a2585b8df04e3a9eff39a5f3cb38f7277d13a1fb2fa46701f25a15f14f3b9e
a3d949b62016bc688520dfe0bf68075ca6666089eea641a62be626aecd1872ef
294003b3626890da222c7aeb34f7ac71cec614026c686fd88df269cc175a0e8c
71692ef79be48ddd6f27fc7d11d32f58988d833974eca11740c92511b3b6edbf
19e2bde176b68e7b609977a3965b60bb74afc5810781e1545c1dc83beeb64672
5f89b33cedfe3e9f075dd2312b10580dd16b5fb1702fe1f1ce572a792ec9bf91
fcc7ce0c1cf2c3d90bef0d564fcb9ac13631d73dd516a4e32f01ecd3ea9bcda9
d1a77a1cb9e4123494d9646d4d064289d6c96dd7a1ebde4dc0aab169c42018f0
078a6edfe74bdca838f020373b45f18d1a89abe276d75eedba8cc4a0e8ac0acd
7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67
3055d261f05a0656b1b92d9fa8ed3a72111a3a5c6d036d13d3d3a304ca99b987
7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474
757ddfaea3c3fe1d283195f096eebe58fb45d87359773e3a53a983d5b78a6f04
661b2c9879d7ae68512f820689f2198fdc2d71288ed0a6e747a0ae3f4a27f176
6c29d8bad383d0c43571ca79bb4887596c18c54053e174bb4d551a717ac33dc0
079172ddcc7b1086b9bf972b21d0d579dbff695fde14811165a986efe322873a
8d34477674ccda710d5acd22a1ea3ce7c9e818d7b6d3b19200c896fcf42f5b4b
3f6feb2ff90be022f4b11b4e4be46768ce735fa4fda2fc731232fd1105a109da
3f7dbeb177934d53205b93a27b9f4262fe0f46aaf090326cb8e2069d90d0414c
c0edb4ab0c1ec04e092eebb05cccc48d35f615c0db2a1e0c4363565586c7e519
70c558209d7201e690991be17a01c6ef7f5b14775f2cfb288f0abafa43187fe2
3acf15dfd8e4a0fbe7404c2f8aadda1cff0aba5c058f5b5c3481bb44d8ff5b64
ce0545657884415ef34e052fcdf36506eee3f33315810fac1b7f7c615f439dcf
5539d434ee526c3dd170b22ac661ded347391278c129f0f7571d683bdc0fb1db
e0b4936809d8a75b5095ce25dfb12e14c825e9401d941356749bba86a26b6bbb
f9e07becd2faaba0a53f178a513cef474849c4d82a1e69a871c81617db614296
bede23ca2e4d3eb802787a7098e718606abd5768e83dd7169b57c05f664a77bf
84f54e72011bbefa9480f3b556de2739efdd2910018230990ac5a1b580ff4993
4cb2a089b9b5c731fa3bca4d3e697271d948fed7882fb6ab86c3ebb3d86ab0ca
6e36e247d18636fd5a1790ec30a2700272016b7b18f92bb5e3afccd3f7850008
5ba161e67deaaeaea044b14dca79b7bea7050bd4ad76582c1e229d794e9d9029
bc4e72a6f1c09c44c778658efec7f0eb4d60d16e43527f72f9e5e98cb51667cd
b61b723de0b59c7c038675f8d76555a4e0e198e0e8234ef939c5f63ae55d58b5
fc5b0314dfd53a19bb905de5b758720df8a25857bdd1c5a72e5b1af7d4ff994a
b7ca17d1cca0c38096119bcc28f57877024c68fe6d9d5f54433c1b02f0352fad
63533c321441c3186976b15172a575eda99ad7ec6a937073b7b36ec45cf3e1f5
da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb
01e7f777e19a70073e6e8d286263b12b59bf8cc9af1e0b0c9fa4244ff63c9dc0
327c974b8d165bfbdc0c4277bd3d68e24b6d55a6d970340662ff78468a9c4e29
5680eb1ffa1fac4f1c5a78024331ff7dd8982138d89d2df4ec56996b44c9cc99
4728a46d0432b4fa8c56c71597346276a69c9a38842725426a44364cc0655457
f35cac13d76f955a715a51f5029ec8e4539004f02a447eec2b84febd7a4f62af
39c734ab91b8067c2458a620ce002b8bbe6f0e18176a7d98d022883ec73e67ec
ee9e68394df17b14d2190d46257445f427bc43d4e02be9f26bf6236b17fe0052
a38d77ec66208f83f4065fe43bf51c96b587d2937b0d5f6d1abb1ab973de3751
06e06f76364f957938f21dcba29b05d17da0597a9e18f3bedc2e0655e84a289f
b58aef4c00cd53ff6c8dbd8dc77106cc4d3c9267dd6a85a60689a7d877d296eb
ff9cc44e996069dfff874a512de5466e2c0ade9bca939ab235041ee301822586
a0f0432f815889adb15907adaab5489844a71f5527bb07afb3d37f1a6ef948df
3993abaf8f1b6758260ab97a7192a4dcce70c41ffb326db7f0e94dffaf647312
b0049161819d1b613e9bac0c0ab31c4926013efcb93041f2b8c56f5d34f2336a
90528e80817e530236ab8110837e1afc510cd1b3a69e90787d8dd00eb471a40a
a00f90db29e2c261c2b6bb00093c43659b577708e8afff72c97f17d41bb06e2e
ec8877718f6bace8cef59ee505e0cbed94a2f6531249d0801192b2de127cab85
9ca2e817ff19e5313105b3b468c5390aff48fabe778333d4d2d045659818e73a
b86a67a7dea558bd5719148ecc93ecb2c4f9270006ff304d860c866519c8ca15
550e199325198e2aeb1c1fe8228a37715962dcad001c447f29f226921e6a9f0e
b0cc835df649b790bf8fde133d284d4bf3b9c6fd65baaa6578f91b9b3fc33b5d
6dcc2f68713b9fd65e7cbd3c987632b67f4db83a27f7c1a4fc7b16b07f7e5306
4b3c55405763bd70c67aa1be3a5ff64ec09c0255d6151e94bfef3b230c295aa0
394fd362a6bc35e1883969937fdabd2acb05cf7226d4366ebfb2ce72566c1776
5e77f11a0205bd6b936833eeb03135df7d6de1d6bd8490e32c6843d89cd9023f
d5de28ab9d6c56d5eacee86451c92836f930ab3f4ff7851b467f4786657b754d
c4fd4ed2f44625ba8af80b9e9751a005de4a3060eab685bb8e3e4b455b90e3ba
107e5d98e41c2de3fc4d8844c85e6ccb2af6d35414a6b958eb39cb3feed64854
a80013d4175fe572cbeadb27d38a4fd397550d2b81532f6d800300c195536597
f2420fdc9492498195a8a0bae43cfbf7c721b18c43b55ccfecf941f06164b154
c91ecca54c0cbdf3f8714d7c92ca6858d4ddb5957ab06f9ed33bb73e3b5f6207
e7cf9ae73751f92a53dbbc41b4939510e23352bf3a942e86b269c72b80cdb63c
SH256 hash:
4e7559a9539caf9238081cc71ca062ac4b5cf35c132ab2cff639f96f71878bb6
MD5 hash:
eee2cbc8116cf91009dcd705456753f4
SHA1 hash:
7119a961d3556cb1c912dec91e40b098b6b57f8e
Link:
https://www.unpac.me/results/a136fc10-16b5-4760-bd58-975f2e53e8ab/
SH256 hash:
9ef12cc649a8aa011bb5c5c51bfa3baef3b6a8ec539c3e43f75c1319bbd45dff
MD5 hash:
46c5b4da39d0b8bf89d31b6fc165534e
SHA1 hash:
657a5314c4c3df7e2d74d0169b78c623095b48b9
Link:
https://www.unpac.me/results/a136fc10-16b5-4760-bd58-975f2e53e8ab/
SH256 hash:
6f0a08f005fcd2ded1fe6124656de735ba04d4b1d353c98440eceaa53140f0be
MD5 hash:
ee3a3698449bfdaf042245ae1326b17c
SHA1 hash:
e42c080a17118251bbfcd2e47e21424db7ffb5a6
Link:
https://www.unpac.me/results/a136fc10-16b5-4760-bd58-975f2e53e8ab/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6f0a08f005fcd2ded1fe6124656de735ba04d4b1d353c98440eceaa53140f0be

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BAZT_B5_NOCEXInvalidStream
Create hunting rule
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SelfExtractingRAR
Create hunting rule
Author:Xavier Mertens
Description:Detects an SFX archive with automatic script execution
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments