MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7a4c304b810703f0eb30ae166efb16ff9c1cfb0ebc9db5948e959614a3e49d5d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



TVRat


Vendor detections: 12



SHA256 hash: 7a4c304b810703f0eb30ae166efb16ff9c1cfb0ebc9db5948e959614a3e49d5d
SHA3-384 hash: fcb7ee2152eda8809f5557c4e6116360bc57560662bf5ce11b9528ca30ad10287961312bce95e5be1a4bdc44fe2f6211
SHA1 hash: cd00b7f70a26a5c5cb1d775cb25fec8827c8309f
MD5 hash: 6bc6b19a38122b926c4e3a5872283c56
humanhash: east-carbon-lake-california
File name: 6bc6b19a38122b926c4e3a5872283c56
Signature: TVRat
File size: 7'246'316 bytes
First seen: 2022-01-08 07:24:28 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: ced282d9b261d1462772017fe2f6972b (127 x Formbook, 113 x GuLoader, 70 x RemcosRAT)
ssdeep: 196608:4wAaWs1y8oBH0YHxKg29+H0r7fcm0nHgIEH76:4wc8oiYHxKg2Gm0nH0G
Threatray: 13 similar samples on MalwareBazaar
TLSH: T17176331BE291AB8FF5C478728AB63151A87F9D3E54C62BF302C09551701B790BA7B39C
dhash icon: c4dadadad2f492c2 (25 x GuLoader, 14 x RemcosRAT, 7 x AgentTesla)
Reporter: zbetcheckin
Tags: 32 exe TVRat

Intelligence


File Origin
# of uploads: 1
# of downloads: 320
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: https://dogelab.net/1.exe
Verdict: Malicious activity
Analysis date: 2022-01-07 02:30:54 UTC
Tags: trojan

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% subdirectories
Creating a file
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Sending a custom TCP request
Using the Windows Management Instrumentation requests
DNS request
Setting a single autorun event
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
MalwareBazaar
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: control.exe expand.exe overlay packed shell32.dll
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 100 / 100
Signature
Antivirus detection for URL or domain
Contains functionality to detect virtual machines
Contains functionality to detect virtual machines (IN, VMware)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by executing a special instruction which causes a usermode exception
Behaviour
Behavior Graph (ID 549575; sample kv0WFRYIxS; start date 08/01/2022; architecture WINDOWS; score 100)
Sample-level network: pshzbnb.com; id.xn--80akicokc0aablc.xn--p1ai
Sample-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; 3 other signatures
Process tree: kv0WFRYIxS.exe started; ast.exe started (two instances)
kv0WFRYIxS.exe dropped: C:\Users\user\AppData\Local\...\quartz.dll (PE32); C:\Users\user\AppData\...\vcruntime140.dll (PE32); C:\Users\user\AppData\Local\...\vcomp140.dll (PE32); 21 other files (none is malicious)
kv0WFRYIxS.exe started: cmd.exe
cmd.exe started: ast.exe; conhost.exe
ast.exe (started by cmd.exe) network: id.xn--80akicokc0aablc.xn--p1ai 212.193.169.74, 443, 44335, 49780 SAFIB-ASRU Russian Federation; 127.0.0.1 unknown unknown; 192.168.2.1 unknown unknown
ast.exe (started by cmd.exe) signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Contains functionality to detect virtual machines (IN, VMware); Contains functionality to detect virtual machines; 4 other signatures
Threat name: Win32.Backdoor.Zegost
Status: Malicious
First seen: 2022-01-07 05:25:39 UTC
File Type: PE (Exe)
Extracted files: 11
AV detection: 14 of 28 (50.00%)
Threat level: 5/5
Result
Malware family: n/a
Score: 10/10
Tags: persistence suricata
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
suricata: ET MALWARE SpyAgent C&C Activity (Request)
suricata: ET MALWARE Win32.Spy/TVRat Checkin
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: Ins_NSIS_Buer_Nov_2020_1
Author: Arkbird_SOLG
Description: Detect NSIS installer used for Buer loader

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (Distributed via web download)
Signature: TVRat
File type: Executable exe
SHA256 hash: 7a4c304b810703f0eb30ae166efb16ff9c1cfb0ebc9db5948e959614a3e49d5d (this sample)

Comments



zbet commented on 2022-01-08 07:24:29 UTC

url: hxxps://dogelab.net/build.exe