MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7fa09dedce556fe7faaf343f399c45b53cc20e54eedb187692de8897e8b50e7a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7fa09dedce556fe7faaf343f399c45b53cc20e54eedb187692de8897e8b50e7a
SHA3-384 hash: 1eecd7f4260ea2b7eed26cde5a30b7f50f067cbc3e43fd78c6f5ad60a6277b88e7264b2327fd346626e2fd5da01d5a57
SHA1 hash: 993fb46441601abe18d8baabf4e249774f8e5cb0
MD5 hash: cc632610ac5e7dec3356325b38c34914
humanhash: romeo-asparagus-zulu-lion
File name:7fa09dedce556fe7faaf343f399c45b53cc20e54eedb187692de8897e8b50e7a
Download: download sample
File size:1'980'640 bytes
First seen:2021-03-01 18:24:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 49152:mADZb/fK9wE+T+/7KtB/B1xGuL30zTiaJ/GD/z:m6n7E+1Bp1x13AxBGX
Threatray 397 similar samples on MalwareBazaar
TLSH C4952340BAC285B2D07319321A28BA156D7A7D306F245BAFE3D46D2DCB3D5E16224B73
Reporter c3rb3ru5d3d53c2


Avatar
c3rb3ru5d3d53c
@c3rb3ru5d3d53c Live Hunt

Intelligence

File Origin
# of uploads :
1
# of downloads :
94
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
7fa09dedce556fe7faaf343f399c45b53cc20e54eedb187692de8897e8b50e7a
Verdict:
Malicious activity
Analysis date:
2021-03-01 18:30:44 UTC
Tags:
trojan rat backdoor dcrat evasion
Link:
https://app.any.run/tasks/3948a2b8-b5f6-477e-a4f4-d021e87793a8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
EnigmaStub
Create hunting rule
Link:
https://www.capesandbox.com/analysis/120364/
Detection(s):
SecuriteInfo.com.Gen.Variant.Johnnie.221809.751.14920.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Sending a UDP request
Using the Windows Management Instrumentation requests
Launching a process
Creating a file in the Program Files subdirectories
Creating a file in the Windows subdirectories
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/622684
Signature
.NET source code contains in memory code execution
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Drops PE files with benign system names
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 360332 Sample: wKyYhGC9pm Startdate: 01/03/2021 Architecture: WINDOWS Score: 100 79 Antivirus detection for dropped file 2->79 81 Multi AV Scanner detection for submitted file 2->81 83 .NET source code contains method to dynamically call methods (often used by packers) 2->83 85 7 other signatures 2->85 13 wKyYhGC9pm.exe 3 6 2->13         started        16 explorer.exe 3 2->16         started        19 LlrdRCfGBenlHVmGK.exe 2->19         started        process3 file4 71 C:\wincommon\nKY3mG3uvgKCe6wOceFr.exe, PE32 13->71 dropped 21 wscript.exe 1 13->21         started        73 Antivirus detection for dropped file 16->73 75 Machine Learning detection for dropped file 16->75 77 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 16->77 signatures5 process6 process7 23 cmd.exe 1 21->23         started        process8 25 nKY3mG3uvgKCe6wOceFr.exe 6 23->25         started        29 conhost.exe 23->29         started        file9 69 C:\wincommon\netinto.exe, PE32 25->69 dropped 95 Antivirus detection for dropped file 25->95 97 Detected unpacking (changes PE section rights) 25->97 99 Machine Learning detection for dropped file 25->99 101 Hides threads from debuggers 25->101 31 wscript.exe 1 25->31         started        signatures10 process11 process12 33 cmd.exe 1 31->33         started        process13 35 netinto.exe 1 15 33->35         started        39 conhost.exe 33->39         started        file14 61 C:\Windows\SKB\...\RuntimeBroker.exe, PE32 35->61 dropped 63 C:\Users\Default\Saved Games\services.exe, PE32 35->63 dropped 65 C:\Recovery\explorer.exe, PE32 35->65 dropped 67 3 other malicious files 35->67 dropped 87 Antivirus detection for dropped file 35->87 89 Machine Learning detection for dropped file 35->89 91 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 35->91 93 2 other signatures 35->93 41 schtasks.exe 1 35->41         started        43 schtasks.exe 1 35->43         started        45 schtasks.exe 1 35->45         started        47 4 other processes 35->47 signatures15 process16 process17 49 conhost.exe 41->49         started        51 conhost.exe 43->51         started        53 conhost.exe 45->53         started        55 conhost.exe 47->55         started        57 conhost.exe 47->57         started        59 conhost.exe 47->59         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7fa09dedce556fe7faaf343f399c45b53cc20e54eedb187692de8897e8b50e7a/
Threat name:
Win32.Trojan.Rasftuby
Create hunting rule
Status:
Malicious
First seen:
2021-03-01 18:25:07 UTC
AV detection:
22 of 48 (45.83%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
1ca9978db84d8cad7f6a8f838e106799352c386cfa3aee2bbefa195e7fabe166
2fd1a2e50342526d203ffdcbf53914350647d8b963c044d55d9061fc7b92923a
4ce7656c38f73b3580594e7850ccc1723340ba789b233c248861b0e08e52d8d4
5fd5abeb26cdc364310d6e88bb4326d6801eba7dfebca2601fb0ad11797acdd6
68313d4b45cc908f541dd581d7b9d1e8ccadcbf205714c12c36b58083ada7345
6b9fc5c25a2b8fdb0b218dbc96f51d59dbf5c486d2bfc39eed32660f3c238bc8
6d833bd671f179c8dfdf89aac0bc77cd7bb49f82a98cbf5d8122a9d47fa98e9f
7fce676b063449eecd1236727598513639a7fd166d6e2f86dce138b97636d572
80536b49ba7399678255e9955b7c82cc8fd86751c5b4553292af23a8e6729bce
f6a307d243c407c27489de37adac83e9205be531cbb4e2cb71545627faf813fd
+ 387 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/210301-5ax3f3wqzs/
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Looks up external IP address via web service
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
d273bd58cf5ad15194054418912d8feaa0916a081993c59a08743fb90f4c38ec
MD5 hash:
1148d3064bc219e3757fff2bf349a061
SHA1 hash:
b3df61121af30a4d67a33c5de6bc768a7c45faab
Link:
https://www.unpac.me/results/bbda66e2-7708-42dd-9536-8be23906a1ab/
SH256 hash:
f65af10aaa016868ce313cc45ff74db57006f4eb8791028f4b9532a19c248e79
MD5 hash:
1fbdfbb63d49d4ff1ffc5842d1f7734c
SHA1 hash:
6dc6b741789bbd74e7e3cda7b89505ed10fd9467
Link:
https://www.unpac.me/results/bbda66e2-7708-42dd-9536-8be23906a1ab/
SH256 hash:
7fa09dedce556fe7faaf343f399c45b53cc20e54eedb187692de8897e8b50e7a
MD5 hash:
cc632610ac5e7dec3356325b38c34914
SHA1 hash:
993fb46441601abe18d8baabf4e249774f8e5cb0
Link:
https://www.unpac.me/results/bbda66e2-7708-42dd-9536-8be23906a1ab/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Enigma
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7fa09dedce556fe7faaf343f399c45b53cc20e54eedb187692de8897e8b50e7a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:enterpriseunix
Create hunting rule
Author:Tim Brown @timb_machine
Description:Enterprise UNIX

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Link
https://www.virustotal.com/gui/file/7fa09dedce556fe7faaf343f399c45b53cc20e54eedb187692de8897e8b50e7a/details
  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/120364/

Comments