MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 90db10771f883300872c930078cf35dfae69cdecc2c7c809b85a64b624389caa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ResolverRAT


Vendor detections: 14


Intelligence 14 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 90db10771f883300872c930078cf35dfae69cdecc2c7c809b85a64b624389caa
SHA3-384 hash: c749d44022aa4a66836757747444e7ad8d50872e375a9f2ed9508398329e9d3e37f9469a1f21a44840f00bcf8e9bae87
SHA1 hash: f515ad476e2038ee4ec8c57223da1ab55f7b8701
MD5 hash: de13c09d4facb0e2d02c32ad58c21388
humanhash: mexico-ink-carpet-bravo
File name:SecuriteInfo.com.Win64.MalwareX-gen.29038.1642
Download: download sample
Signature ResolverRAT
Create hunting rule
File size:2'257'408 bytes
First seen:2025-06-09 16:46:19 UTC
Last seen:2025-06-09 17:30:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4cea7ae85c87ddc7295d39ff9cda31d1 (85 x RedLineStealer, 69 x LummaStealer, 61 x Rhadamanthys)
ssdeep 49152:/aqzGCemGcsk7+tBqRE3ea1mVWViF0PoPHWf+AU2mp6cVcZYeWnr:SqPEch7+tsO3ea1msiyPofVNQocZDWr
Threatray 295 similar samples on MalwareBazaar
TLSH T179A5337A32D46231E5B5A7F188F6032686B3B8B217B4A1FF2691C4FF5E326911434B17
TrID 41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
26.1% (.EXE) Win64 Executable (generic) (10522/11/4)
12.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.1% (.ICL) Windows Icons Library (generic) (2059/9)
5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter SecuriteInfoCom
Tags:exe ResolverRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
462
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
random.exe
Verdict:
Malicious activity
Analysis date:
2025-06-09 15:53:57 UTC
Tags:
lumma stealer loader themida amadey auto-sch botnet unlocker-eject tool auto-reg arch-exec telegram pastebin remote xworm rdp auto generic coinminer miner
Link:
https://app.any.run/tasks/3e66ee89-8c05-4173-b4a7-07f519b45900

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/8129/
Detection(s):
SecuriteInfo.com.Win64.MalwareX-gen.29038.1642.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=684710158bd5d68a12e71a32
Tags:
vmdetect emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a file
Launching a process
Сreating synchronization primitives
Connection attempt
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Verdict:
Malicious
Labled as:
HEUR/AGEN.1377616
Link:
https://www.hybrid-analysis.com/sample/90db10771f883300872c930078cf35dfae69cdecc2c7c809b85a64b624389caa
Malware family:
Sysinternals
Create hunting rule
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/63fe16ff-f1fa-4836-8f93-c63c0cc8f2b8
Result
Threat name:
ResolverRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1709979
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Allocates memory in foreign processes
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates multiple autostart registry keys
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses threadpools to delay analysis
Writes to foreign memory regions
Yara detected ResolverRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1709979 Sample: SecuriteInfo.com.Win64.Malw... Startdate: 09/06/2025 Architecture: WINDOWS Score: 100 63 Multi AV Scanner detection for dropped file 2->63 65 Multi AV Scanner detection for submitted file 2->65 67 Yara detected ResolverRAT 2->67 69 3 other signatures 2->69 7 SecuriteInfo.com.Win64.MalwareX-gen.29038.1642.exe 1 19 2->7         started        11 cmd.exe 1 2->11         started        13 cmd.exe 1 2->13         started        process3 file4 35 C:\Users\user\AppData\Local\...\winup.exe, PE32+ 7->35 dropped 37 C:\Users\user\AppData\Local\...\c2r64.dll, PE32+ 7->37 dropped 39 C:\...\api-ms-win-crt-utility-l1-1-0.dll, PE32+ 7->39 dropped 41 14 other files (none is malicious) 7->41 dropped 71 Creates multiple autostart registry keys 7->71 15 winup.exe 1 18 7->15         started        19 winup.exe 11->19         started        21 conhost.exe 11->21         started        23 winup.exe 13->23         started        25 conhost.exe 13->25         started        signatures5 process6 file7 43 C:\Users\user\SystemRootDoc\winup.exe, PE32+ 15->43 dropped 45 C:\Users\user\SystemRootDoc\c2r64.dll, PE32+ 15->45 dropped 47 C:\...\api-ms-win-crt-utility-l1-1-0.dll, PE32+ 15->47 dropped 49 14 other malicious files 15->49 dropped 53 Creates multiple autostart registry keys 15->53 55 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 15->55 27 AddInProcess32.exe 15->27         started        57 Writes to foreign memory regions 19->57 59 Allocates memory in foreign processes 19->59 61 Injects a PE file into a foreign processes 19->61 30 AddInProcess32.exe 2 19->30         started        33 AddInProcess32.exe 23->33         started        signatures8 process9 dnsIp10 73 Uses threadpools to delay analysis 27->73 51 185.149.232.221, 40000, 40001, 40002 UNREAL-SERVERSUS Netherlands 30->51 75 Found many strings related to Crypto-Wallets (likely being stolen) 30->75 signatures11
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/90db10771f883300872c930078cf35dfae69cdecc2c7c809b85a64b624389caa
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/90db10771f883300872c930078cf35dfae69cdecc2c7c809b85a64b624389caa/
Threat name:
Win64.Trojan.Amadey
Create hunting rule
Status:
Suspicious
First seen:
2025-06-09 16:47:09 UTC
File Type:
PE+ (Exe)
Extracted files:
76
AV detection:
17 of 23 (73.91%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sdnra5y7razqbbzmsmahrtzv36xgttpmyld4qcnyljslmjbytsva._file
Verdict:
malicious
Label(s):
resolverrat
Create hunting rule
unc_loader_044
Create hunting rule
Similar samples:
145289accb8c684e583ca3d99532d64d0a6a40142062e648c65ffd8da070c4c9
ResolverRAT
1ecc353c089e2581af25543adfbcf3d1600d622c5f908a4012e2f73b6d38fc3f
ResolverRAT
2982280afdfbc8b6dd5184297227f7b9dc534430858e3f4844d5a8af15ce403e
ResolverRAT
457c8b3a3be87e9f6268be29ee37e5f5fbc6a6848094416ba1f4c8797c4d7380
ResolverRAT
90db10771f883300872c930078cf35dfae69cdecc2c7c809b85a64b624389caa
ResolverRAT
966b07908a311687894e288fc9dbf410e48c1b10c0f8b08baa8d65b4d7c38c92
ResolverRAT
error
ResolverRAT
f7868fe2fc9c0e91175219fc893e06ea4001e6c1de3ac33552ac85588e1c9f7d
ResolverRAT
+ 285 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery persistence
Link:
https://tria.ge/reports/250609-valcrs1xd1/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/b2a5fb89-d0e6-4cfd-9f1d-d32a900ec3e5
Unpacked files
SH256 hash:
90db10771f883300872c930078cf35dfae69cdecc2c7c809b85a64b624389caa
MD5 hash:
de13c09d4facb0e2d02c32ad58c21388
SHA1 hash:
f515ad476e2038ee4ec8c57223da1ab55f7b8701
Link:
https://www.unpac.me/results/04e7d9a3-4141-492d-9e83-37b82ecd3d7c/
SH256 hash:
01e3c0aa24ce9f8d62753702df5d7a827c390af5e2b76d1f1a5b96c777fd1a4e
MD5 hash:
3a96f417129d6e26232dc64e8fee89a0
SHA1 hash:
47f9d89ea1694b94f4f8c5558311a915eca45379
Link:
https://www.unpac.me/results/04e7d9a3-4141-492d-9e83-37b82ecd3d7c/
SH256 hash:
0a2073428bee5f1881b068a7a9e3321cbd1f98142233eb8e1d4fe2e2c9813a6f
MD5 hash:
7fa7a9e378e4f60ff7b5bd2e07a78eba
SHA1 hash:
de7efc05b646df01ce9c8dca4055d4a5388e465e
Link:
https://www.unpac.me/results/04e7d9a3-4141-492d-9e83-37b82ecd3d7c/
SH256 hash:
23cc3feed47f0379c22db66a656193fe620c315b085bb13a112e57426e477961
MD5 hash:
4926b936e8ae528df0522c4f785012b0
SHA1 hash:
8185b65d76f065388b22de8113eddb1789cdaac7
Link:
https://www.unpac.me/results/04e7d9a3-4141-492d-9e83-37b82ecd3d7c/
SH256 hash:
293c76a26fbc0c86dcf5906dd9d9ddc77a5609ea8c191e88bdc907c03b80a3a5
MD5 hash:
53e23e326c11191a57ddf7ada5aa3c17
SHA1 hash:
af60bcca74f5b4b65c2b322ac7a5cedb9609c238
Link:
https://www.unpac.me/results/04e7d9a3-4141-492d-9e83-37b82ecd3d7c/
SH256 hash:
6c86e40c956eb6a77313fa8dd9c46579c5421fa890043f724c004a66796d37a6
MD5 hash:
d76f73be5b6a2b5e2fa47bc39eccdfe5
SHA1 hash:
dfed2b210e65d61bf08847477a28a09b7765e900
Link:
https://www.unpac.me/results/04e7d9a3-4141-492d-9e83-37b82ecd3d7c/
SH256 hash:
7050043b0362c928aa63dd7800e5b123c775425eba21a5c57cbc052ebc1b0ba2
MD5 hash:
5d409d47f9aebd6015f7c71d526028c3
SHA1 hash:
0da61111b1e3dbb957162705aa2dbc4e693efb35
Link:
https://www.unpac.me/results/04e7d9a3-4141-492d-9e83-37b82ecd3d7c/
SH256 hash:
9b05a43fdc185497e8c2cea3c6b9eb0d74327bd70913a298a6e8af64514190e8
MD5 hash:
877c5ff146078466ff4370f3c0f02100
SHA1 hash:
85cf4c4a59f3b0442cdc346956b377bae5b9ca76
Link:
https://www.unpac.me/results/04e7d9a3-4141-492d-9e83-37b82ecd3d7c/
SH256 hash:
bba068f29609630e8c6547f1e9219e11077426c4f1e4a93b712bfba11a149358
MD5 hash:
f440dc5623419e013d07dd1fcd197156
SHA1 hash:
0e717f3ab9ccf1826a61eeccda9551d122730713
Link:
https://www.unpac.me/results/04e7d9a3-4141-492d-9e83-37b82ecd3d7c/
SH256 hash:
bf55134f17b93d8ac4d8159a952bee17cb0c925f5256aa7f747c13e5f2d00661
MD5 hash:
c25321fe3a7244736383842a7c2c199f
SHA1 hash:
427ea01fc015a67ffd057a0e07166b7cd595dcfd
Link:
https://www.unpac.me/results/04e7d9a3-4141-492d-9e83-37b82ecd3d7c/
SH256 hash:
c4ed8f65c5a0dbf325482a69ab9f8cbd8c97d6120b87ce90ac4cba54ac7d377a
MD5 hash:
fe93c3825a95b48c27775664dc54cae4
SHA1 hash:
bae2925776e15081f445fbdd708e0179869b126d
Link:
https://www.unpac.me/results/04e7d9a3-4141-492d-9e83-37b82ecd3d7c/
SH256 hash:
cd5256b2fb46deaa440950e4a68466b2b0ff61f28888383094182561738d10a9
MD5 hash:
afc20d2ef1f6042f34006d01bfe82777
SHA1 hash:
a13adfc0d03bb06d4a8fe7fb4516f3e21258c333
Link:
https://www.unpac.me/results/04e7d9a3-4141-492d-9e83-37b82ecd3d7c/
SH256 hash:
f4163cbc464a82fce47442447351265a287561c8d64ecc2f2f97f5e73bcb4347
MD5 hash:
05af3f787a38ed1974ff3bda3d752e69
SHA1 hash:
c88117f16a0ae4ccb4f3d3c8e733d213de654b04
Link:
https://www.unpac.me/results/04e7d9a3-4141-492d-9e83-37b82ecd3d7c/
SH256 hash:
fab41a942f623590402e4150a29d0f6f918ee096dba1e8b320ade3ec286c7475
MD5 hash:
0d50a16c2b3ec10b4d4e80ffeb0c1074
SHA1 hash:
b81f1639d62dfc7be7ae4d51dd3fae7f29a1a297
Link:
https://www.unpac.me/results/04e7d9a3-4141-492d-9e83-37b82ecd3d7c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/90db10771f883300872c930078cf35dfae69cdecc2c7c809b85a64b624389caa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ResolverRAT

Executable exe 90db10771f883300872c930078cf35dfae69cdecc2c7c809b85a64b624389caa

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3559969/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/8129/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (FORCE_INTEGRITY)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::EqualSid
ADVAPI32.dll::FreeSid
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::GetTokenInformation
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryExA
KERNEL32.dll::GetDriveTypeA
KERNEL32.dll::GetVolumeInformationA
KERNEL32.dll::GetSystemInfo
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryA
KERNEL32.dll::CreateFileA
KERNEL32.dll::DeleteFileA
KERNEL32.dll::GetWindowsDirectoryA
KERNEL32.dll::GetSystemDirectoryA
KERNEL32.dll::GetFileAttributesA
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExA
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegQueryInfoKeyA
ADVAPI32.dll::RegQueryValueExA
ADVAPI32.dll::RegSetValueExA
WIN_USER_APIPerforms GUI ActionsUSER32.dll::PeekMessageA

Comments