MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9515dac6a4ff603dec56b68d9644ce438a76273199fa5723b52cb25dda396c59. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ResolverRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 19 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9515dac6a4ff603dec56b68d9644ce438a76273199fa5723b52cb25dda396c59
SHA3-384 hash: 374c457f90be98c34f86fda81fc725c0193f496cd832860be90a0e472d9da76ec518a149b665e7c8cf9bae12bb5d6ad6
SHA1 hash: a196dd3206ba5c71897baa8a9457c51f8373e14b
MD5 hash: 35ad76c6d4d996ce3a6a594f93aadc09
humanhash: nevada-thirteen-yellow-nuts
File name:9515dac6a4ff603dec56b68d9644ce438a76273199fa5723b52cb25dda396c59.bin
Download: download sample
Signature ResolverRAT
Create hunting rule
File size:11'477'584 bytes
First seen:2025-05-10 11:58:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1212c4aec26dcaa919edad5f9bd3122f (1 x ResolverRAT)
ssdeep 196608:/flclSbaBsmbRcq6peJ+Ha3+vmFGVKL1AJ:/fldbaBsS7636uO48LQ
Threatray 16 similar samples on MalwareBazaar
TLSH T166C6AD19A3E504A1E86BDB34CA25C333DAB47DA25635C10F055CF6C52F73A628B2F726
TrID 48.7% (.EXE) Win64 Executable (generic) (10522/11/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
dhash icon f0f0ecece8e0e4f8 (1 x ResolverRAT)
Reporter JaffaCakes118
Tags:exe ResolverRAT signed

Code Signing Certificate

Organisation:Crystal It Solution Sp. z o.o.
Issuer:SSL.com EV Code Signing Intermediate CA RSA R3
Algorithm:sha256WithRSAEncryption
Valid from:2025-04-16T19:13:09Z
Valid to:2026-04-16T19:13:09Z
Serial number: 5cb4d1450feaffd4c060859910e62c33
Cert Central Blocklist:This certificate is on the Cert Central blocklist
Thumbprint Algorithm:SHA256
Thumbprint: 430413795b2c12c4a6fc9cb840e5ed41348c88a543646d24103bb6be40b9e5ef
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
494
Origin country :
GB GB
Vendor Threat Intelligence
Malware family:
asyncrat
Create hunting rule
ID:
1
File name:
9515dac6a4ff603dec56b68d9644ce438a76273199fa5723b52cb25dda396c59.bin
Verdict:
Malicious activity
Analysis date:
2025-05-10 09:53:22 UTC
Tags:
stealer rat asyncrat remote purehvnc
Link:
https://app.any.run/tasks/2a84cee5-d26b-419b-b3d0-3f78423a8636

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win64.MalwareX-gen.2369.19050.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=681f4057e16384d6a703692d
Tags:
autorun spawn shell sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file
Launching a process
Creating a process with a hidden window
Сreating synchronization primitives
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
adaptive-context crypto expand fingerprint lolbin masquerade microsoft_visual_cc msbuild packed remote signed
Link:
https://www.filescan.io/uploads/681f3f8cc7418694c8a860b9/reports/2c9711b5-e263-42a0-b285-978974e14fb0/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/9515dac6a4ff603dec56b68d9644ce438a76273199fa5723b52cb25dda396c59
Malware family:
Rhadamanthys
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8a8bab4a-946c-4822-b9d3-54fbec9a688d
Result
Threat name:
PureCrypter, ResolverRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/1686702
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Allocates memory in foreign processes
Detected PureCrypter Trojan
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Suricata IDS alerts for network traffic
Tries to harvest and steal Bitcoin Wallet information
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected ResolverRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1686702 Sample: oYVqrUtlwo.exe Startdate: 10/05/2025 Architecture: WINDOWS Score: 64 49 Suricata IDS alerts for network traffic 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 Yara detected ResolverRAT 2->53 55 3 other signatures 2->55 7 oYVqrUtlwo.exe 1 3 2->7         started        11 oYVqrUtlwo.exe 2->11         started        13 oYVqrUtlwo.exe 2->13         started        15 oYVqrUtlwo.exe 2->15         started        process3 file4 43 C:\Users\user\StartupItems\oYVqrUtlwo.exe, PE32+ 7->43 dropped 45 C:\Users\...\oYVqrUtlwo.exe:Zone.Identifier, ASCII 7->45 dropped 65 Found many strings related to Crypto-Wallets (likely being stolen) 7->65 67 Uses schtasks.exe or at.exe to add and modify task schedules 7->67 69 Writes to foreign memory regions 7->69 17 jsc.exe 2 7->17         started        21 schtasks.exe 1 7->21         started        71 Multi AV Scanner detection for dropped file 11->71 73 Allocates memory in foreign processes 11->73 75 Injects a PE file into a foreign processes 11->75 23 schtasks.exe 1 11->23         started        25 jsc.exe 3 11->25         started        27 schtasks.exe 1 13->27         started        29 jsc.exe 2 13->29         started        31 schtasks.exe 1 15->31         started        33 jsc.exe 2 15->33         started        signatures5 process6 dnsIp7 47 176.65.139.51, 49730, 56001 PALTEL-ASPALTELAutonomousSystemPS Germany 17->47 57 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 17->57 59 Found many strings related to Crypto-Wallets (likely being stolen) 17->59 61 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 17->61 63 4 other signatures 17->63 35 conhost.exe 21->35         started        37 conhost.exe 23->37         started        39 conhost.exe 27->39         started        41 conhost.exe 31->41         started        signatures8 process9
Score:
28%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/9515dac6a4ff603dec56b68d9644ce438a76273199fa5723b52cb25dda396c59
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9515dac6a4ff603dec56b68d9644ce438a76273199fa5723b52cb25dda396c59/
Threat name:
Win64.Trojan.GenSteal
Create hunting rule
Status:
Malicious
First seen:
2025-05-10 03:22:51 UTC
File Type:
PE+ (Exe)
Extracted files:
3
AV detection:
15 of 37 (40.54%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=suk5vrve75qd33cww2gzmrgoiofhmjzrth5foi5vfszf3wrznrmq._file
Verdict:
malicious
Label(s):
resolverrat
Create hunting rule
Similar samples:
2037a021ebdbb489ac08f09e6e724412d666ade3dd13d1a13d7e0140203205e9
ResolverRAT
2e62cd8e6e7145c27411f2a48be6b23dd80d03bed1b9e1baaa51b651bd9172b3
ResolverRAT
61959baf831b4d2542347c0a7545eef5faaa387b3c9a1bc57f6481d994e245e3
ResolverRAT
a52df1ec9a3db746a5753efd4cf559b9a11979c792cf1238f9f97de1fca49a81
ResolverRAT
error
ResolverRAT
facf9cf0e986ba43f6317457ccb711e45c06e279c08ed4bbafc77c6a5e6d0b60
ResolverRAT
+ 6 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery persistence
Link:
https://tria.ge/reports/250510-n5rppsdm7v/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/7e815b03-268c-4ac1-85cb-bca162ef20c2
Unpacked files
SH256 hash:
9515dac6a4ff603dec56b68d9644ce438a76273199fa5723b52cb25dda396c59
MD5 hash:
35ad76c6d4d996ce3a6a594f93aadc09
SHA1 hash:
a196dd3206ba5c71897baa8a9457c51f8373e14b
Link:
https://www.unpac.me/results/fe069996-6a45-49f8-bd07-d014923ffc75/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9515dac6a4ff/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9515dac6a4ff603dec56b68d9644ce438a76273199fa5723b52cb25dda396c59

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__MemoryWorkingSet
Create hunting rule
Author:Fernando Mercês
Description:Anti-debug process memory working set size check
Reference:http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:Jupyter_infostealer
Create hunting rule
Author:CD_R0M_
Description:Rule for Jupyter Infostealer/Solarmarker malware from september 2021-December 2022
Rule name:Lumma_Stealer_Detection
Create hunting rule
Author:ashizZz
Description:Detects a specific Lumma Stealer malware sample using unique strings and behaviors
Reference:https://seanthegeek.net/posts/compromized-store-spread-lumma-stealer-using-fake-captcha/
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:reverse_http
Create hunting rule
Author:CD_R0M_
Description:Identify strings with http reversed (ptth)
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:test_Malaysia
Create hunting rule
Author:rectifyq
Description:Detects file containing malaysia string
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ResolverRAT

Executable exe 9515dac6a4ff603dec56b68d9644ce438a76273199fa5723b52cb25dda396c59

(this sample)

  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::RevertToSelf
NCRYPT_APIUses NCrypt APIncrypt.dll::NCryptImportKey
ncrypt.dll::NCryptOpenKey
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::GetTokenInformation
ADVAPI32.dll::ImpersonateLoggedOnUser
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::OpenProcess
ADVAPI32.dll::OpenThreadToken
KERNEL32.dll::VirtualAllocExNuma
KERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetSystemInfo
KERNEL32.dll::GetDiskFreeSpaceExW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetConsoleTextAttribute
KERNEL32.dll::GetConsoleScreenBufferInfo
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleOutputCP
KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileExW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::GetSystemDirectoryW
VERSION.dll::GetFileVersionInfoSizeW
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueW
WIN_BCRYPT_APICan Encrypt Filesbcrypt.dll::BCryptCreateHash
bcrypt.dll::BCryptDecrypt
bcrypt.dll::BCryptDestroyHash
bcrypt.dll::BCryptDestroyKey
bcrypt.dll::BCryptEncrypt
bcrypt.dll::BCryptExportKey
WIN_CRYPT_APIUses Windows Crypt APICRYPT32.dll::CertAddCertificateContextToStore
CRYPT32.dll::CertAddCertificateLinkToStore
CRYPT32.dll::CertCreateCertificateChainEngine
CRYPT32.dll::CertDuplicateCertificateContext
CRYPT32.dll::CertEnumCertificatesInStore
CRYPT32.dll::CertFindCertificateInStore
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW
WIN_SOCK_APIUses Network to send and receive dataWS2_32.dll::FreeAddrInfoW
WS2_32.dll::FreeAddrInfoExW
WS2_32.dll::GetAddrInfoW
WS2_32.dll::GetAddrInfoExW
WS2_32.dll::GetNameInfoW
WS2_32.dll::WSAConnect

Comments