MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a32a3ad86f79de103387c8a3da630c1d288d9827912a4afc45165cedddf82d32. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ResolverRAT


Vendor detections: 13


Intelligence 13 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a32a3ad86f79de103387c8a3da630c1d288d9827912a4afc45165cedddf82d32
SHA3-384 hash: 7670e1b16b8422811e90ecc88dd0c77722a229504254d3fc09d7f48f28b866021c83d795effe66504e08982460589cb9
SHA1 hash: 20bc9f5a2e7d7bc7370b135ced6c797a39c331d7
MD5 hash: 23afafad5bf2bd916a914d0cb957ad4e
humanhash: princess-lemon-blossom-table
File name:23afafad5bf2bd916a914d0cb957ad4e.exe
Download: download sample
Signature ResolverRAT
Create hunting rule
File size:325'120 bytes
First seen:2025-07-07 13:17:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:ZSi1rh5YkOnw1OBI2D7ew6q9r4m6JYiGR7FMbD782xwtRd++yhDqfl:T13Yk6BIU7Gm6OiGhFQBw5++yAfl
Threatray 309 similar samples on MalwareBazaar
TLSH T181642318DAAC5730D6974A3F04E69B1CCAF5C2884DB5EB15B44F280D3B46F53C693672
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter abuse_ch
Tags:exe ResolverRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
22
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2025-07-03_a5372f2e84c481779220c969f817bfdd_black-basta_cobalt-strike_luca-stealer_satacom_vidar
Verdict:
Malicious activity
Analysis date:
2025-07-03 14:16:46 UTC
Tags:
auto-reg python pyinstaller stealer netreactor purehvnc
Link:
https://app.any.run/tasks/706b59b4-ba1e-4efd-951e-979579aadc14

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/12678/
Verdict:
Malicious
Score:
95.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=686bc8e5900df8e7f868372a
Tags:
asyncrat dropper virus msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 net_reactor obfuscated obfuscated packed packed packer_detected
Link:
https://www.filescan.io/uploads/686bc8e20737c4165a9240a5/reports/232089ac-2bb1-4a1e-bac6-893e7fb811df/overview
Verdict:
Malicious
Labled as:
MSILHeracles.Generic
Link:
https://www.hybrid-analysis.com/sample/a32a3ad86f79de103387c8a3da630c1d288d9827912a4afc45165cedddf82d32
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/0212d970-cdc6-4d4d-b99e-6b2aeeba393d
Result
Threat name:
PureCrypter, ResolverRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1730092
Signature
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Detected PureCrypter Trojan
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Suricata IDS alerts for network traffic
Tries to harvest and steal Bitcoin Wallet information
Yara detected ResolverRAT
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a32a3ad86f79de103387c8a3da630c1d288d9827912a4afc45165cedddf82d32
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable PE (Portable Executable) SOS: 0.86 Win 32 Exe x86
Link:
https://app.malva.re/file/23afafad5bf2bd916a914d0cb957ad4e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a32a3ad86f79de103387c8a3da630c1d288d9827912a4afc45165cedddf82d32/
Threat name:
Win32.Trojan.Egairtigado
Create hunting rule
Status:
Malicious
First seen:
2025-07-01 11:47:32 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=umvdvwdpphpbam4hzcr5uyymduui3gbhsevev7cfczoo3xpyfuza._file
Verdict:
malicious
Label(s):
resolverrat
Create hunting rule
Similar samples:
11038fee1fb700d5d0482c7dbdaecababedddbd5049d471205849ebe2d97ae09
ResolverRAT
1ecc353c089e2581af25543adfbcf3d1600d622c5f908a4012e2f73b6d38fc3f
ResolverRAT
374c270caa42b3ba1a0b31c33a47fe590c38ef8997845d48ae3fb8a575f7d608
ResolverRAT
40b7bdf78cfa9be46ccbe9279bcdb909c62f9df037c63d6d7cacff7edba41e47
ResolverRAT
9981f433a0c08809fb3e0f31e3d20fb59e66df0f3b3c62100a7af11f770c583a
ResolverRAT
a32a3ad86f79de103387c8a3da630c1d288d9827912a4afc45165cedddf82d32
ResolverRAT
c1dca23a37750e7d9ed551b3529cbde04edbc84d066bc8074b1ccdef0c9ebc94
ResolverRAT
error
ResolverRAT
+ 299 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/250707-qjhk1stxdy/
Behaviour
Suspicious use of AdjustPrivilegeToken
System Location Discovery: System Language Discovery
Reads user/profile data of web browsers
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/4ed8da25-5e2c-4cb6-91a4-0669a1f1ef95
Unpacked files
SH256 hash:
a32a3ad86f79de103387c8a3da630c1d288d9827912a4afc45165cedddf82d32
MD5 hash:
23afafad5bf2bd916a914d0cb957ad4e
SHA1 hash:
20bc9f5a2e7d7bc7370b135ced6c797a39c331d7
Link:
https://www.unpac.me/results/54304058-e744-43bf-90e6-f59fdac45217/
SH256 hash:
66627b4c2f438de43d43ddbd36ec28db4dd2e279c82ccad22ea827ae7e07a5fd
MD5 hash:
9dc23e8b5d4eafd7e9366cdce4e79a07
SHA1 hash:
85be0f71543737041821268222e35c97b862d07d
Link:
https://www.unpac.me/results/54304058-e744-43bf-90e6-f59fdac45217/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.95
Link:
https://yomi.yoroi.company/submissions/a32a3ad86f79de103387c8a3da630c1d288d9827912a4afc45165cedddf82d32

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/12678/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments