MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ac08903be48df04ee8b744c61a65c8003af729943049cb4d04870854686c93ca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 15


Intelligence 15 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ac08903be48df04ee8b744c61a65c8003af729943049cb4d04870854686c93ca
SHA3-384 hash: b19e13fdb1391366b26939380cad83a92ece00e619f1ca0e5235443ac4607fcb32555191bbaa690675ed55831ccd6e4d
SHA1 hash: 078ae76a2b2bd974edbe3d8b05fc092d95b61668
MD5 hash: fe12a02585a6ce25746ee2a914377cf1
humanhash: table-jig-mobile-mango
File name:ac08903be48df04ee8b744c61a65c8003af729943049c.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:7'803'519 bytes
First seen:2023-05-07 00:35:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 027ea80e8125c6dda271246922d4c3b0 (10 x njrat, 7 x DCRat, 5 x DarkComet)
ssdeep 98304:qAbiwfZ7n37gA2hX3slpP0FA+uZiQlPjq/+3vzO0Kt/zxcNkHZVd/2sT:qAtZzL2hsE6DZiQlPjq/0zqzxcG5n/28
Threatray 1 similar samples on MalwareBazaar
TLSH T1BB76BF67B712CE68C0CAC571A19797B15B20BC1404B6A3073ADE371E6EB2B402E5D9DF
TrID 52.5% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
39.0% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
3.2% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
2.0% (.EXE) Win64 Executable (generic) (10523/12/4)
0.9% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon d08ed6cc68f0c4f0 (5 x DCRat)
Reporter abuse_ch
Tags:DCRat exe


Avatar
abuse_ch
DCRat C2:
http://212.109.195.44/LinuxProtect/53sql/6/1/base7/Python/Video/UploadsPrivateprocessorExternal/VideogameDb.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
261
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
dcrat
Create hunting rule
ID:
1
File name:
Auto-Teleport.exe
Verdict:
Malicious activity
Analysis date:
2023-05-06 18:46:19 UTC
Tags:
loader rat backdoor dcrat stealer
Link:
https://app.any.run/tasks/843ef032-8f4c-4694-a0a1-77dc0a84392d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/387192/
Detection(s):
SecuriteInfo.com.VBS.Encrypted.Gen.UNOFFICIAL
Create hunting rule

Win.Trojan.Uztuby-9855059-0
Create hunting rule

Win.Ransomware.Clinix-9868408-0
Create hunting rule

Win.Packed.Uztuby-9937390-0
Create hunting rule

Win.Packed.Basic-9952747-0
Create hunting rule

Win.Malware.Uztuby-9957322-0
Create hunting rule

Win.Packed.Uztuby-9963900-0
Create hunting rule

Win.Packed.Uztuby-9969968-0
Create hunting rule

Win.Malware.Uztuby-9972880-0
Create hunting rule

Win.Trojan.DarkKomet-9976180-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file
Creating a process from a recently created file
Launching a process
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Creating a file in the Program Files subdirectories
Creating a file in the Windows subdirectories
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Changing the hosts file
Enabling autorun by creating a file
Unauthorized injection to a system process
Using obfuscated Powershell scripts
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/82867/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
78%
Tags:
anti-debug coinminer evasive greyware keylogger overlay packed packed setupapi.dll shdocvw.dll shell32.dll
Link:
https://www.filescan.io/uploads/6456f272c2315c7ec20e34cd/reports/31112c83-d33e-47ce-b306-dfd6508a5270/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/ac08903be48df04ee8b744c61a65c8003af729943049cb4d04870854686c93ca
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5d7eed33-d476-4a71-a379-d2cd25ce5ae4
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1227614
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Creates files in the system32 config directory
Creates processes via WMI
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sigma detected: Stop multiple services
Snort IDS alert for network traffic
Uses cmd line tools excessively to alter registry or file data
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Very long command line found
Writes to foreign memory regions
Yara detected DCRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 860578 Sample: ac08903be48df04ee8b744c61a6... Startdate: 07/05/2023 Architecture: WINDOWS Score: 100 83 Snort IDS alert for network traffic 2->83 85 Found malware configuration 2->85 87 Antivirus detection for dropped file 2->87 89 12 other signatures 2->89 9 ac08903be48df04ee8b744c61a65c8003af729943049c.exe 5 2->9         started        12 cmd.exe 2->12         started        15 cmd.exe 2->15         started        17 13 other processes 2->17 process3 file4 61 C:\set_up.exe, PE32+ 9->61 dropped 63 C:\inst.exe, PE32+ 9->63 dropped 65 C:\bibilds.exe, PE32 9->65 dropped 19 bibilds.exe 3 6 9->19         started        23 inst.exe 2 9->23         started        25 set_up.exe 9->25         started        105 Uses cmd line tools excessively to alter registry or file data 12->105 107 Uses powercfg.exe to modify the power settings 12->107 109 Modifies power options to not sleep / hibernate 12->109 27 conhost.exe 12->27         started        33 10 other processes 12->33 29 conhost.exe 15->29         started        35 4 other processes 15->35 111 Creates files in the system32 config directory 17->111 31 conhost.exe 17->31         started        37 3 other processes 17->37 signatures5 process6 file7 53 C:\comagentwin\MssurrogateMonitor.exe, PE32 19->53 dropped 55 C:\...\7vdhN5u9kDYixC23a0w5sHwE4.vbe, data 19->55 dropped 91 Antivirus detection for dropped file 19->91 93 Multi AV Scanner detection for dropped file 19->93 95 Machine Learning detection for dropped file 19->95 39 wscript.exe 1 19->39         started        57 C:\Users\user\AppData\Local\...\pdszfelh.tmp, PE32+ 23->57 dropped 59 C:\Program Filesbehaviorgraphoogle\Chrome\updater.exe, PE32+ 23->59 dropped 97 Writes to foreign memory regions 23->97 99 Modifies the context of a thread in another process (thread injection) 23->99 101 Found hidden mapped module (file has been removed from disk) 23->101 103 2 other signatures 23->103 41 dialer.exe 23->41         started        43 conhost.exe 23->43         started        signatures8 process9 process10 45 cmd.exe 1 39->45         started        process11 47 MssurrogateMonitor.exe 2 20 45->47         started        51 conhost.exe 45->51         started        file12 67 C:\comagentwin\FXykwJMUJtIe.exe, PE32 47->67 dropped 69 C:\Windows\Tasks\FXykwJMUJtIe.exe, PE32 47->69 dropped 71 C:\Windows\Prefetch\...\FXykwJMUJtIe.exe, PE32 47->71 dropped 73 6 other malicious files 47->73 dropped 75 Antivirus detection for dropped file 47->75 77 Multi AV Scanner detection for dropped file 47->77 79 Machine Learning detection for dropped file 47->79 81 2 other signatures 47->81 signatures13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ac08903be48df04ee8b744c61a65c8003af729943049cb4d04870854686c93ca/
Threat name:
ByteCode-MSIL.Backdoor.DCRat
Create hunting rule
Status:
Malicious
First seen:
2023-05-02 15:58:15 UTC
File Type:
PE (Exe)
Extracted files:
135
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vqejao7erxye52fxitdbuzoiaa5pokmugbe4wtieq4efi2dmspfa._file
Verdict:
malicious
Similar samples:
51b3d59d59b618ade2fa6c244a0055219e718d32aaacbc61bf7ab964d0059b51
DCRat
Result
Malware family:
dcrat
Create hunting rule
Score:
  10/10
Tags:
family:dcrat evasion infostealer rat
Link:
https://tria.ge/reports/230507-axw3kaeh6y/
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Drops file in Program Files directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Drops file in Drivers directory
Stops running service(s)
DCRat payload
DcRat
Modifies security service
Process spawned unexpected child process
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SH256 hash:
ced608d5f5826533e8b2df84558a3c460ba46ae716a15f99e4b4b67fbc06c106
MD5 hash:
6eb8cc11833900eae9eab4125de7dc55
SHA1 hash:
ac475d0a76ed27798bebd7b66e5801a3feac9d35
Link:
https://www.unpac.me/results/c4f9b237-da2a-4dd4-b29e-4b55f8353b31/
SH256 hash:
b83d57e34fa87c1fbdbde8f281662f275e015bdfd21cae4dd3893273d91876e3
MD5 hash:
b148192abfe1bfa9532294df43db0a28
SHA1 hash:
9f1304898ba231fda0ecf55204f5277d064cb668
Link:
https://www.unpac.me/results/c4f9b237-da2a-4dd4-b29e-4b55f8353b31/
Parent samples :
c77f97d66580abf03cf332242848689969e9957747a9fcc21dfe7a2ac1237b0d
189a5a34e99c66355da0eb5c04636ac3a06404723cc2de86a22bda42aadeea21
cd652234e4620f37b2c74931cfa9bc463560d38976ea12f384c92c4827366434
b84321d7416c9898a381c39e94867b880aea15a68049795d81888371c70d16c3
4c13d7949070e6361626b855d849afa3e4721b654a7906303bb5933645498c53
377f3033cdfdcf4b2bd6b9c2949abcb8d7973c2ade4115d1c622db274bfac687
34e740ecbaab29c15536abd6409bd10e1880a77eeb8a5a88e787051d4fd916a9
9e7a70da8b8fbd3193c3a9c10cb1b120802a8ef88e4e1c4c03945cd87dc0dd2f
942ce9bb5178d33eb90530cb614c3857f6b76723548e2e2865655072f47ecc62
66c9abad6488aa8867643b6c417c458ae6978ad86d4fa30ee40bd1f90683433c
e6e4997c4d3b458b12715acf42f18421e60121dcbb461476ecdc487d5caa5284
dfb61558c4fe802041d53dc777e82106afc9377cf60567e797296b1cd74aa402
3eeb9115c3888d0b1c4cfccc25bb48661b90f308bdcc1ea0c2a56a7030d5c547
54de552295e919218a7d43a1d0114bae169a79a1963113d615fd8bce428b385d
9c8b561cf27708f285da964826b1183608e75be698f6b5a4469faea8e535a760
e5ceb36a479f4affece79593a04374e43b3619ab38e64b1b36a76b25a149baff
65d59cc441cd33c09cc1d83f3097da96414b23480d94ee0bf74477aa0f012588
e341875335ab0192719a7a17c39dd43fe185be56d7dff52c8434525489523007
669634a33853f70175e367b9519b29e5ac57ddeb412884c004875344ad2b5165
7d9ec2e09c8559b1d695569da5f16b9a6edd54c38526b91d458ca5c43c401761
2774262a54ea6008d5b508f4d95eb811bd5d7dc50e1c0659d016ab33d966e729
85fa3bba1c836ac87b3bede3666032cf869ac536095b22cd661ad930f631bb87
425fea1071b9d17709b1c93a92ce8497bd4d8f42d17bf7f7dc47db9fede0133a
53f5687e99cd9f17ea56728183c0e8c32e8825efd4c92c3a62278613c5a8d0ba
266126ef45c3eb686abbb96bb3dc4427f7772bb48b8e9ad1c502b43c63c92475
17154764e83a28a94dd2d6d0250d641c9e1284ecd7b6def2302f640728bdc102
8d719797d54ade99d81bc37270540ae77d665a7a11322fbd7cc6821033ee55f5
c4ec5d7b7a9bf60de2c201ebaca15ef8da3590033d4abc42fa402bcd2e5abd79
486a172f5e53e60a401aafcd42ea3ff43474f7fc728408fbcc74993e3327a823
0bcb6a2a0bc53d7f8123dc77302edaaa382ac3f3b1124187277df169bee3b11d
a93149d4911689487366f8b17fa9d5d4f3ecc43e7e75daeb28786e41a9712797
27fb772f0a2179eb3a713bdde7dd8877b3e208cc29743a97be71308309664e91
cebb491e8af42508a08b3d72e299bb73ce764dbe0697aa86d5e300ff50cfeb69
78e05cedaa8ac3d3361793ab8b19b6ba2147ea99cd6e406720e90dc5474fcda0
46380b549b3208615eddf824e872735af7f7463dd35d17db1f57bb3c9fb05499
2098a5c58be76612a56e5dc768ecffac4d8ca0c90f98d089838f299b5cc2990d
284f083103d1c160d9e4721ecce515646ce451a1b7ddf9dd89817904e21a4a2d
087437817d3d61d126cd0ca6d5d6babcd39fb5c85a48b95c023878d124051da4
738f3b29b73ecee8cb2f1439bfb37f537b00fea55329de4d5a9eb556f5124898
0a0367e1f2d803ba830f19529ef49bcc840a1703724538006e608621c8d2912c
ca834f0de0a8eb1fa2beda59fc7a5dc9879886f9a066d6065ef621506b43590f
87f220dad3bbeec6f39ed3e74eaa5b63f91924104b238fd33b4c5d49cc88f1ac
5d3aa443debb15bdf756b94980e0a6bcbef950edd72941905f70eded5238590c
de00660d0d96ff67cb8e89a8d8525567327b109bc54b9042e5fdd516dcc0e51a
c272d027197eb4f77e23f4dd1882c2cc211e5eee6034bb05d8bcfc24b57d1e95
5a5a46af90193d8362d2a18fe8ca308e7ed5402b59827c887d5ef10b3fe4578f
1365414d90a8e9a059336e150f9123f59562c2c5b3a354f3d73f882773f04571
0dacdf0e2ae577718cce67a4498ca419da614bf7b536c615528bb6e273717f54
0b4aa6685967ac49d493aa595578c445dd75bf839dc95aa48604825c1eef0ee9
3fa6ddcabcb03763ef1887117e16ebdf0553a1cc2a16b58bdecaba0735d4e60a
b108df3575c8f9c77577486a92b52fe55bfb6508acca68b22250d8e1fc0494fb
a6a27d9ba682a107558cdb16fcd50ebbe3d112c8dab38e96d5926c522781cc81
7238e57350be305f25ca913714b571ee225a658bf5234d9e98cf72e176b8749b
533c1f6d82962094e076116e5eaf643dd440eff83861ccf26334bc553fb6d129
5a089053f785fbdc6e6d11d32a6e74c9e5af34a6b3be078e867b0fe18833a7b6
258424cd8a701639a5ba89800e9e425463ab6219ce8435a37ea3c28b9b181ffa
0b80872ae84d5a7de900b51596d85e09361774ae22cd577ec4898b4350737a53
374290f4bc29e1d5a3295b8f23c281393075beae64db51cd5a5e96c03f9ef8b0
ad3cad3320c96364564203d96cc76ebea925dcc8de447195e0c1addb9f28e7e8
38b3c41d485fa638c249ee54c9a3ca358a9eb36e561834d9f7f2fca088da6248
cdb363f810ebeea6e40abc725c14e9bf78a3014559ec32903c15fd7576fcac20
9c8937d1ffc2a8ce23cbaddaa9e8b046d1460fc684d05b609fec3514ab14c39c
25228b9b7646e3a44d0c0458b2d9f4dde89cb36ca52f69ae317edad02678678c
90cd882d4b7aa3939307bcc71bc05d38e600cb22e8984985335df1feac12e44a
4ce4afc5fd856ed5951e35c3efd45fdc03662abf43050fddc564023ef40e6823
cb5bd9dcab7d07c1775ad24d25f72e15b6d62d4c22ce95345ce95632bc68be63
092853fc5c2163fdafef345aff1be3116697804b6f81ef2374422822d1e78bfa
cd526b1117e1c22762e6c48441856143ec31f33b8b8efaa13cb3ba37631c5972
3d6b02a65aea0bc97ccae6bd8ca5a6f46f10e02715ab4f70ac8d292e1a221aef
de7afeddc29a1d624396c18da80702aa9ab9f8e5212446022a49b7f804252f0e
7cef1a964acbe38f4796b9ddbbd95e3fc19215594b2f3ab74483d58fe4bb93ad
a3d949b62016bc688520dfe0bf68075ca6666089eea641a62be626aecd1872ef
cccb59dbcce9a68ffed699333477bba15ef02b19de9e5a345eed09e87440fc28
294003b3626890da222c7aeb34f7ac71cec614026c686fd88df269cc175a0e8c
1683c3759dd64d42623510c28230a23c9b999f12d5b63f2cb02f9eaf769f45a6
5f89b33cedfe3e9f075dd2312b10580dd16b5fb1702fe1f1ce572a792ec9bf91
af20afbe249de8d37ecdae69670fdced02fdfbbfdf7a1f2810e7628b52e29e4c
a68bc10b645b0b5748702f6db2b275549a5214854c0bc1efcb4259930760aa2f
fcc7ce0c1cf2c3d90bef0d564fcb9ac13631d73dd516a4e32f01ecd3ea9bcda9
0c0b4ee3d14fa4db0bc8268ed908480dd3b977fa3c98bcb930a52fc2839d35b4
d1a77a1cb9e4123494d9646d4d064289d6c96dd7a1ebde4dc0aab169c42018f0
007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594
078a6edfe74bdca838f020373b45f18d1a89abe276d75eedba8cc4a0e8ac0acd
7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67
c8ea81ec0afa16e1e7c0bc325396be024c993479765a9e4ad26b29d83bbfb01a
3055d261f05a0656b1b92d9fa8ed3a72111a3a5c6d036d13d3d3a304ca99b987
7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474
661b2c9879d7ae68512f820689f2198fdc2d71288ed0a6e747a0ae3f4a27f176
f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510
74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3
6c29d8bad383d0c43571ca79bb4887596c18c54053e174bb4d551a717ac33dc0
75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835
5a47bbdd5a87677ce485cfa5eae97ce572dae896ec0fb306f8b4a2ad8d5f856c
0a0eebfca8553e921339c90b0060ceb6adcbc5f747696b1abecd376f50283911
079172ddcc7b1086b9bf972b21d0d579dbff695fde14811165a986efe322873a
8d34477674ccda710d5acd22a1ea3ce7c9e818d7b6d3b19200c896fcf42f5b4b
2ea69f49817149fb5d008a79ac6975b890d949aa57708f3cb76fa15d8ce3f106
32137cf4d6060f5047dcee2185431bcfcd3fa5b244d63050410a4448df737b38
3f6feb2ff90be022f4b11b4e4be46768ce735fa4fda2fc731232fd1105a109da
3f7dbeb177934d53205b93a27b9f4262fe0f46aaf090326cb8e2069d90d0414c
1ce99f60292aa8808687010e53feff56ab3af5af3d725d8a9008dd4a1cf252cb
70c558209d7201e690991be17a01c6ef7f5b14775f2cfb288f0abafa43187fe2
3acf15dfd8e4a0fbe7404c2f8aadda1cff0aba5c058f5b5c3481bb44d8ff5b64
fea10c485839f80cc78106c2ef1d4a3ef70a5a0c208586be219a070bca061d6c
ce0545657884415ef34e052fcdf36506eee3f33315810fac1b7f7c615f439dcf
5539d434ee526c3dd170b22ac661ded347391278c129f0f7571d683bdc0fb1db
0d9d5a151e1cc28b6f79bfde2adc3bbf34f16b21303a647230a932e54624759e
8f22bfcfe5137aec0a8c659e08c604acbfa1ab64e85a05b2ad99a2995afae0db
e0b4936809d8a75b5095ce25dfb12e14c825e9401d941356749bba86a26b6bbb
f9e07becd2faaba0a53f178a513cef474849c4d82a1e69a871c81617db614296
4533579ade22cae8ab3bf23355133ca9d148328aefb35a543661f818e6af1a1b
bef3edd51fd9d18caaf806dc73b6d31554c805af50228e47c1543c00b81fe083
bede23ca2e4d3eb802787a7098e718606abd5768e83dd7169b57c05f664a77bf
fc5b0314dfd53a19bb905de5b758720df8a25857bdd1c5a72e5b1af7d4ff994a
da479ac3683eb1b6cc8cee9967b33d7a299fb551b9a8a1ddd5182469de37b2fb
e3e871921dd331a3518688e2527c2d5f8178c61e86c287414022fc8ad1fedef0
74793488f23a075f3d4e966eeb3d523c152d6fde434a4712a2a700d3db7b65ac
01e7f777e19a70073e6e8d286263b12b59bf8cc9af1e0b0c9fa4244ff63c9dc0
327c974b8d165bfbdc0c4277bd3d68e24b6d55a6d970340662ff78468a9c4e29
5680eb1ffa1fac4f1c5a78024331ff7dd8982138d89d2df4ec56996b44c9cc99
4728a46d0432b4fa8c56c71597346276a69c9a38842725426a44364cc0655457
f35cac13d76f955a715a51f5029ec8e4539004f02a447eec2b84febd7a4f62af
39c734ab91b8067c2458a620ce002b8bbe6f0e18176a7d98d022883ec73e67ec
818d5b7ce2bbd0ddcf6693b650106d1770e7ca6aa71b15a79d8906827da0c690
eced2aadf0074e3f52a0d9db1f2ca5d107a3d67be858da503cdbc42bd69b9083
feff1bf844bab637c8574b49864ff122078ca8c15d0eea205657e28587c16eba
4f22748956c9ec725df67a7729730ae3d56f88dc37db966abfc3a7557bbdb69a
a38d77ec66208f83f4065fe43bf51c96b587d2937b0d5f6d1abb1ab973de3751
41556fc8255feca7f1ddd424cec3c7e3f9007fea4f810db053a3886b4d7b8ec1
525b609b4fac8d454a86232d28999c3135fb2b3c10961723073f431fd75c2020
a0f0432f815889adb15907adaab5489844a71f5527bb07afb3d37f1a6ef948df
b31a48cc3055c0a4d94234ba2bf0844378550d8966cf0197a2cd140a945c8d33
3993abaf8f1b6758260ab97a7192a4dcce70c41ffb326db7f0e94dffaf647312
bb2153f4393601174d491f9be952ec246a4f77e67b46e0ad7983d7270436b8f1
b0049161819d1b613e9bac0c0ab31c4926013efcb93041f2b8c56f5d34f2336a
4e6eb217528d9643d9a41ea4ef18d97e64d425d5c419738a82081e2577964de5
c4c2a82a7d454bb85fa22f12d2571639c1640ba4a6790d708f4a229f91a7a99b
a00f90db29e2c261c2b6bb00093c43659b577708e8afff72c97f17d41bb06e2e
ec8877718f6bace8cef59ee505e0cbed94a2f6531249d0801192b2de127cab85
9ca2e817ff19e5313105b3b468c5390aff48fabe778333d4d2d045659818e73a
b86a67a7dea558bd5719148ecc93ecb2c4f9270006ff304d860c866519c8ca15
d31183ab1c4b40cd810613950b57e160aaf5ed3653e94a118bbfd1004aafee8d
17eabc9a47c7be45b7f3fe07bb5b172facdf56eec68519cc6f4a46b425911d74
550e199325198e2aeb1c1fe8228a37715962dcad001c447f29f226921e6a9f0e
b0cc835df649b790bf8fde133d284d4bf3b9c6fd65baaa6578f91b9b3fc33b5d
6dcc2f68713b9fd65e7cbd3c987632b67f4db83a27f7c1a4fc7b16b07f7e5306
d5de28ab9d6c56d5eacee86451c92836f930ab3f4ff7851b467f4786657b754d
ebbf0823315707c04f814d68d3c3528354b522215ff0768303002115245b9e44
d607bfcbe22d2dd7d7a40172c2c5e1680d5d1132c8cab4b2ce51b57ca84fe997
a1f1d8797ffd930f0a16f3a1bd96b58419bb05bcd304a6e4ec2ddc14c664c83c
c91ecca54c0cbdf3f8714d7c92ca6858d4ddb5957ab06f9ed33bb73e3b5f6207
e7cf9ae73751f92a53dbbc41b4939510e23352bf3a942e86b269c72b80cdb63c
SH256 hash:
270e4c9c272e76b067e85727fbd871ff65edc0ef837a9b80cfed84252203ffbd
MD5 hash:
c9618d3d5ba243b024fe41223ef625be
SHA1 hash:
626d260a95fbf0b8b2ace91b64d0c7aa294616bf
Link:
https://www.unpac.me/results/c4f9b237-da2a-4dd4-b29e-4b55f8353b31/
SH256 hash:
8e70b153c0c449b40027879028371cf86d0755b2fa86f380f33c1579a2873c46
MD5 hash:
bfbc04b2441b9609e1704ffa781d2514
SHA1 hash:
2b271bb94d6217130c0ebb1d1dc4eb56224198c8
Link:
https://www.unpac.me/results/c4f9b237-da2a-4dd4-b29e-4b55f8353b31/
SH256 hash:
e16d31256434834519f0fc54095f9a5e03700adaba2e51a75dad1ab581441323
MD5 hash:
1edd3839f47ae345890b4dc71ba6cfe5
SHA1 hash:
0b6593476cd3f7a7292c1e5f63e137aebb147708
Link:
https://www.unpac.me/results/c4f9b237-da2a-4dd4-b29e-4b55f8353b31/
SH256 hash:
ac08903be48df04ee8b744c61a65c8003af729943049cb4d04870854686c93ca
MD5 hash:
fe12a02585a6ce25746ee2a914377cf1
SHA1 hash:
078ae76a2b2bd974edbe3d8b05fc092d95b61668
Link:
https://www.unpac.me/results/c4f9b237-da2a-4dd4-b29e-4b55f8353b31/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ac08903be48d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ac08903be48df04ee8b744c61a65c8003af729943049cb4d04870854686c93ca

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BAZT_B5_NOCEXInvalidStream
Create hunting rule
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/387192/

Comments