MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ace00c4aa0c763c44c1821d87307262587d88aa3446bbff35c8816eb4a340623. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ResolverRAT

Vendor detections: 11

SHA256 hash: ace00c4aa0c763c44c1821d87307262587d88aa3446bbff35c8816eb4a340623
SHA3-384 hash: 4b4415a8ec9f4499e5e20bbc014925c4b470afe1ca8838abf1ed9601ee1ef8db7830ef083cfe627f53559daa31e44b97
SHA1 hash: 8931c4cba2ff3bd29281ee86ddb3f62772d63149
MD5 hash: 2e6e2f37187fc0cf8ac73501b02a613b
humanhash: skylark-ten-beryllium-king
File name: IMG_36313.js
Signature: ResolverRAT
File size: 20'281 bytes
First seen: 2025-08-16 22:38:59 UTC
Last seen: Never
File type: JavaScript (JS) js
MIME type: text/plain
ssdeep: 384:pjtP2z+UZX6qkPmgAAGUQLiYtq3jgPoI74s/xz5+xpe2ibYWIDajrUmFyjF8Kbgg:pjR2z+UZXzkRAAGUQLiYw3j+rUmFyjFF
Threatray: 1'793 similar samples on MalwareBazaar
TLSH: T134920D4E5D03043289332F3E5F17544AEF6B052789298A40BFCCCAA5AFB565183B9F6D
Magika: javascript
Reporter: smica83
Tags: js ResolverRAT

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 83
Origin country: HU

Vendor Threat Intelligence
Verdict: Malicious
Score: 97.4%
Tags: ransomware obfuscate xtreme

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-vm base64 fingerprint
Result
Threat name: Remcos, AsyncRAT, Dacic, DcRat, PureLog
Detection: malicious
Classification: rans.troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code references suspicious native API functions
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Creates processes via WMI
Detected Remcos RAT
Found malware configuration
Injects a PE file into a foreign process
JavaScript source code contains functionality to generate code involving a shell, file or stream
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: Register Wscript In Run Key
Sigma detected: Remcos
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Silenttrinity Stager Msbuild Activity
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Sigma detected: WScript or CScript Dropper - File
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Windows Shell Script Host drops VBS files
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected Dacic
Yara detected DcRat
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Yara detected PureLog Stealer
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph ID: 1758629, Sample: IMG_36313.js, Startdate: 17/08/2025, Architecture: WINDOWS, Score: 100
Behavior graph (rendered image, not reproducible as text): the graph shows wscript.exe launching powershell.exe, which starts MSBuild.exe; MSBuild.exe drops a VBS file under the user's AppData folder and runs cmd.exe, which chains into further powershell.exe and wscript.exe stages that drop additional VBS and PS1 scripts and launch MSBuild.exe again, with DNS and network nodes for the contacted domains and IPs attached to the relevant process nodes.
Verdict: Malware
YARA: 2 match(es)
Tags: Base64 Block Contains Base64 Block DeObfuscated PowerShell Powershell: Hidden Execution

Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2025-08-16 22:39:30 UTC
File Type: Text (JavaScript)
AV detection: 6 of 24 (25.00%)
Threat level: 5/5

Result
Malware family: n/a
Score: 10/10
Tags: defense_evasion execution
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Command and Scripting Interpreter: JavaScript
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Modifies trusted root certificate store through registry
Process spawned unexpected child process
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ClamAV_Emotet_String_Aggregate
Rule name: SUSP_PowerShell_Base64_Decode
Author: SECUINFRA Falcon Team
Description: Detects PowerShell code to decode Base64 data. This can yield many FPs.
Rule name: Sus_CMD_Powershell_Usage
Author: XiAnzheng
Description: May contain (obfuscated or not) PowerShell or CMD commands that can be abused by threat actors (can create FPs).

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments