MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cd7fa0e585fcc126483caa9f5c738d0c213e3326f132e47c69d942eeb9ef1345. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



EagleRAT


Vendor detections: 11


SHA256 hash: cd7fa0e585fcc126483caa9f5c738d0c213e3326f132e47c69d942eeb9ef1345
SHA3-384 hash: e59e14cd74933908fce9b9aab493e9bcbb4a4a538b5a1de5ca280395c27a05f6a5c17ad1330d86d84a25a12215cd3328
SHA1 hash: d59494cc6a114951c9affc0d280d39f7ee429412
MD5 hash: bcf010a0ac126b82c429d6b1e05e0904
humanhash: jersey-violet-fruit-burger
File name: Proteggiti12.exe
Signature: EagleRAT
File size: 83'456 bytes
First seen: 2023-03-18 11:19:29 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'672 x AgentTesla, 19'489 x Formbook, 12'212 x SnakeKeylogger)
ssdeep: 1536:/s3y2R2T619NzucB2VJtLE933X80VMYEwduOrIDxBHCs0h:6qTE3zucB2Vg38jfwMOa3Cxh
Threatray: 84 similar samples on MalwareBazaar
TLSH: T1988302228FE9BA73F13F10B22533D5185237DE569FA3872F0889A17EF9539099714670
TrID: 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
      2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter: r3dbU7z
Tags: EagleRAT exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 259
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Proteggiti12.exe
Verdict: Malicious activity
Analysis date: 2023-03-18 11:19:43 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Launching a process
Creating a file
Creating synchronization primitives
Enabling the 'hidden' option for recently created files
Unauthorized injection to a system process
Enabling autorun by creating a file

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: azorult clipbanker comodo darkkomet nanocore packed razy
Result
Verdict: MALICIOUS

Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Eagle RAT
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Contains functionality to register a low level keyboard hook
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Yara detected Eagle Monitor RAT
Yara detected UAC Bypass using CMSTP
Threat name: ByteCode-MSIL.Backdoor.NanoCore
Status: Malicious
First seen: 2023-03-18 11:20:07 UTC
File Type: PE (.Net Exe)
Extracted files: 3
AV detection: 23 of 24 (95.83%)
Threat level: 5/5

Result
Malware family: n/a
Score: 7/10
Tags: n/a

Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Drops startup file
Loads dropped DLL

Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: INDICATOR_EXE_Packed_NyanXCat_CSharpLoader
Author: ditekSHen
Description: Detects .NET executables utilizing NyanX-CAT C# Loader

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download: EagleRAT, Executable exe cd7fa0e585fcc126483caa9f5c738d0c213e3326f132e47c69d942eeb9ef1345 (this sample)

Delivery method: Distributed via web download

Comments