MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d0c18b8e222e3b9c09c05145bab139b63e010ba754f4ff688ee71ac69697a402. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MilleniumRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d0c18b8e222e3b9c09c05145bab139b63e010ba754f4ff688ee71ac69697a402
SHA3-384 hash: f5634e4b9b329ad25d2b7c4ade2ad9729e54180dec82a14babb82b0f5412a8223b4a2ffc3c1bd9170e2dcb5ca79b13c1
SHA1 hash: e4db77c1248591ba12160223e028004ffd3366d3
MD5 hash: 98ae932a21fee19c4b51ffa7abd4cec1
humanhash: salami-happy-one-batman
File name:hacn.exe
Download: download sample
Signature MilleniumRAT
Create hunting rule
File size:12'925'322 bytes
First seen:2024-03-01 14:20:47 UTC
Last seen:2024-03-01 14:21:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 1af6c885af093afc55142c2f1761dbe8 (49 x PythonStealer, 40 x BlankGrabber, 14 x LunaLogger)
ssdeep 393216:pDfDoc6GPqN4aMrNyAj/05dNhFx1MmWg:pb7Hqiaa4AjEVxGm
TLSH T12DD6339065E404F4E8F6EB7EDD512355E0F2B812C320EE979B7887A25E037B19D76382
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon cde9f171f1b288b8 (1 x MilleniumRAT)
Reporter firarglobal
Tags:exe MilleniumRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
317
Origin country :
TR TR
Vendor Threat Intelligence
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
expand lolbin overlay packed packed pyinstaller pyinstaller
Link:
https://www.filescan.io/uploads/65e1e45306f9ec0811a96376/reports/640527aa-2e01-4569-b2fa-403cb2a61b5a/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/d0c18b8e222e3b9c09c05145bab139b63e010ba754f4ff688ee71ac69697a402
Result
Verdict:
MALICIOUS
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/a059bf6f-8ca7-47ee-afc1-6d6e14fc7609
Result
Threat name:
Discord Token Stealer, Millenuim RAT, Xm
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1401452
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Contains functionality to capture screen (.Net source)
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Contains functionality to log keystrokes (.Net Source)
Creates a thread in another existing process (thread injection)
Found hidden mapped module (file has been removed from disk)
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Stop multiple services
Snort IDS alert for network traffic
Stops critical windows services
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Discord Token Stealer
Yara detected Millenuim RAT
Yara detected Telegram RAT
Yara detected Telegram Recon
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1401452 Sample: hacn.exe Startdate: 01/03/2024 Architecture: WINDOWS Score: 100 108 raw.githubusercontent.com 2->108 110 pool.hashvault.pro 2->110 112 ip-api.com 2->112 122 Snort IDS alert for network traffic 2->122 124 Malicious sample detected (through community Yara rule) 2->124 126 Antivirus detection for dropped file 2->126 128 21 other signatures 2->128 12 hacn.exe 13 2->12         started        15 updater.exe 2->15         started        18 cmd.exe 1 2->18         started        20 3 other processes 2->20 signatures3 process4 file5 96 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 12->96 dropped 98 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 12->98 dropped 100 C:\Users\user\AppData\Local\Temp\...\s.exe, PE32 12->100 dropped 106 8 other files (7 malicious) 12->106 dropped 22 hacn.exe 12->22         started        102 C:\Windows\Temp\wxyubnjmnlae.tmp, PE32+ 15->102 dropped 104 C:\Windows\Temp\gqxqtdeqxchk.sys, PE32+ 15->104 dropped 168 Writes to foreign memory regions 15->168 170 Modifies the context of a thread in another process (thread injection) 15->170 172 Adds a directory exclusion to Windows Defender 15->172 174 2 other signatures 15->174 24 dialer.exe 15->24         started        27 dialer.exe 15->27         started        36 2 other processes 15->36 30 conhost.exe 18->30         started        32 sc.exe 1 18->32         started        38 4 other processes 18->38 34 conhost.exe 20->34         started        40 7 other processes 20->40 signatures6 process7 dnsIp8 42 cmd.exe 1 22->42         started        132 Injects code into the Windows Explorer (explorer.exe) 24->132 134 Writes to foreign memory regions 24->134 136 Allocates memory in foreign processes 24->136 142 2 other signatures 24->142 45 svchost.exe 24->45 injected 47 svchost.exe 24->47 injected 114 142.202.242.43, 443, 49731 1GSERVERSUS Reserved 27->114 138 Query firmware table information (likely to detect VMs) 27->138 140 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 27->140 signatures9 process10 signatures11 158 Stops critical windows services 42->158 49 s.exe 5 42->49         started        53 conhost.exe 42->53         started        process12 file13 84 C:\ProgramData\setup.exe, PE32+ 49->84 dropped 86 C:\ProgramData\main.exe, PE32 49->86 dropped 120 Multi AV Scanner detection for dropped file 49->120 55 setup.exe 3 49->55         started        59 main.exe 14 12 49->59         started        signatures14 process15 dnsIp16 88 C:\Users\user\AppData\...\wxyubnjmnlae.tmp, PE32+ 55->88 dropped 90 C:\Program Filesbehaviorgraphoogle\Chrome\updater.exe, PE32+ 55->90 dropped 144 Machine Learning detection for dropped file 55->144 146 Writes to foreign memory regions 55->146 148 Modifies the context of a thread in another process (thread injection) 55->148 156 3 other signatures 55->156 62 dialer.exe 55->62         started        116 ip-api.com 208.95.112.1, 49729, 49732, 49748 TUT-ASUS United States 59->116 118 raw.githubusercontent.com 185.199.111.133, 443, 49730, 49733 FASTLYUS Netherlands 59->118 92 C:\Users\user\AppData\Roaming\...\Update.exe, PE32 59->92 dropped 94 C:\Users\user\AppData\...\sqlite.interop.dll, PE32+ 59->94 dropped 150 Multi AV Scanner detection for dropped file 59->150 152 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 59->152 154 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 59->154 65 cmd.exe 59->65         started        file17 signatures18 process19 signatures20 160 Contains functionality to inject code into remote processes 62->160 162 Writes to foreign memory regions 62->162 164 Allocates memory in foreign processes 62->164 166 3 other signatures 62->166 67 lsass.exe 62->67 injected 70 winlogon.exe 62->70 injected 72 svchost.exe 62->72 injected 74 dwm.exe 62->74 injected 76 conhost.exe 65->76         started        78 tasklist.exe 65->78         started        80 find.exe 65->80         started        82 7 other processes 65->82 process21 signatures22 130 Writes to foreign memory regions 67->130
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d0c18b8e222e3b9c09c05145bab139b63e010ba754f4ff688ee71ac69697a402
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d0c18b8e222e3b9c09c05145bab139b63e010ba754f4ff688ee71ac69697a402/
Threat name:
Win64.Trojan.Znyonm
Create hunting rule
Status:
Malicious
First seen:
2024-02-23 16:17:55 UTC
File Type:
PE+ (Exe)
Extracted files:
290
AV detection:
20 of 38 (52.63%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2dayxdrcfy5zycoakfc3vmjzwy7acc5hkt2p62eo44nmnfuxuqba._file
Verdict:
malicious
Result
Malware family:
milleniumrat
Create hunting rule
Score:
  10/10
Tags:
family:milleniumrat evasion persistence pyinstaller rat spyware stealer
Link:
https://tria.ge/reports/240301-rnz7asgh76/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Enumerates processes with tasklist
Modifies data under HKEY_USERS
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Drops file in Program Files directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Stops running service(s)
MilleniumRat
Suspicious use of NtCreateProcessExOtherParentProcess
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SH256 hash:
d0c18b8e222e3b9c09c05145bab139b63e010ba754f4ff688ee71ac69697a402
MD5 hash:
98ae932a21fee19c4b51ffa7abd4cec1
SHA1 hash:
e4db77c1248591ba12160223e028004ffd3366d3
Detections:
PyInstaller
Create hunting rule
Link:
https://www.unpac.me/results/d43621e8-d8be-4739-bad0-7421179804d8/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d0c18b8e222e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d0c18b8e222e3b9c09c05145bab139b63e010ba754f4ff688ee71ac69697a402

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller.
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

MilleniumRAT

Executable exe d0c18b8e222e3b9c09c05145bab139b63e010ba754f4ff688ee71ac69697a402

(this sample)

  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (FORCE_INTEGRITY)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::ConvertSidToStringSidW
ADVAPI32.dll::ConvertStringSecurityDescriptorToSecurityDescriptorW
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::GetTokenInformation
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetDriveTypeW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineW
KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetConsoleCtrlHandler
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::RemoveDirectoryW
KERNEL32.dll::SetDllDirectoryW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::CreateWindowExW

Comments