MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d50231ce3a97198df82ea52b14c0953a7e02bac5311eba123c5d39e71000598f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 11

Intelligence 11 IOCs YARA 3 File information Comments

SHA256 hash:	d50231ce3a97198df82ea52b14c0953a7e02bac5311eba123c5d39e71000598f
SHA3-384 hash:	db0b4b42995f5ae78f0ca6cbb0c4372bf48ab1de269622fb74d4ecdc582133e885a312892d0b531301fcd63102d0c8ec
SHA1 hash:	66dfa782474e01e834c6fb6b8f863769de92968b
MD5 hash:	05828a6473e9116ddc4ec48e5e222924
humanhash:	bakerloo-cat-mars-lima
File name:	File Explorer.bin
Download:	download sample
File size:	886'272 bytes
First seen:	2022-07-16 11:36:13 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	332f7ce65ead0adfb3d35147033aabe9 (81 x XRed, 18 x SnakeKeylogger, 7 x DarkComet)
ssdeep	12288:ZMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V982YyX+:ZnsJ39LyjbJkQFMhmC+6GD9u
Threatray	67 similar samples on MalwareBazaar
TLSH	T1F4157B32F2924037D5765A398C5F93A44C3ABF512E38691E3BE43E4D5E7938928D42E3
TrID	92.9% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58) 1.9% (.EXE) Win32 Executable Delphi generic (14182/79/4) 1.4% (.EXE) Win64 Executable (generic) (10523/12/4) 1.3% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2) 0.6% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon	204cb27169b21428 (1 x njrat, 1 x DarkComet)
Reporter	KdssSupport
Tags:	exe

KdssSupport

Uploaded with API

Intelligence

File Origin

# of uploads :

# of downloads :

347

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

S500RAT.exe

Verdict:

Malicious activity

Analysis date:

2022-07-16 07:28:29 UTC

Tags:

evasion trojan

Link:

https://app.any.run/tasks/9dcc7d07-e80a-485b-bb80-957a7a979656

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/291194/

Detection(s):

PUA.Win.Packer.D1s1g-1

PUA.Win.Packer.D1s1g-2

PUA.Win.Packer.D1s1g-5

Win.Trojan.Emotet-9850453-0

Win.Trojan.Generic-9936029-0

ditekSHen.MALWARE.Win.Trojan.AsyncRAT.UNOFFICIAL

Win.Malware.Delf-6899401-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

Searching for synchronization primitives

Creating a file

Enabling the 'hidden' option for recently created files

Creating a process from a recently created file

Moving a recently created file

Searching for the window

Using the Windows Management Instrumentation requests

Creating a file in the %temp% directory

Moving a file to the %temp% directory

Modifying an executable file

DNS request

Sending an HTTP GET request

Creating a file in the %AppData% directory

Sending a UDP request

Launching a process

Creating a process with a hidden window

Sending a custom TCP request

Unauthorized injection to a recently created process

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Query of malicious DNS domain

Infecting executable files

Enabling autorun by creating a file

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/26343/overview

Behaviour

MalwareBazaar

CheckCmdLine

Gathering data

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/924de24c-24f6-429c-84fe-134f818680f0

Result

Threat name:

Unknown

Detection:

malicious

Classification:

expl.evad.troj

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1033689

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d50231ce3a97198df82ea52b14c0953a7e02bac5311eba123c5d39e71000598f/

Threat name:

Win32.Backdoor.DarkComet

Status:

Malicious

First seen:

2022-07-16 11:37:26 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 26 (88.46%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=2ubddtr2s4my36bouuvrjqevhj7afowfgepluer4lu46oeaalghq._file

Verdict:

malicious

1e3d5369ea28851f7013099f82d535b12e3e88c72ae190fdf571fb9beb9e0ace

a4b821d0cadc92c344c8b60f5290a5e5520fd1fb3813b88c529c48d285b72c63

a4bdfb7869d435589479e095b8d0c9c2b8f987bd3a8c961424376f18c31c650f

ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4

dd23a9dd9ad1c9be3580c478179915bfcc79a23bc49161f49ee08111ceab57eb

f57a62e80191b398066c5d3f39bb2a8f7a4badc614bff7591b6f1a19977ce38a

+ 57 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

persistence

Link:

https://tria.ge/reports/220716-nq59jsbeg2/

Behaviour

Enumerates system info in registry

Modifies Internet Explorer settings

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Adds Run key to start application

Looks up external IP address via web service

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Unpacked files

SH256 hash:

d50231ce3a97198df82ea52b14c0953a7e02bac5311eba123c5d39e71000598f

MD5 hash:

05828a6473e9116ddc4ec48e5e222924

SHA1 hash:

66dfa782474e01e834c6fb6b8f863769de92968b

Link:

https://www.unpac.me/results/978b3785-04ef-4aab-a723-ee01fc90d723/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d50231ce3a97198df82ea52b14c0953a7e02bac5311eba123c5d39e71000598f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA Create hunting rule
Author:	ditekSHen
Description:	Detects Windows executables referencing non-Windows User-Agents

Rule name:	MALWARE_Win_AsyncRAT Create hunting rule
Author:	ditekSHen
Description:	Detects AsyncRAT

Rule name:	vbaproject_bin Create hunting rule
Author:	CD_R0M_
Description:	{76 62 61 50 72 6f 6a 65 63 74 2e 62 69 6e} is hex for vbaproject.bin. Macros are often used by threat actors. Work in progress - Ran out of time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe d50231ce3a97198df82ea52b14c0953a7e02bac5311eba123c5d39e71000598f

(this sample)

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/291194/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample