MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 da23dacc9e28905b0cc9f0724e182e8963525162b177d023c0c859e8fee09d43. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 6

Intelligence 6 IOCs YARA 2 File information Comments 1

SHA256 hash:	da23dacc9e28905b0cc9f0724e182e8963525162b177d023c0c859e8fee09d43
SHA3-384 hash:	0fc229b766bcef89d2b4a9a04cef07693ce15619b452f3b84e79f7d13774be6dc4dfe99f4c5d907576adbfdaf7bbbbd1
SHA1 hash:	27f58eddb916966ce16e5dbd2599ff6946580573
MD5 hash:	0ab2da9543b860c72f6eaeaa41bb3cf1
humanhash:	montana-queen-earth-lima
File name:	pscgen.exe
Download:	download sample
File size:	11'718'144 bytes
First seen:	2021-05-20 15:58:25 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	d74d76c7011bfcc0cc1ebcb319809a31 (3 x ValleyRAT, 1 x CobaltStrike)
ssdeep	196608:Ut5wA0MhC/W3q+09iq2pPeMBTX1QFhjwt25HnutfdwghxZdI8eVoGQW+/of:+BlABlh2pzOHutKqTdI8eVoPg
Threatray	41 similar samples on MalwareBazaar
TLSH	D2C63324FA50059EF4AB10364929D13AF9BBB6450369C04F42DCA2B20F93BE6B57D7F4
Reporter	Anonymous
Tags:	exe

Anonymous

Might be DiscordRAT
Retrieved from https://www101.zippyshare.com/v/Yamhw8lP/file.html

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Creating a file

Deleting a recently created file

Sending a UDP request

Using the Windows Management Instrumentation requests

DNS request

Sending a custom TCP request

Running batch commands

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/da23dacc9e28905b0cc9f0724e182e8963525162b177d023c0c859e8fee09d43/

Threat name:

Win64.Trojan.Fuery

Status:

Malicious

First seen:

2021-05-03 02:50:43 UTC

AV detection:

8 of 29 (27.59%)

Threat level:

5/5

Verdict:

malicious

2fb7c093711d15951d5345cdf0ba45305986f318118a58762e164bf9d5a2459a

54c91df7deaeaf52b3e9cb09480781c6929da68c64aa6298989b5e06e659e482

7ce97f4056638942e117d1ea5be336c817d9f56b6548cc220ddf9f7e36db915c

92285ce83adc2f13208ec62a3122123124b68e7783cb1744418699aec29089c8

a267a87d74e15c2b281f4268cf1e3d7e5c5586cf856549528e42d9436e04c9b9

c5d7a3c8c888745918daccb78552062e6d840f00cdb7fc1980c4f1f700f488c5

e4d74735b0fe22e977c622d8bcd6de638ebbb71aaaace38a0a924fc514131e18

fb7e3d141ff3851b74b24c265fd94db17a9571bb6686fe2f47bd12d053d88309

fed02796762f63978094ad4b21b1952948cea78281abb55ba58bbb7886531ea1

+ 31 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

pyinstaller

Link:

https://tria.ge/reports/210520-qjva5qrxvj/

Behaviour

Suspicious use of WriteProcessMemory

Loads dropped DLL

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/da23dacc9e28905b0cc9f0724e182e8963525162b177d023c0c859e8fee09d43

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	PE_File_pyinstaller Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)
Description:	Detect PE file produced by pyinstaller
Reference:	https://isc.sans.edu/diary/21057

Rule name:	PyInstaller Create hunting rule
Author:	@bartblaze
Description:	Identifies executable converted using PyInstaller.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-20 16:01:05 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [C0027.009] Cryptography Micro-objective::RC4::Encrypt Data
1) [C0021.004] Cryptography Micro-objective::RC4 PRGA::Generate Pseudo-random Sequence
2) [C0032.005] Data Micro-objective::Adler::Checksum
3) [C0060] Data Micro-objective::Compression Library
4) [C0026.002] Data Micro-objective::XOR::Encode Data
6) [C0046] File System Micro-objective::Create Directory
7) [C0048] File System Micro-objective::Delete Directory
8) [C0047] File System Micro-objective::Delete File
9) [C0051] File System Micro-objective::Read File
10) [C0052] File System Micro-objective::Writes File
11) [C0034.001] Operating System Micro-objective::Set Variable::Environment Variable
12) [C0040] Process Micro-objective::Allocate Thread Local Storage
13) [C0017] Process Micro-objective::Create Process
14) [C0041] Process Micro-objective::Set Thread Local Storage Value
15) [C0018] Process Micro-objective::Terminate Process