MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 de8904daf0c5ec9ad4225fc8a4f9b3b66fd2de5d18b0cb3bfb94bb8b7ef7f969. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 12


Intelligence 12 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: de8904daf0c5ec9ad4225fc8a4f9b3b66fd2de5d18b0cb3bfb94bb8b7ef7f969
SHA3-384 hash: 2a5f873ef45e7eae87b08dd476337de8933ca38976e0abe562d339a7de6c7a1bc0d2c5351b1932f7e2bd8ce89430a065
SHA1 hash: 0be1f442c957e4e5fc5253be099f705b5ee80630
MD5 hash: c95c64e92050393503b9ffb080c2af86
humanhash: skylark-echo-iowa-fish
File name:de.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:1'907'364 bytes
First seen:2023-10-04 11:28:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 24576:u2G/nvxW3WieCVU5Lsj26Yfv66b/zlf1v/4/fFQB7O/4G3chNcpwiCo91qUVRddl:ubA3jVWXv3b/Zd42I4GchjiCURNTLD
Threatray 1'359 similar samples on MalwareBazaar
TLSH T1EC95AD017E46CA21F4191633C2AF865447B1AC102AE6F31B7EBD376D95223937C1EADB
TrID 91.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.6% (.EXE) Win64 Executable (generic) (10523/12/4)
1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
0.6% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter 0x746f6d6669
Tags:DCRat exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
315
Origin country :
DE DE
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.VBS.Encrypted.Gen.UNOFFICIAL
Create hunting rule

Win.Packed.Msilmamut-9950860-0
Create hunting rule

Win.Packed.Basic-9952747-0
Create hunting rule

Win.Packed.Uztuby-9963900-0
Create hunting rule

Win.Packed.Uztuby-9969968-0
Create hunting rule

Win.Malware.Uztuby-9972880-0
Create hunting rule

Win.Trojan.DarkKomet-9976180-0
Create hunting rule

SecuriteInfo.com.Trojan.Rasftuby.Gen.14.10239.27368.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Launching a process
Creating a file in the Windows subdirectories
Creating a file in the Program Files subdirectories
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Enabling autorun
Adding an exclusion to Microsoft Defender
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm cmd cscript dcrat explorer greyware lolbin overlay packed packed replace schtasks setupapi shdocvw shell32 wscript
Link:
https://www.filescan.io/uploads/651d4c80be42b2ac8e5a2c22/reports/86036f2e-8bc1-490d-a2ea-977ee019d541/overview
Verdict:
Malicious
Labled as:
Trojan.MSIL.Basic.8.Gen;Trojan.Uztuby
Link:
https://www.hybrid-analysis.com/sample/de8904daf0c5ec9ad4225fc8a4f9b3b66fd2de5d18b0cb3bfb94bb8b7ef7f969
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/eeb61c54-9124-45e3-ba70-0af6c48aa45f
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1319397
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Creates processes via WMI
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected DCRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1319397 Sample: de.exe Startdate: 04/10/2023 Architecture: WINDOWS Score: 100 68 cj77911.tw1.ru 2->68 72 Multi AV Scanner detection for domain / URL 2->72 74 Found malware configuration 2->74 76 Antivirus detection for URL or domain 2->76 78 12 other signatures 2->78 11 de.exe 3 6 2->11         started        14 ZMkYhUAHTHJSUlwwZ.exe 2->14         started        17 schtasks.exe 2->17         started        19 25 other processes 2->19 signatures3 process4 file5 62 C:\...\bridgehypersession.exe, PE32 11->62 dropped 64 C:\...behaviorgraphLv7BNPqCqrZbVSS32YTrknsLd.vbe, data 11->64 dropped 21 wscript.exe 1 11->21         started        90 Antivirus detection for dropped file 14->90 92 Multi AV Scanner detection for dropped file 14->92 94 Machine Learning detection for dropped file 14->94 signatures6 process7 signatures8 80 Windows Scripting host queries suspicious COM object (likely to drop second stage) 21->80 24 cmd.exe 1 21->24         started        process9 process10 26 bridgehypersession.exe 7 14 24->26         started        30 conhost.exe 24->30         started        file11 54 C:\...\ZMkYhUAHTHJSUlwwZ.exe, PE32 26->54 dropped 56 C:\Users\Public\...\ZMkYhUAHTHJSUlwwZ.exe, PE32 26->56 dropped 58 C:\Recovery\ZMkYhUAHTHJSUlwwZ.exe, PE32 26->58 dropped 60 2 other malicious files 26->60 dropped 82 Antivirus detection for dropped file 26->82 84 Multi AV Scanner detection for dropped file 26->84 86 Creates an undocumented autostart registry key 26->86 88 4 other signatures 26->88 32 ZMkYhUAHTHJSUlwwZ.exe 26->32         started        36 powershell.exe 19 26->36         started        38 powershell.exe 19 26->38         started        40 5 other processes 26->40 signatures12 process13 dnsIp14 66 cj77911.tw1.ru 5.23.50.27, 49832, 49836, 49837 TIMEWEB-ASRU Russian Federation 32->66 70 Multi AV Scanner detection for dropped file 32->70 42 conhost.exe 36->42         started        44 conhost.exe 38->44         started        46 conhost.exe 40->46         started        48 conhost.exe 40->48         started        50 conhost.exe 40->50         started        52 conhost.exe 40->52         started        signatures15 process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/de8904daf0c5ec9ad4225fc8a4f9b3b66fd2de5d18b0cb3bfb94bb8b7ef7f969/
Threat name:
ByteCode-MSIL.Trojan.Uztuby
Create hunting rule
Status:
Malicious
First seen:
2023-10-03 19:17:36 UTC
File Type:
PE (Exe)
Extracted files:
21
AV detection:
23 of 34 (67.65%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=32eqjwxqyxwjvvbcl7ekj6ntwzx5fxs5dcymwo73ss5yw7xx7fuq._file
Verdict:
malicious
Similar samples:
1459c0d3b21302701c9ca344942daaaf1f3f4b8d03037d8e7571f599e11b0148
DCRat
3403bac5c539f75b944da6960af9f9347f9665ad9ac578266602c0bc8b7e5dc7
DCRat
8d83d815077aa7c96a570c46b8e2ec694decf201cd3e4d9c0d6c6bae55285f52
DCRat
af5e28fe88fbb4392ef658ecd2dfdcaccb25734bfff693fa6aca6b03565d0ab8
DCRat
be15d47389920ab9637eefc24bbf6c191607013a3d2608c1243a377aacb5d4ce
DCRat
deb4782f354f05d5ec28658ce35227e8ad5d1242260bd7cb2df5a90b84e25481
DCRat
df9e5ceb75c0d9781e09d9230210033645e89e79c5cb6ec5709fba052bc3e641
DCRat
+ 1'349 additional samples on MalwareBazaar
Result
Malware family:
dcrat
Create hunting rule
Score:
  10/10
Tags:
family:dcrat infostealer persistence rat spyware stealer
Link:
https://tria.ge/reports/231004-nlj6hsdb55/
Behaviour
Creates scheduled task(s)
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
DCRat payload
DcRat
Modifies WinLogon for persistence
Process spawned unexpected child process
Unpacked files
SH256 hash:
cbbe80dcabba2df45df029d7bb84d17dcb7724619ca0bc13ffb465570190e80b
MD5 hash:
ababbb0abe7c6704cff11f808518040e
SHA1 hash:
84ef5b22de49b75222209e8c624e3029e30d0c95
Detections:
dcrat_usbspread
Create hunting rule
Link:
https://www.unpac.me/results/774b2ad6-802e-4f43-8282-ec99f7731978/
SH256 hash:
00c4dfb468931e8093799960e80df63c62f8d9c8fc8080bed1e2a895508f2f41
MD5 hash:
e44c996d06420b5919dc0fcaf79001eb
SHA1 hash:
2dae379f9cad12399a6fc0023aef3e727f3b6480
Detections:
dcrat_system_restore_points_cleaner
Create hunting rule
Link:
https://www.unpac.me/results/774b2ad6-802e-4f43-8282-ec99f7731978/
SH256 hash:
a6eeb0c6b0b290ad79c1e3ffdf8a73701e02b46bd125a4c4e1fee9ca71f116a9
MD5 hash:
ad4e35679281e575e1f75f77c30808df
SHA1 hash:
291262af52d2f9bc6208995934d2944718213c16
Detections:
dcrat_telegram_notifier
Create hunting rule
Link:
https://www.unpac.me/results/774b2ad6-802e-4f43-8282-ec99f7731978/
Parent samples :
fa0934b4cd8d37bcc91ba65e2db078bdaa55cde955894a8413a8ef1bb4b35220
014b0d47ca7cdce7a4f862bbe7bcaf626d3524d1d1883bc3d9967a268b3174ed
de8904daf0c5ec9ad4225fc8a4f9b3b66fd2de5d18b0cb3bfb94bb8b7ef7f969
d14caa68b3176ca4bde4b434eecd00ec121d9c649f73d1ba6510730cda54eb05
fd4ac5261b3f8357ad4e1f5fbee2e3f3e9e2a6cc0f8c1c61f1a840d8b54fe28c
3eeb9115c3888d0b1c4cfccc25bb48661b90f308bdcc1ea0c2a56a7030d5c547
9c8b561cf27708f285da964826b1183608e75be698f6b5a4469faea8e535a760
c3f98fcf5d25e5f8347c5884b6c41d4efa8a7fe63ebc84ff02025f2c87359dbd
29c5d4ad5e177cc1163dadb38683e01b79fba8b9a0ab0a5128a1956ad801e798
7803d28b1cfcb0c4f3a63515fea88508357e02dc2ee982f7ff1f0c2f40af3649
f2ea08890e2043e272efd3f728c3a129807097c24024730154a24fe7269d3fc9
1365414d90a8e9a059336e150f9123f59562c2c5b3a354f3d73f882773f04571
3e5c92ebdbc350c5d12d8a684ae957f570f9fed8c4099415f1d9206c910886a5
22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400
d5ac904ea7afae96375fecfe74458e4aaa46f375edb12b950b23825e2ded11ae
2849878b8913c66392f6202039c1d38e2b7061daec60947671795f1e1cd63db5
3fa6ddcabcb03763ef1887117e16ebdf0553a1cc2a16b58bdecaba0735d4e60a
b108df3575c8f9c77577486a92b52fe55bfb6508acca68b22250d8e1fc0494fb
5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db
7238e57350be305f25ca913714b571ee225a658bf5234d9e98cf72e176b8749b
6b415af659470e76f2e7fd163dc72d040746e6aaa4da4503fe8946675dffe25c
3592f60e97f29ab2d4e60ed3604d154c4455f59c318723aa0d25dd6a5c255f66
1177a24b2539e173f4f9d25c0f3e43a22d23ec64b562a86b4b7ef65741734067
c70d55541b3f4e3efd575c748443c01726e38a6c2e5e20f52a3191ed39548e8c
533c1f6d82962094e076116e5eaf643dd440eff83861ccf26334bc553fb6d129
5a089053f785fbdc6e6d11d32a6e74c9e5af34a6b3be078e867b0fe18833a7b6
258424cd8a701639a5ba89800e9e425463ab6219ce8435a37ea3c28b9b181ffa
0b80872ae84d5a7de900b51596d85e09361774ae22cd577ec4898b4350737a53
a8733ea13062f65d6aaeb65f8836f9c57bc3c3af7c0d04b94bd072ed2f56b1d1
54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88
12b1d0212363628cb57d2379017b94d6bf91029b37b2dcee592a564952855694
ad3cad3320c96364564203d96cc76ebea925dcc8de447195e0c1addb9f28e7e8
38b3c41d485fa638c249ee54c9a3ca358a9eb36e561834d9f7f2fca088da6248
131c1efa923313555608e90d97f0a2d8fdf3fbe4695397278ca391009148f9ac
50c66cf3605ee26dae74c33756b2d2b9622d2c1610b5a002a916821729018d28
cdb363f810ebeea6e40abc725c14e9bf78a3014559ec32903c15fd7576fcac20
371427ad07be3f9c39773c3c0c4b95c86f63dc2e427835565b159f3686818bd0
23f8f5fa14be58995db500b8506fde23f21f469a76912178b7934c354b3ce712
90cd882d4b7aa3939307bcc71bc05d38e600cb22e8984985335df1feac12e44a
4ce4afc5fd856ed5951e35c3efd45fdc03662abf43050fddc564023ef40e6823
86c845b26ff1a36147c647ba50a1cf1ef62c829bcd432bb6ffb6d167532da7c6
34be0ed06faf7cf7e8af122810e391dc4c09958bba1303a226103218b1c79710
47159fe5dc5b2812344f7ec698e318cef30ec35f4425fd386ee8a7856cdaa646
88f80fbe352e5778eb8a9d0cb508c888d8a3c88c676455c5a5dc6348f7a427b1
7fa58fd303e55a23ae5e9a068fbdb9866ab2a3d199a9b5d49893b7a972f321b3
092853fc5c2163fdafef345aff1be3116697804b6f81ef2374422822d1e78bfa
e7f193ed34c9c44b2e7ad602f0abb5eacf9ba78806cac5d8c81a9cf9f1a1477f
6ad806c1234b782cd3a54e146cf02463424fa67c1a3e962c2f43ca10398178b4
7224bbcf3bd6d87e1071cb7e0fb9777796401bf5dd8e8f1875ce5e21ccce8d8e
984326f043144d68f6fd2fbd6748495970ea175eb7353211d6a9e2efef5438ac
de7afeddc29a1d624396c18da80702aa9ab9f8e5212446022a49b7f804252f0e
a3d949b62016bc688520dfe0bf68075ca6666089eea641a62be626aecd1872ef
cccb59dbcce9a68ffed699333477bba15ef02b19de9e5a345eed09e87440fc28
294003b3626890da222c7aeb34f7ac71cec614026c686fd88df269cc175a0e8c
1353ef9da4acb986188b6aae8930ecd1618afc282c4f9d6a85b7f07412d93efd
1683c3759dd64d42623510c28230a23c9b999f12d5b63f2cb02f9eaf769f45a6
8a542076ec9b9522127f2c63954f51720b7a933e701a902c853e8abb37bad7e0
71692ef79be48ddd6f27fc7d11d32f58988d833974eca11740c92511b3b6edbf
6cb8969c2e226f0597598198992dd4afd52d70ac83c187852d3cd872dd6b7a0d
19e2bde176b68e7b609977a3965b60bb74afc5810781e1545c1dc83beeb64672
b88dfd2c66e3965d55bb3e8317e75628b73aa1b789f1ff405dbd421d8510148f
5524ccb07590eff8d27d9807cebede9c67da9189af8dc5055d4df5ec72b89580
e412cff14b15f8734935b193a36c5a4d72957c2976899b8ffeb27cd0f68b6146
158c9599f5310708e34c67ba1f72241b28e0b5633dec9e786fd6031a95da6d3d
af0e7981166891af0e066bc0eb1fb73ae36ba339e05e40510a526385b48ad00d
791d92ffb559abed9ec0f3266f5e0f2a98a5af1fab714f0b3b1b2548f05ca8b0
e23b924ff1c1b8a67aebc3b98711c63e12832e2bdd41ff8a52b15685bfabfc6d
fcc7ce0c1cf2c3d90bef0d564fcb9ac13631d73dd516a4e32f01ecd3ea9bcda9
5f8decf2562bf8f3cf1a82adbf6df031f6899f4efd944f4baf58bbd1ef458531
ba30eaf70b11268accb528ce65cea53a3ec811d2e368e4a3d19ebdfaf02cc233
c200cf3b7b2a80ea464716618af0d4f99588347d106c3bcea19773d760205e16
f0e26d840e7cb41461066f723eb501e4444764f66d3712ea877c456dbcedc4f7
4c6650813906ced18f7564f906ea5a033a206cb2c71f244e0d28a04e3f2d7609
d1a77a1cb9e4123494d9646d4d064289d6c96dd7a1ebde4dc0aab169c42018f0
007c244b9dac3fecd6d8df49314f664afaa4c1c823574108f77189c2925e9594
078a6edfe74bdca838f020373b45f18d1a89abe276d75eedba8cc4a0e8ac0acd
85768ff86e86155faadff2443ea1c9656fc479ffa5f0ae90c9b738bf31ff1080
0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8
7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67
94d6f5344b79742f145659d00c8e6d7113741ced8930b855dd6161b222f3e6c3
b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd
cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67
e54e6afbb7aef8a09455ad1c546fda176e67037fe95869bb1d0967db2d937617
7676e27b7a9afde332f828b3375bcefa5dbe8cb92c274b167b140a22ead8131d
05c4814add59df3a27d840a1494002ac0b0e49aa9348229bd9f438d87e3e56c1
00564ed0e7500f4ed88ae136b1c140425556bf536c6bd8c6c74b7d9665d6fe20
661b2c9879d7ae68512f820689f2198fdc2d71288ed0a6e747a0ae3f4a27f176
f62010b7a1b10bb8cc3bcdfa7e4c96e4acc5e792d670916e0fd7372288a28510
74b7f7ab11694433db9e6f10265127cb9ab239983f0442d6aea1a475713018e3
75e9a0ab3a75f42cdae23e971e2f34f447aeed1bc9b0adf11d47cd2dc04a0835
91a5d06a6ddc1dbc0d573871082b21c0ef5d260987d760bff9b1d19966d0c32d
0a0eebfca8553e921339c90b0060ceb6adcbc5f747696b1abecd376f50283911
079172ddcc7b1086b9bf972b21d0d579dbff695fde14811165a986efe322873a
394c5bdb282b16f8fc323f01c9a0ebe0a3824c95efbc082a5ae7b1d547ab3617
121d462ca9f33798e076d069ec6b84c5ae0573bbaac8df8dd78efbb7041bd30b
52fd5f4ce18c0d8ee4fce41364371d39bf024d3be241cc4f765a6c73cff1d288
8d34477674ccda710d5acd22a1ea3ce7c9e818d7b6d3b19200c896fcf42f5b4b
2ea69f49817149fb5d008a79ac6975b890d949aa57708f3cb76fa15d8ce3f106
32137cf4d6060f5047dcee2185431bcfcd3fa5b244d63050410a4448df737b38
3f6feb2ff90be022f4b11b4e4be46768ce735fa4fda2fc731232fd1105a109da
3f7dbeb177934d53205b93a27b9f4262fe0f46aaf090326cb8e2069d90d0414c
70c558209d7201e690991be17a01c6ef7f5b14775f2cfb288f0abafa43187fe2
3acf15dfd8e4a0fbe7404c2f8aadda1cff0aba5c058f5b5c3481bb44d8ff5b64
ce0545657884415ef34e052fcdf36506eee3f33315810fac1b7f7c615f439dcf
5539d434ee526c3dd170b22ac661ded347391278c129f0f7571d683bdc0fb1db
8f22bfcfe5137aec0a8c659e08c604acbfa1ab64e85a05b2ad99a2995afae0db
e0b4936809d8a75b5095ce25dfb12e14c825e9401d941356749bba86a26b6bbb
f9e07becd2faaba0a53f178a513cef474849c4d82a1e69a871c81617db614296
4533579ade22cae8ab3bf23355133ca9d148328aefb35a543661f818e6af1a1b
bede23ca2e4d3eb802787a7098e718606abd5768e83dd7169b57c05f664a77bf
5ba161e67deaaeaea044b14dca79b7bea7050bd4ad76582c1e229d794e9d9029
fc5b0314dfd53a19bb905de5b758720df8a25857bdd1c5a72e5b1af7d4ff994a
63533c321441c3186976b15172a575eda99ad7ec6a937073b7b36ec45cf3e1f5
f08995b47577c1055a9dba345fec4ef1718e482fb014769e5d29e917837b1aed
e3e871921dd331a3518688e2527c2d5f8178c61e86c287414022fc8ad1fedef0
01e7f777e19a70073e6e8d286263b12b59bf8cc9af1e0b0c9fa4244ff63c9dc0
ba53acdb7d2c6ab550ec8696242a76ef562ca7da24c39656184d7e5333838177
f35cac13d76f955a715a51f5029ec8e4539004f02a447eec2b84febd7a4f62af
ce4f0de3346625b38371d6e608e7f1dce0e078e3c307ffc7ea793f8443a25e9a
75162536c16046734b4d39d6f66a17a502ab3f7763727a0172e80a6d3b0eb27a
4f22748956c9ec725df67a7729730ae3d56f88dc37db966abfc3a7557bbdb69a
a38d77ec66208f83f4065fe43bf51c96b587d2937b0d5f6d1abb1ab973de3751
41556fc8255feca7f1ddd424cec3c7e3f9007fea4f810db053a3886b4d7b8ec1
5a7e59ae0fa4917f94ff223e8499130923a02b0f0f6a39a02fe38dbde3a26e47
462662fa78d865d05b8ab25d9e3df1f033d3af7822055deacfcec845c8c7c9d1
a11e40b54e8ad5e3d24d075395267181f8cf0e12034bc2d38cfbd8a5dddc2b31
525b609b4fac8d454a86232d28999c3135fb2b3c10961723073f431fd75c2020
a0f0432f815889adb15907adaab5489844a71f5527bb07afb3d37f1a6ef948df
b31a48cc3055c0a4d94234ba2bf0844378550d8966cf0197a2cd140a945c8d33
4e6eb217528d9643d9a41ea4ef18d97e64d425d5c419738a82081e2577964de5
90528e80817e530236ab8110837e1afc510cd1b3a69e90787d8dd00eb471a40a
c4c2a82a7d454bb85fa22f12d2571639c1640ba4a6790d708f4a229f91a7a99b
a00f90db29e2c261c2b6bb00093c43659b577708e8afff72c97f17d41bb06e2e
9ca2e817ff19e5313105b3b468c5390aff48fabe778333d4d2d045659818e73a
dc5f62878c3764af000c4f1fe93a837744ff28a37f312856cb1cc4c320d1f1ad
b86a67a7dea558bd5719148ecc93ecb2c4f9270006ff304d860c866519c8ca15
550e199325198e2aeb1c1fe8228a37715962dcad001c447f29f226921e6a9f0e
b0cc835df649b790bf8fde133d284d4bf3b9c6fd65baaa6578f91b9b3fc33b5d
5fce6e4fd13c8a457e073744d51094c40b6bb50b87b3fcad75d14c373eeab9dd
ed29ad4d8d35bc2559a44196300367ef6b073847f7174f61dfa421c9a6d296ac
d623ebd387e46bf8cb0f970d6238d95e5e3226ffce22a987e9565e65753ac603
d607bfcbe22d2dd7d7a40172c2c5e1680d5d1132c8cab4b2ce51b57ca84fe997
883deea17e26a18bb9c6a8d5184f6d4d326b84d16c3d43589fb4a7287bfb0dca
a1f1d8797ffd930f0a16f3a1bd96b58419bb05bcd304a6e4ec2ddc14c664c83c
ab8fbd127119c511a07082e0966dc9e70e8e8e01a2f054ae3d2f39752ff4fdb8
43bf0e585ed703c5aa53e6a74b04e2b3c10a3a7708889a5d823c7f84e29c2aab
96f8492fd115abf7134203668cd31f428efbc1d75edb9c6f26aaf8201e19950e
7d406ea4f3c94f86228662495df35517c89df991b672eb804d5ec796fa0a2a63
3c9a5d90d37ba18c0ff3a4e6461cabdf1de6a3eee8890a39e68a1549c433c7e0
f0c19bca34ec10ca7f3057c3ecccc0a4b2d8f21fa163c1149ca8d15fa9918703
f2420fdc9492498195a8a0bae43cfbf7c721b18c43b55ccfecf941f06164b154
a323ea7dbcedc67d2e78d657ba7cbbab7feaef3702a5fd3baf42738b8eb40692
c91ecca54c0cbdf3f8714d7c92ca6858d4ddb5957ab06f9ed33bb73e3b5f6207
e7cf9ae73751f92a53dbbc41b4939510e23352bf3a942e86b269c72b80cdb63c
ff42ccd0615ed68fd5f182a4b960d81c342f9bc66a4cfc604b6c59db8d34d9ac
SH256 hash:
cfee71819392779f8b9f228c2601ff9a89b36c9f3bf56350cedc35bbf957f4a9
MD5 hash:
f08e3c698a78d36cf2205af33d9c8c41
SHA1 hash:
6fa3afdf39c1904e5117906fa2941c9658686779
Link:
https://www.unpac.me/results/774b2ad6-802e-4f43-8282-ec99f7731978/
SH256 hash:
de8904daf0c5ec9ad4225fc8a4f9b3b66fd2de5d18b0cb3bfb94bb8b7ef7f969
MD5 hash:
c95c64e92050393503b9ffb080c2af86
SHA1 hash:
0be1f442c957e4e5fc5253be099f705b5ee80630
Link:
https://www.unpac.me/results/774b2ad6-802e-4f43-8282-ec99f7731978/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/de8904daf0c5ec9ad4225fc8a4f9b3b66fd2de5d18b0cb3bfb94bb8b7ef7f969

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BAZT_B5_NOCEXInvalidStream
Create hunting rule
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SelfExtractingRAR
Create hunting rule
Author:Xavier Mertens
Description:Detects an SFX archive with automatic script execution
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments