MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eaf4c919002576a1aa5c7729d2f953d8c0fcc2c4d34b3597ec15c207ef026e05. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat: unknown

Vendor detections: 6



SHA256 hash: eaf4c919002576a1aa5c7729d2f953d8c0fcc2c4d34b3597ec15c207ef026e05
SHA3-384 hash: b5c61556807e005ee83de6f4bb1d9b05a4b9b127970af40b9bdd11c1578546c1d70e55ba706b021520e04eb61e964d5e
SHA1 hash: 7167d5a0d37f76bb94da3f718e0dd8a38b9578dd
MD5 hash: 4d8fa4b52519363f3bc86927e6008ad4
humanhash: eighteen-arizona-ack-robert
File name: RUSH.bin
File size: 2'869'760 bytes
First seen: 2020-08-04 12:44:32 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 49152:6nsHyjtk2MYC5GDKnsHyjtk2MYC5GDwX9MW5gcK0wLwec4kDUDAz+FhkGH3R:6nsmtk2arnsmtk2aTX9MW5gNXLSDUDvu
Threatray: 143 similar samples on MalwareBazaar
TLSH: 91D5C032B2D19437D1731A3D9C6BA3A5983ABE511E38754E3BF81E4C4F3D68229252D3
Reporter: JAMESWT_WT

Intelligence


File Origin
Uploads: 1
Downloads: 59
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a file
Creating a window
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Moving a recently created file
Searching for the window
Sending a UDP request
Creating a file in the %temp% directory
Moving a file to the %temp% directory
Modifying an executable file
Deleting a recently created file
Launching the default Windows debugger (dwwin.exe)
DNS request
Sending an HTTP GET request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Infecting executable files
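The behaviour list above is what the sandbox observed; on a live host the same behaviours have to be correlated from telemetry. The following is an added example, not code from MalwareBazaar or from the sandbox vendor, that implements four of the listed behaviours as rules over Sysmon-style events (event ids 1 = ProcessCreate, 8 = CreateRemoteThread, 11 = FileCreate, 13 = RegistryEvent value set). The event shape, the 120-second "recently created" window, the rule names and the events in SAMPLE_EVENTS are all assumptions constructed for the example; the paths echo the sandbox graph, but the pids and the Run value name are invented.

```python
"""Correlating the sandbox behaviours listed above over host telemetry.

Added example; it is not code from MalwareBazaar or from the sandbox that
produced the list.  Event records use a constructed, Sysmon-like shape
(Sysmon event ids 1 = ProcessCreate, 8 = CreateRemoteThread, 11 = FileCreate,
13 = RegistryEvent value set); the events in SAMPLE_EVENTS are invented for
the example and were not captured from this sample.
"""
from typing import Dict, List, Tuple

RECENT_SECONDS = 120                       # assumption: "recently created" window
EXECUTABLE_EXT = (".exe", ".dll", ".scr")  # what counts as a dropped executable
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\programdata\\")
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"

Finding = Tuple[str, int, str]             # (rule, pid, detail)


def analyse(events: List[dict]) -> Tuple[List[Finding], str]:
    """Walk events in time order and return (findings, verdict).

    Four of the listed behaviours are implemented: an executable written to a
    user-writable directory, a process started from a file created within
    RECENT_SECONDS, a value set under the Run key, and a remote thread created
    in another process.  The verdict is a simple count of distinct rules hit.
    """
    created_at: Dict[str, float] = {}      # lower-cased path -> time of FileCreate
    findings: List[Finding] = []
    for ev in sorted(events, key=lambda e: e["t"]):
        if ev["id"] == 11:                 # FileCreate
            low = ev["target"].lower()
            created_at[low] = ev["t"]
            if low.endswith(EXECUTABLE_EXT) and any(d in low for d in USER_WRITABLE):
                findings.append(("exe-dropped-user-writable", ev["pid"], ev["target"]))
        elif ev["id"] == 1:                # ProcessCreate
            born = created_at.get(ev["image"].lower())
            if born is not None and ev["t"] - born <= RECENT_SECONDS:
                findings.append(("process-from-recent-file", ev["pid"], ev["image"]))
        elif ev["id"] == 13:               # RegistryEvent (value set)
            if RUN_KEY in ev["target"].lower():
                findings.append(("run-key-persistence", ev["pid"], ev["target"]))
        elif ev["id"] == 8:                # CreateRemoteThread
            findings.append(("remote-thread-injection", ev["pid"], ev["target_image"]))
    distinct = {rule for rule, _, _ in findings}
    verdict = "malicious-chain" if len(distinct) >= 3 else "review"
    return findings, verdict


# Constructed events: a dropper writes a copy to %AppData%, runs it, that copy
# drops and runs a second binary from %ProgramData%, which persists via the Run
# key and injects into an Office process.  Paths echo the sandbox graph; the
# Run value name and the pids are invented.
SAMPLE_EVENTS = [
    {"id": 11, "t": 0, "pid": 100, "image": r"C:\Users\user\Desktop\RUSH.exe",
     "target": r"C:\Users\user\AppData\Roaming\RUSH.exe"},
    {"id": 1, "t": 5, "pid": 200, "ppid": 100, "image": r"C:\Users\user\AppData\Roaming\RUSH.exe"},
    {"id": 11, "t": 6, "pid": 200, "image": r"C:\Users\user\AppData\Roaming\RUSH.exe",
     "target": r"C:\ProgramData\Synaptics\Synaptics.exe"},
    {"id": 1, "t": 8, "pid": 300, "ppid": 200, "image": r"C:\ProgramData\Synaptics\Synaptics.exe"},
    {"id": 13, "t": 9, "pid": 300, "image": r"C:\ProgramData\Synaptics\Synaptics.exe",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\example",
     "details": r"C:\ProgramData\Synaptics\Synaptics.exe"},
    {"id": 8, "t": 10, "pid": 300, "image": r"C:\ProgramData\Synaptics\Synaptics.exe",
     "target_pid": 400, "target_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    # Benign noise: a non-executable file in %temp%, and a process whose image
    # was not recently written.  Neither should produce a finding.
    {"id": 11, "t": 50, "pid": 999, "image": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Users\user\AppData\Local\Temp\session.tmp"},
    {"id": 1, "t": 3000, "pid": 500, "ppid": 1, "image": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    found, verdict = analyse(SAMPLE_EVENTS)
    for rule, pid, detail in found:
        print(f"{rule:28} pid={pid:<4} {detail}")
    print("verdict:", verdict)
```

The "process from a recently created file" rule is the one that does most of the work here: on its own, an executable in %AppData% or %ProgramData% is common for legitimate installers, but the same process writing a file and launching it seconds later, followed by a Run-key write and a remote thread into an Office process, is the chain the sandbox graph shows. The three-rule threshold is a starting point for tuning, not a calibrated score.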
Result
Threat name: Unknown
Detection: malicious
Classification: expl.evad.troj
Score: 72 / 100
Signature
.NET source code contains potential unpacker
Binary contains a suspicious time stamp
Contains functionality to detect sleep reduction / modifications
Creates HTML files with .exe extension (expired dropper behavior)
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA with functions possibly related to HTTP operations
Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)
Drops PE files to the document folder of the user
Injects files into Windows application
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Uses dynamic DNS services
Behaviour
Behavior Graph (ID 256968, sample RUSH.exe, start date 04/08/2020, architecture WINDOWS, score 72), recovered from the graphic as a process tree:

Sample-level signatures: .NET source code contains potential unpacker; May check the online IP address of the machine; Machine Learning detection for sample; 8 other signatures. Domain contacted: xred.mooo.com.

RUSH.exe (started)
  dropped: C:\Users\user\AppData\Roaming\RUSH.exe (PE32); C:\Users\user\...\Discord Token Grabber.exe (PE32); C:\Users\user\AppData\Local\...\RUSH.exe.log (ASCII)
  signature: Machine Learning detection for dropped file
  RUSH.exe (child)
    dropped: C:\Users\user\Desktop\._cache_RUSH.exe (PE32); C:\ProgramData\Synaptics\Synaptics.exe (PE32); C:\ProgramData\Synaptics\RCXB42C.tmp (PE32)
    signature: Machine Learning detection for dropped file
    Synaptics.exe
      network: freedns.afraid.org 50.23.197.93 port 80 (local port 49733), SOFTLAYERUS, United States; googlehosted.l.googleusercontent.com 216.58.214.193 port 443 (local ports 49731, 49732), GOOGLEUS, United States; 13 other IPs or domains
      dropped: C:\Users\user\Documents\JSDNGYCOWY\~$cache1 (PE32); C:\Users\user\Desktop\RUSH.exe (PE32); C:\Users\user\AppData\Local\...\f1aqs7LO.exe (PE32); 2 other malicious files
      signatures: Drops PE files to the document folder of the user; Creates HTML files with .exe extension (expired dropper behavior); Machine Learning detection for dropped file; Contains functionality to detect sleep reduction / modifications
    ._cache_RUSH.exe
      dropped: C:\RUSH.exe (PE32+); C:\dmw.exe (PE32)
      RUSH.exe
        signature: Machine Learning detection for dropped file
        WerFault.exe
          dropped: C:\ProgramData\Microsoft\...\Report.wer (Little-endian)
      dmw.exe
  Discord Token Grabber.exe
    dropped: C:\...\._cache_Discord Token Grabber.exe (PE32)
    ._cache_Discord Token Grabber.exe
      network: wtfismyip.com 95.217.228.176 port 443 (local port 49717), HETZNER-ASDE, Germany; discordapp.com 162.159.135.233 port 443 (local port 49718), CLOUDFLARENETUS, United States; 192.168.2.1 (unknown)
EXCEL.EXE (started)
  signature: Injects files into Windows application
Synaptics.exe (started)
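The hashes in the entry header and the hosts, IPs and drop paths in the behaviour graph are the indicators a responder would actually search for. The following is an added example, not code from MalwareBazaar or from any sandbox vendor, that turns them into a small matcher: it computes all four published digests of a file for a field-by-field comparison with the entry, and scans DNS, connection, file and hash records for the graph's indicators. The indicator values are copied from this page; the decision to match the whole dynamic-DNS zones (mooo.com, afraid.org), to flag wtfismyip.com as an external-IP check, to skip the Discord and Google hosts as too noisy, and the records in SAMPLE_RECORDS are all my assumptions, constructed for the example.

```python
"""Matching the indicators in this entry against host and network records.

Added example; not code from MalwareBazaar or from any sandbox vendor.  The
hash, domain, IP and path values are copied from the entry above; the records
in SAMPLE_RECORDS are constructed for the example.  Which hosts to treat as
indicators, and which to skip as too noisy, is my choice, not the page's.
"""
import hashlib
import re
from typing import List, Optional, Tuple

# The four digests MalwareBazaar publishes for this sample.
SAMPLE_HASHES = {
    "md5": "4d8fa4b52519363f3bc86927e6008ad4",
    "sha1": "7167d5a0d37f76bb94da3f718e0dd8a38b9578dd",
    "sha256": "eaf4c919002576a1aa5c7729d2f953d8c0fcc2c4d34b3597ec15c207ef026e05",
    "sha3_384": "b5c61556807e005ee83de6f4bb1d9b05a4b9b127970af40b9bdd11c1578546c1d70e55ba706b021520e04eb61e964d5e",
}
KNOWN_HOSTS = {"xred.mooo.com", "freedns.afraid.org"}   # from the behaviour graph
IP_CHECK_HOSTS = {"wtfismyip.com"}                        # "May check the online IP address"
DYNDNS_ZONES = {"mooo.com", "afraid.org"}                # "Uses dynamic DNS services" (assumption: whole zone)
KNOWN_IPS = {"50.23.197.93", "95.217.228.176"}
# discordapp.com and googleusercontent.com also appear in the graph but are
# deliberately left out: they carry far too much benign traffic to alert on.
DROP_PATHS = [
    re.compile(r"\\ProgramData\\Synaptics\\Synaptics\.exe$", re.I),
    re.compile(r"\\AppData\\Roaming\\RUSH\.exe$", re.I),
    re.compile(r"\\\._cache_[^\\]+\.exe$", re.I),       # ._cache_<name>.exe as dropped by the sample
]

Hit = Tuple[str, str]                                    # (tag, matched value)


def digests(data: bytes) -> dict:
    """Compute the same four digests the entry lists, so a local file can be
    compared with it field by field (a mismatch on any one is a different file)."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
    }


def matches_sample(data: bytes) -> bool:
    d = digests(data)
    return all(d[k] == v for k, v in SAMPLE_HASHES.items())


def hostname_hit(host: str) -> Optional[str]:
    """Classify a queried hostname; exact indicators win over zone matches."""
    host = host.lower().rstrip(".")
    if host in KNOWN_HOSTS:
        return "known-host"
    if host in IP_CHECK_HOSTS:
        return "external-ip-check"
    labels = host.split(".")
    for i in range(len(labels) - 1):                     # any parent zone of the name
        if ".".join(labels[i:]) in DYNDNS_ZONES:
            return "dyndns-zone"
    return None


def scan_records(records: List[dict]) -> List[Hit]:
    """records are dicts with a 'type' of dns / conn / file / hash and the
    relevant field; the shape is an assumption for this example."""
    hits: List[Hit] = []
    for r in records:
        kind = r.get("type")
        if kind == "dns":
            tag = hostname_hit(r["query"])
            if tag:
                hits.append((tag, r["query"]))
        elif kind == "conn" and r["dst"] in KNOWN_IPS:
            hits.append(("known-ip", r["dst"]))
        elif kind == "file" and any(p.search(r["path"]) for p in DROP_PATHS):
            hits.append(("drop-path", r["path"]))
        elif kind == "hash" and r.get("sha256", "").lower() == SAMPLE_HASHES["sha256"]:
            hits.append(("sample-hash", r["sha256"]))
    return hits


SAMPLE_RECORDS = [   # constructed for this example, not captured from a host
    {"type": "dns", "query": "xred.mooo.com"},
    {"type": "dns", "query": "update.microsoft.com"},
    {"type": "dns", "query": "other-host.mooo.com"},
    {"type": "conn", "dst": "50.23.197.93"},
    {"type": "file", "path": r"C:\ProgramData\Synaptics\Synaptics.exe"},
    {"type": "file", "path": r"C:\Users\user\Desktop\._cache_RUSH.exe"},
    {"type": "hash", "sha256": SAMPLE_HASHES["sha256"].upper()},
]

if __name__ == "__main__":
    for tag, value in scan_records(SAMPLE_RECORDS):
        print(f"{tag:20} {value}")
```

Hash comparison is case-insensitive and covers all four algorithms because the entry lists all four; a file that matches on MD5 but not on SHA256 is not this sample. Zone-level matching on the dynamic-DNS providers is the part most likely to need tuning: those zones host plenty of legitimate hobbyist hosts, so a "dyndns-zone" hit is a lead to pivot on, while a "known-host" hit on xred.mooo.com is the indicator itself.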
Threat name: Win32.Backdoor.DarkComet
Status: Malicious
First seen: 2020-07-02 07:02:00 UTC
File Type: PE (.Net Exe)
Extracted files: 68
AV detection: 25 of 29 (86.21%)
Threat level: 5/5
Result
Malware family: n/a
Score: 1/10
Tags: n/a
Behaviour
NSIS installer
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.
