MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fae6dc998bb8a42b608d9a01e8a8e1ce38cb922e36a232190f9491707026cd70. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 13

Intelligence 13 IOCs YARA 6 File information Comments

SHA256 hash:	fae6dc998bb8a42b608d9a01e8a8e1ce38cb922e36a232190f9491707026cd70
SHA3-384 hash:	e8e3afb01c77af5257b827c138c7c1ef9cb291ef27b1bdefb77b67856b5f8aeaed027a1cbd81349a86f62f97d3ea5871
SHA1 hash:	4ceb9ba17e73bbac4f352d40574ca12129e732f5
MD5 hash:	c935eaa77a4e2a2176cf8c5b65c59289
humanhash:	uncle-bluebird-virginia-monkey
File name:	tg.bin_1758442576.exe
Download:	download sample
File size:	427'520 bytes
First seen:	2025-12-06 15:11:57 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	2ac29b9a5552466e33223f8c3f0a9886 (1 x DCRat)
ssdeep	6144:f16Zc7rYXqR4mdO3Dt4a6/ePsDj3B/GvU7ke3GVfx:f16cHrimWDt4pDj3B/PQj
Threatray	37 similar samples on MalwareBazaar
TLSH	T14794E732B4C8D5A4F187D8B21C15D996CE1379438FF2294B77CA7F5E072A0580EE369A
TrID	48.7% (.EXE) Win64 Executable (generic) (10522/11/4) 23.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.3% (.EXE) OS/2 Executable (generic) (2029/13) 9.2% (.EXE) Generic Win/DOS Executable (2002/3) 9.2% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
Reporter	skocherhan
Tags:	exe pttphddopp-oss-cn-hongkong-aliyuncs-com

skocherhan

https://pttphddopp.oss-cn-hongkong.aliyuncs.com/zh/tg.bin_1758442576.exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

tg.bin_1758442576.exe

Verdict:

No threats detected

Analysis date:

2025-12-06 15:17:21 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/8307d501-d6c6-4775-9679-570e42dcfe28

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/42738/

Verdict:

Malicious

Score:

96.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=693447e1c61465c74cbc0078

Tags:

shellcode virus

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-debug dcrat dfsvc lolbin microsoft_visual_cc mikey mmc

Link:

https://www.filescan.io/uploads/693447e9d12d1c79d42a120c/reports/398f605b-760c-4d27-ac33-2c82b3f745c6/overview

Verdict:

Malicious

Labled as:

Mikey.Generic

Link:

https://www.hybrid-analysis.com/sample/fae6dc998bb8a42b608d9a01e8a8e1ce38cb922e36a232190f9491707026cd70

Verdict:

Malicious

File Type:

dll x64

First seen:

2025-10-05T04:33:00Z UTC

Last seen:

2025-10-19T04:28:00Z UTC

Hits:

~100

Detections:

VHO:Trojan.Win32.Sdum.gen VHO:Backdoor.Win32.Androm.gen Backdoor.Win32.DcRat.uv

Link:

https://opentip.kaspersky.com/fae6dc998bb8a42b608d9a01e8a8e1ce38cb922e36a232190f9491707026cd70/results?tab=lookup

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/3adaff09-fabe-4720-a71e-bf592e64db73

Score:

94%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/fae6dc998bb8a42b608d9a01e8a8e1ce38cb922e36a232190f9491707026cd70

Verdict:

inconclusive

YARA:

7 match(es)

Tags:

Executable Html PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/c935eaa77a4e2a2176cf8c5b65c59289

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/fae6dc998bb8a42b608d9a01e8a8e1ce38cb922e36a232190f9491707026cd70/

Verdict:

Malicious

Threat:

VHO:Backdoor.Win32.Androm

Link:

https://tip.neiki.dev/file/fae6dc998bb8a42b608d9a01e8a8e1ce38cb922e36a232190f9491707026cd70

Threat name:

Win64.Trojan.DCRat

Status:

Malicious

First seen:

2025-10-07 08:21:29 UTC

File Type:

PE+ (Dll)

Extracted files:

AV detection:

17 of 23 (73.91%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=7ltnzgmlxcscwyentia6rkhbzy4mxerog2rdegipssixa4bgzvya._file

Verdict:

malicious

Label(s):

unc_loader_078

1ead277b73239b1e41be4c70c1bf9b850a9e99dcce938356b1a54b1f5ea1a61e

66cee30a999770e51c8a80b6aa279607cbbb27bb581bf8763421777559869281

aad0a60cb86e3a56bcd356c6559b92c4dc4a1a960f409fb499cf76c9b5409fdb

c2c68123486badda33b199b00beb3c098a067469593a371fdd54f2b6a2b03814

ca1bdc88420ca628f2f29fb4e32e3b3a3cda6b93a6e060f626eae5b6a3cc57e1

eae00f35df37b967e5876281d5ef6dd2c46516c59381d93078ab16278c5e1712

error

fae6dc998bb8a42b608d9a01e8a8e1ce38cb922e36a232190f9491707026cd70

+ 27 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

adware defense_evasion spyware

Link:

https://tria.ge/reports/251206-slggvafs9f/

Behaviour

Kills process with taskkill

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Drops file in Program Files directory

Drops file in Windows directory

Executes dropped EXE

Badlisted process makes network request

Downloads MZ/PE file

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/15c5e920-b35b-4492-92af-eb5ae4dee28a

Unpacked files

SH256 hash:

fae6dc998bb8a42b608d9a01e8a8e1ce38cb922e36a232190f9491707026cd70

MD5 hash:

c935eaa77a4e2a2176cf8c5b65c59289

SHA1 hash:

4ceb9ba17e73bbac4f352d40574ca12129e732f5

Link:

https://www.unpac.me/results/8915482f-84b5-44ad-aae0-7a5f96e90c34/

Malware family:

zgRAT

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/fae6dc998bb8/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/fae6dc998bb8a42b608d9a01e8a8e1ce38cb922e36a232190f9491707026cd70

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Detect_Kimsuky_APT_Malware Create hunting rule
Author:	daniyyell
Description:	Detects Kimsuky APT malware delivery technique using a malicious MMC console file

Rule name:	dgaaga Create hunting rule
Author:	Harshit
Description:	Detects suspicious PowerShell or registry activity

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	pe_detect_tls_callbacks Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

0345c0cca8c8aed856ebff1d423163c4cc578f4e3e96a84c72eecdeba4b4b014

exe fae6dc998bb8a42b608d9a01e8a8e1ce38cb922e36a232190f9491707026cd70

(this sample)

Dropped by

SHA256 0345c0cca8c8aed856ebff1d423163c4cc578f4e3e96a84c72eecdeba4b4b014

Cape

https://www.capesandbox.com/analysis/42738/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample