MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d7d01ed2aca68c7c4bd345a7a0bf360c252464f3e6fc7751617981f3c33c152a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DCRat

Vendor detections: 14

Intelligence 14 IOCs YARA 2 File information Comments

SHA256 hash:	d7d01ed2aca68c7c4bd345a7a0bf360c252464f3e6fc7751617981f3c33c152a
SHA3-384 hash:	f8b15e7033f7f0639b5d9e7133609b1e14399ea40ec9dc555786f284fba25f871697d46bc5b8965c2680431eb991a186
SHA1 hash:	c7c2f7133c0bb3211bc3bcf3d073af4fb37dd67d
MD5 hash:	aa38bcecdf7452699db062e25aaae1b4
humanhash:	delaware-hotel-oxygen-oxygen
File name:	aa38bcecdf7452699db062e25aaae1b4.exe
Download:	download sample
Signature	DCRat Create hunting rule
File size:	4'691'456 bytes
First seen:	2023-04-15 15:44:18 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	ef21ee89c7469c699a67e52a11310e0c (1 x DCRat)
ssdeep	98304:8fI2gwP/DiOkA0G+m8HqhjKlepE6rHWhwGTJKAZyjX0cYCtLuFHnn2LVlOlfHXwe:8fI2hmBA0SGmsToIyjX0cYCtCJP/gM09
Threatray	158 similar samples on MalwareBazaar
TLSH	T10B26BE31BD80C0A2F7D33238891BF23ABAED557906BF31C713909E18396758E571966B
TrID	32.2% (.EXE) Win64 Executable (generic) (10523/12/4) 20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 15.4% (.EXE) Win16 NE executable (generic) (5038/12/1) 13.7% (.EXE) Win32 Executable (generic) (4505/5/1) 6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	abuse_ch
Tags:	DCRat exe RAT

Intelligence

File Origin

# of uploads :

# of downloads :

265

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

aa38bcecdf7452699db062e25aaae1b4.exe

Verdict:

Suspicious activity

Analysis date:

2023-04-15 15:49:23 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/2e067990-e72c-4930-ac25-e60af8298e4d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/382446/

Detection(s):

SecuriteInfo.com.DeepScan.Generic.ShellCode.Donut.Marte.2.37890627.8960.19658.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file

Сreating synchronization primitives

Sending a custom TCP request

Creating a file in the Windows directory

Using the Windows Management Instrumentation requests

Creating a file in the %temp% directory

Creating a process from a recently created file

Enabling autorun by creating a file

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/79759/overview

Behaviour

MalwareBazaar

MeasuringTime

CheckScreenResolution

CheckCmdLine

EvasionQueryPerformanceCounter

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

donut greyware keylogger shell32.dll

Link:

https://www.filescan.io/uploads/643ac681d7442971e960e2c7/reports/e47b55b0-73dd-42b8-b60b-161368cef940/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_70%

Link:

https://www.hybrid-analysis.com/sample/d7d01ed2aca68c7c4bd345a7a0bf360c252464f3e6fc7751617981f3c33c152a

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/600843ed-7876-4799-a0c9-a5ee1a9be68c

Result

Threat name:

AsyncRAT, DcRat

Detection:

malicious

Classification:

troj

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1214373

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected AsyncRAT

Yara detected DcRat

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d7d01ed2aca68c7c4bd345a7a0bf360c252464f3e6fc7751617981f3c33c152a/

Threat name:

ByteCode-MSIL.Exploit.DonutMarte

Status:

Malicious

First seen:

2023-04-11 06:35:16 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

13 of 37 (35.14%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=27ib5uvmu2ghys6tiwt2bpzwbqssizht436houlbpga7hqz4cuva._file

Verdict:

malicious

Label(s):

asyncrat

DCRat

1d430c6c2ff0fe3461375292d8198cdc07e07a1bcbed0d71f1ecc9d77c5ab756

DCRat

6a57409b5f4d0ae13167353c059ddf4b9fe7920647a119a70438dae02a35586e

DCRat

8120a70642e26c40705aa7de3368bdf4059f700d6c119bd3225ed7eb82f17d50

DCRat

be289dc615b1aaf7535a509e05f3786b743ae23aaa5bd39ee00ddc98160ed53c

DCRat

d46e5210bfb02e60f5bfafc60fd5614571e714c897cbf47dff2441365679e256

DCRat

d6b3bc537987b07272a130118ffed33553c9cbfdbdc7b835048725bee0cfdb28

DCRat

+ 148 additional samples on MalwareBazaar

Result

Malware family:

asyncrat

Score:

10/10

Tags:

family:asyncrat botnet:default botnet:group rat

Link:

https://tria.ge/reports/230415-s63wksef32/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Drops file in Windows directory

Async RAT payload

AsyncRat

Malware Config

C2 Extraction:

193.200.134.9:9969
43.154.97.109:1981

Unpacked files

SH256 hash:

e14fc28a32dc5d55ba51fce0029d022a2375b583b922853db999fbabe391ea7c

MD5 hash:

9cd91e417de7c1b3d5d0f0540a0c7702

SHA1 hash:

400284a3089b550cd53a0c95ec65fed6a6ab0018

Detections:

DCRat

Link:

https://www.unpac.me/results/0d6959bc-e71f-4b28-ac49-e114d9b5faa7/

SH256 hash:

d7d01ed2aca68c7c4bd345a7a0bf360c252464f3e6fc7751617981f3c33c152a

MD5 hash:

aa38bcecdf7452699db062e25aaae1b4

SHA1 hash:

c7c2f7133c0bb3211bc3bcf3d073af4fb37dd67d

Link:

https://www.unpac.me/results/0d6959bc-e71f-4b28-ac49-e114d9b5faa7/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d7d01ed2aca68c7c4bd345a7a0bf360c252464f3e6fc7751617981f3c33c152a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/382446/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample