MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 05963059249f086c08d8487b82e08f4e6ba91ec4391484cf2bf54258aa2e6a64. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 6


Intelligence 6 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 05963059249f086c08d8487b82e08f4e6ba91ec4391484cf2bf54258aa2e6a64
SHA3-384 hash: cad2ac44e8bf24910e9a3be1cef57cec9e444fbce33a0f4bfb07da89b3365f3345009e4359fd1ff74da3c2fa6333acba
SHA1 hash: 984697307d4c5f9ff36286a0ad743d26bc685973
MD5 hash: 7d8e9f911abd4a98855ba0ac37ae9396
humanhash: charlie-equal-low-foxtrot
File name:7d8e9f911abd4a98855ba0ac37ae9396.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:729'600 bytes
First seen:2022-03-03 09:41:10 UTC
Last seen:2022-03-24 06:00:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash afec26099e3f11d466913b19e228f448 (1 x DCRat)
ssdeep 12288:ta4LrXpPMxl/685yWqOn4g9p1dE651HrNNgqGK/lGRgOUqmq9kR6lhKXJ/DZgcxm:1I/6hOX5WqGK/cRgOnmq9g6Gacx6mSp
Threatray 1'689 similar samples on MalwareBazaar
TLSH T127F423516A47E208D2621AF37F3EFB170322375674C8CBB1FE91752BB8A04D8766146E
File icon (PE):PE icon
dhash icon 0e2933985921528c (1 x DCRat)
Reporter abuse_ch
Tags:DCRat exe RAT

Intelligence

File Origin
# of uploads :
3
# of downloads :
244
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/246909/
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/07c2f14a-01a0-4c50-9b39-b02254b34cd2
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/950140
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Contains functionality to detect sleep reduction / modifications
Contains functionality to inject code into remote processes
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
PE file has nameless sections
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Writes to foreign memory regions
Yara detected DCRat
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/05963059249f086c08d8487b82e08f4e6ba91ec4391484cf2bf54258aa2e6a64/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-02-13 04:04:34 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
29 of 42 (69.05%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=awldawjet4egycgyjb5yfyepjzv2shwehekijtzl6vbfrkronjsa._file
Verdict:
malicious
Similar samples:
09b9283286463b35ea2d5abfa869110eb124eb8c1788eb2630480d058e82abf2
DCRat
44caf98e5ae6e4c45d0c49f0ec2ba8e833e806e74c5b3cde1b48d440f873d97a
DCRat
55ded456339aef89e7d891f0c7f494c11d8983233106d64069bc767ab06ceb71
DCRat
57933bc5c60de83fddbc7a2c6522e6481c9e684e342fed86a4c38bf08c4a6b0f
DCRat
6ccf16f1d1a495de9f5e7c1b60dd09da612ba2355887ebeb56cc1cacb5d64a5e
DCRat
72660328d491a37b99ae219252eccab4dfd568329fbb72e512167b239ba2c190
DCRat
ddfd59739281a6a3312661a1da66a6ca9a7007ce4c00675220a5c5b1b6f95a3f
DCRat
e09771f1dba3b7dae3164b716b7b7e7ece24ab94244ca27a731a1856d4820f4e
DCRat
e3c2d04c155b63a71d10e42a3c81199a6627a60363e3c978228ab14a8897bf9d
DCRat
+ 1'679 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/220303-lpcjqsadb3/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SH256 hash:
5e601df630e7814b2c12199c0bc5859c4de2ddc1ec5129360d771fc20a05449e
MD5 hash:
b6f16523210b958acf8bbb2a8fb97396
SHA1 hash:
a083d0ceb2bac95d165b8269ca7d977205f989b5
Link:
https://www.unpac.me/results/6b9f497f-c962-4910-b711-78623a02e1ec/
SH256 hash:
b4ab141d37f913c1f05049ec62e4296ec3017dbe153d2477b5b0b49aef736e4b
MD5 hash:
b6f22a1ad4f64ac13ce434a449908e20
SHA1 hash:
149dd3ea1dac986a6631173bb4eb6fed470172cc
Link:
https://www.unpac.me/results/6b9f497f-c962-4910-b711-78623a02e1ec/
SH256 hash:
cc0b9ecd9c9613e5e1c240d25c1f295e0e20e3e93a995f8d805072119cbb71a3
MD5 hash:
7545f6a1369e4056b06928d19890800b
SHA1 hash:
ba6b99fabe3729734bc40f85c58cf377512485cd
Link:
https://www.unpac.me/results/6b9f497f-c962-4910-b711-78623a02e1ec/
SH256 hash:
05963059249f086c08d8487b82e08f4e6ba91ec4391484cf2bf54258aa2e6a64
MD5 hash:
7d8e9f911abd4a98855ba0ac37ae9396
SHA1 hash:
984697307d4c5f9ff36286a0ad743d26bc685973
Link:
https://www.unpac.me/results/6b9f497f-c962-4910-b711-78623a02e1ec/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/05963059249f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.36
Link:
https://yomi.yoroi.company/submissions/05963059249f086c08d8487b82e08f4e6ba91ec4391484cf2bf54258aa2e6a64

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
Create hunting rule
Author:ditekSHen
Description:Detects executables containing bas64 encoded gzip files
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:MALWARE_Win_DCRat
Create hunting rule
Author:ditekSHen
Description:DCRat payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DCRat

Executable exe 05963059249f086c08d8487b82e08f4e6ba91ec4391484cf2bf54258aa2e6a64

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2072363/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2072523/
  
URLhaus
https://urlhaus.abuse.ch/url/2072646/
  
URLhaus
https://urlhaus.abuse.ch/url/2073024/
Cape
Cape
https://www.capesandbox.com/analysis/246909/
  
URLhaus
https://urlhaus.abuse.ch/url/2073418/
  
URLhaus
https://urlhaus.abuse.ch/url/2073299/

Comments