MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 19aceb2fba23c1cdd7451020026c37be2790f50c7ebd7d6ac8a1c536c0866683. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 13


Intelligence 13 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 19aceb2fba23c1cdd7451020026c37be2790f50c7ebd7d6ac8a1c536c0866683
SHA3-384 hash: d85254bb8eadca9a66240b6f6319ddd73ecd3f0604486e166de1ad75f1df72c9b8eb7a44c80151d655082016c5b3f6ad
SHA1 hash: 59796bff9a3d4840260d2c1c8db20ec95d35d840
MD5 hash: 7d401cf63d2d3b7faf241597aa304da6
humanhash: two-finch-nevada-echo
File name:SecuriteInfo.com.Variant.Zusy.534733.10706.2650
Download: download sample
Signature DCRat
Create hunting rule
File size:5'396'872 bytes
First seen:2024-01-29 16:27:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 49152:+vxwik2jqiC8Mv4ESW9VRRLHH5qzK2eJM/pZPfd4uq8vxGlHUvIBWYZUtcMfJqH9:cxw8Lst
TLSH T10F469C243CFB505DA173FF966FECB9EADD9EF6622509646B104103078B12E80EE5293D
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter SecuriteInfoCom
Tags:DCRat exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
423
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/473475/
Detection(s):
SecuriteInfo.com.Variant.Zusy.534733.10706.2650.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file
Creating a file in the Program Files subdirectories
Creating a file in the %temp% directory
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a process from a recently created file
Loading a suspicious library
Using the Windows Management Instrumentation requests
DNS request
Sending an HTTP POST request
Creating a window
Searching for synchronization primitives
Unauthorized injection to a recently created process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade overlay packed
Link:
https://www.filescan.io/uploads/65b7d22040cbb80fe048a751/reports/740bc1a4-d013-475c-a895-b58906f089d3/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/19aceb2fba23c1cdd7451020026c37be2790f50c7ebd7d6ac8a1c536c0866683
Result
Verdict:
MALICIOUS
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ee1acfbe-2e39-4204-ad9a-42d85ace9c1b
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1382845
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code contains very large strings
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Drops PE files to the user root directory
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Files With System Process Name In Unsuspected Locations
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected DCRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1382845 Sample: SecuriteInfo.com.Variant.Zu... Startdate: 29/01/2024 Architecture: WINDOWS Score: 100 42 139207cm.nyashmyash.top 2->42 50 Snort IDS alert for network traffic 2->50 52 Antivirus detection for URL or domain 2->52 54 Antivirus detection for dropped file 2->54 56 12 other signatures 2->56 8 SecuriteInfo.com.Variant.Zusy.534733.10706.2650.exe 4 39 2->8         started        signatures3 process4 file5 34 C:\Users\user\Desktop\yXuGZpkk.log, PE32 8->34 dropped 36 C:\Users\user\Desktop\yOWGpDRn.log, PE32 8->36 dropped 38 C:\Users\user\Desktop\wVHYEGgp.log, PE32 8->38 dropped 40 22 other malicious files 8->40 dropped 58 Drops PE files to the user root directory 8->58 12 cmd.exe 1 8->12         started        signatures6 process7 signatures8 60 Uses ping.exe to sleep 12->60 62 Uses ping.exe to check the status of other devices and networks 12->62 15 OfficeClickToRun.exe 14 501 12->15         started        20 conhost.exe 12->20         started        22 PING.EXE 1 12->22         started        24 chcp.com 1 12->24         started        process9 dnsIp10 44 139207cm.nyashmyash.top 104.21.81.246, 49738, 49739, 49742 CLOUDFLARENETUS United States 15->44 46 172.67.166.50, 49906, 50012, 80 CLOUDFLARENETUS United States 15->46 26 C:\Users\user\Desktop\wpUQPydN.log, PE32 15->26 dropped 28 C:\Users\user\Desktop\qXWJkalX.log, PE32 15->28 dropped 30 C:\Users\user\Desktop\pJnjAEda.log, PE32 15->30 dropped 32 17 other malicious files 15->32 dropped 48 Tries to harvest and steal browser information (history, passwords, etc) 15->48 file11 signatures12
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/19aceb2fba23c1cdd7451020026c37be2790f50c7ebd7d6ac8a1c536c0866683
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/19aceb2fba23c1cdd7451020026c37be2790f50c7ebd7d6ac8a1c536c0866683/
Threat name:
Win32.Trojan.Smokeloader
Create hunting rule
Status:
Malicious
First seen:
2024-01-29 16:28:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dgwowl52epa43v2fcaqae3bxxytzb5imp26x22wiuhctnqegm2bq._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/240129-tym1tseac4/
Behaviour
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Enumerates physical storage devices
Drops file in Windows directory
Checks computer location settings
Executes dropped EXE
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
683610df29e047f070c879641b702708595e93cfea8a56f2d78c29ddc340f283
MD5 hash:
eea93903bbab73ca628943eb56c09c86
SHA1 hash:
4d345dda51e9e88d2fcf49b946bfb75c135b635b
Detections:
INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
Create hunting rule
cn_utf8_windows_terminal
Create hunting rule
Link:
https://www.unpac.me/results/7e81a71e-5839-4e27-8011-2648c3565c21/
SH256 hash:
19aceb2fba23c1cdd7451020026c37be2790f50c7ebd7d6ac8a1c536c0866683
MD5 hash:
7d401cf63d2d3b7faf241597aa304da6
SHA1 hash:
59796bff9a3d4840260d2c1c8db20ec95d35d840
Detections:
INDICATOR_EXE_Packed_DotNetReactor
Create hunting rule
Link:
https://www.unpac.me/results/7e81a71e-5839-4e27-8011-2648c3565c21/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Dot Ransomware
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/19aceb2fba23c1cdd7451020026c37be2790f50c7ebd7d6ac8a1c536c0866683

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_DotNetReactor
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with unregistered version of .NET Reactor
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DCRat

Executable exe 19aceb2fba23c1cdd7451020026c37be2790f50c7ebd7d6ac8a1c536c0866683

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2753114/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/473475/

Comments