MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 23ee526e580c811c5c75fbec313bc74b601952acaa0bd80b3771021b44545205. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 23ee526e580c811c5c75fbec313bc74b601952acaa0bd80b3771021b44545205
SHA3-384 hash: 390acb6de19e0aed20bb5089d0701ef25f6d7917578f8e44641a5f3de60e88c5a6b05939ed552e3afee1b8029b915a83
SHA1 hash: d0e53fd29dd31e69b1771fab78ca1673287f34fe
MD5 hash: 0193a19db1d3e5c28f0ab50788fbce68
humanhash: east-red-william-blue
File name:0193a19db1d3e5c28f0ab50788fbce68.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:1'114'112 bytes
First seen:2023-03-02 12:31:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 24576:u2G/nvxW3WieCiQhFUmWdec6oQIy6bWUPXoFx:ubA3jVKbYcU6bWUK
Threatray 1'734 similar samples on MalwareBazaar
TLSH T1883539017E44CA11F0191673C2EF464847B4ED102BA6E36B7EB9776E55223A3BC1DACB
TrID 91.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.6% (.EXE) Win64 Executable (generic) (10523/12/4)
1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
0.6% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter abuse_ch
Tags:DCRat exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
204
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0193a19db1d3e5c28f0ab50788fbce68.exe
Verdict:
Suspicious activity
Analysis date:
2023-03-02 12:46:58 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8bf96c91-e4f9-4913-be72-45b12c39fd7f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/371191/
Detection(s):
Win.Packed.Basic-9952747-0
Create hunting rule

Win.Malware.Uztuby-9957322-0
Create hunting rule

Win.Packed.Uztuby-9963900-0
Create hunting rule

Win.Packed.Uztuby-9969968-0
Create hunting rule

Win.Malware.Uztuby-9972880-0
Create hunting rule

Win.Trojan.DarkKomet-9976180-0
Create hunting rule

SecuriteInfo.com.Trojan.Rasftuby.Gen.14.10239.27368.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm greyware overlay packed setupapi.dll shdocvw.dll shell32.dll
Link:
https://www.filescan.io/uploads/640097462ea6b36966305ef1/reports/8ee6b713-b6f8-45ff-8f8e-42a6c075d991/overview
Verdict:
Malicious
Labled as:
EyePyramid.15;Trojan.Uztuby.Generic
Link:
https://www.hybrid-analysis.com/sample/23ee526e580c811c5c75fbec313bc74b601952acaa0bd80b3771021b44545205
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a1569b8e-e02c-4d35-a6a0-29a0fcf06cc4
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
45 / 100
Link:
https://www.joesandbox.com/analysis/1185736
Signature
Antivirus detection for dropped file
Machine Learning detection for dropped file
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/23ee526e580c811c5c75fbec313bc74b601952acaa0bd80b3771021b44545205/
Threat name:
ByteCode-MSIL.Backdoor.DCRat
Create hunting rule
Status:
Malicious
First seen:
2023-03-02 12:35:38 UTC
File Type:
PE (Exe)
Extracted files:
19
AV detection:
20 of 25 (80.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=epxfe3sybsaryxdv7pwdco6hjnqbsuvmvif5qczxoebbwrcukicq._file
Verdict:
malicious
Similar samples:
0e1d2795ac86e08da62a7d43e2ae5addcd402d3a368d61bdbfdca7db3ff95f0c
DCRat
69fe48085adbdddad61cc902d20304d27c783e77362d17874b5f90d9bad7586c
DCRat
714c5eb4cd05c58cc1f3f3e542a74e5f34c6e563973ca88b849ff068a6fbd5c4
DCRat
7d189b2a56282e1e2d02e850477ce9634e2340e3506875d2dfe759db232f4cf7
DCRat
a1a3d07b7d2a764011affbede324e5f01590697e110a1c934d21c3627d3d1484
DCRat
ba532af8694c6cb7ed64a3967366e9356082f1038e7983f7829ad94f55bb0cf6
DCRat
dafbbe6e52942066d89d35dfb6c20b8247d51e38d56cc4425dfd2c0d51f3360f
DCRat
df746a212d5795845b348cb0b001c1e94c77a9e1462bc088d1e91997cb4ef078
DCRat
+ 1'724 additional samples on MalwareBazaar
Result
Malware family:
dcrat
Create hunting rule
Score:
  10/10
Tags:
family:dcrat rat
Link:
https://tria.ge/reports/230302-pqnj6sch63/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Unpacked files
SH256 hash:
23ee526e580c811c5c75fbec313bc74b601952acaa0bd80b3771021b44545205
MD5 hash:
0193a19db1d3e5c28f0ab50788fbce68
SHA1 hash:
d0e53fd29dd31e69b1771fab78ca1673287f34fe
Detections:
win_xorist_auto
Create hunting rule
Link:
https://www.unpac.me/results/91b43998-76b2-4995-b512-1cdcfae3c3af/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/23ee526e580c811c5c75fbec313bc74b601952acaa0bd80b3771021b44545205

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:sfx_pdb
Create hunting rule
Author:@razvialex
Description:Detect interesting files containing sfx with pdb paths.
Rule name:sfx_pdb_winrar_restrict
Create hunting rule
Author:@razvialex
Description:Detect interesting files containing sfx with pdb paths.
Rule name:win_xorist_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.xorist.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DCRat

Executable exe 23ee526e580c811c5c75fbec313bc74b601952acaa0bd80b3771021b44545205

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2454760/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/371191/

Comments