MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 25bc30afa69d34b938949f1f75a41a142636603a71607e2313e0ce467af93152. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 14


Intelligence 14 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 25bc30afa69d34b938949f1f75a41a142636603a71607e2313e0ce467af93152
SHA3-384 hash: 02e97de20cc57ab29cf23af86dc6955533c44fac33b145398300595d4b228107d62cd5bd6de63e1eef9a8b84f0c98982
SHA1 hash: 22a13d9bacb8dcf04eb0260999f75fed68d21d0a
MD5 hash: 7fbdb2f5c7830894d0436a8291e1231f
humanhash: pizza-whiskey-apart-nine
File name:25BC30AFA69D34B938949F1F75A41A142636603A71607.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:545'280 bytes
First seen:2023-01-27 17:15:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'753 x AgentTesla, 19'658 x Formbook, 12'249 x SnakeKeylogger)
ssdeep 12288:KqnOG4bunLVYAN2ehGtdd3vzQ2JzgW8Lntk:K+OG4bcYAnhGl3U2Jz
Threatray 4'661 similar samples on MalwareBazaar
TLSH T1F8C47C1527E8AA25F1BF5B78D4F069AEC775B56273A3EF4F058112C90923740DD80B2B
TrID 60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.8% (.SCR) Windows screen saver (13097/50/3)
8.7% (.EXE) Win64 Executable (generic) (10523/12/4)
5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter abuse_ch
Tags:DCRat exe


Avatar
abuse_ch
DCRat C2:
http://178.250.156.87/Develop/Jabber/MsTeams/userbd/production/_RequestprocessbaseUniversal.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
192
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
dcrat
Create hunting rule
ID:
1
File name:
Install.exe
Verdict:
Malicious activity
Analysis date:
2021-06-24 05:18:05 UTC
Tags:
evasion trojan rat backdoor dcrat
Link:
https://app.any.run/tasks/a96bf4fa-c04e-4468-bc7d-e02af63f80e4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DCRat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/357572/
Detection(s):
Win.Packed.Uztuby-9853721-0
Create hunting rule

Win.Packed.Uztuby-9864800-0
Create hunting rule

Win.Packed.Uztuby-9869253-0
Create hunting rule

Win.Packed.Uztuby-9873584-0
Create hunting rule

Win.Packed.Basic-9876200-0
Create hunting rule

Win.Packed.Uztuby-9901274-0
Create hunting rule

ditekSHen.MALWARE.Win.Trojan.AsyncRAT.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
Creating a file
Launching a process
Creating a file in the system32 subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Sending an HTTP GET request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Enabling autorun
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug anti-vm cmd.exe dcrat evasive explorer.exe fingerprint hacktool packed quasarrat rat stealer
Link:
https://www.filescan.io/uploads/63d406d2447edb203a017ae6/reports/2853b461-462d-45e2-8818-23f245da117b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a96e80d6-634d-4e9c-aed2-05f8a80b18f1
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1160452
Signature
.NET source code contains very large strings
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Drops executables to the windows directory (C:\Windows) and starts them
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sigma detected: Schedule system process
System process connects to network (likely due to code injection or exploit)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected DCRat
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 793188 Sample: 25BC30AFA69D34B938949F1F75A... Startdate: 27/01/2023 Architecture: WINDOWS Score: 100 47 Malicious sample detected (through community Yara rule) 2->47 49 Antivirus detection for dropped file 2->49 51 Antivirus / Scanner detection for submitted sample 2->51 53 12 other signatures 2->53 7 25BC30AFA69D34B938949F1F75A41A142636603A71607.exe 9 22 2->7         started        11 ShellExperienceHost.exe 14 3 2->11         started        14 WmiPrvSE.exe 2 2->14         started        16 13 other processes 2->16 process3 dnsIp4 37 C:\Windows\...\ShellExperienceHost.exe, PE32 7->37 dropped 39 C:\Windows\System32\fontdrvhost\dllhost.exe, PE32 7->39 dropped 41 C:\Windows\SysWOW64\wbem\dot3\WmiPrvSE.exe, PE32 7->41 dropped 43 8 other malicious files 7->43 dropped 63 Creates an undocumented autostart registry key 7->63 65 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->65 67 Creates multiple autostart registry keys 7->67 77 4 other signatures 7->77 18 dllhost.exe 7 3 7->18         started        21 schtasks.exe 1 7->21         started        23 schtasks.exe 1 7->23         started        25 4 other processes 7->25 45 178.250.156.87, 49699, 49700, 49701 THEFIRST-ASRU Russian Federation 11->45 69 Antivirus detection for dropped file 11->69 71 Multi AV Scanner detection for dropped file 11->71 73 Machine Learning detection for dropped file 11->73 75 System process connects to network (likely due to code injection or exploit) 16->75 file5 signatures6 process7 signatures8 55 Antivirus detection for dropped file 18->55 57 Multi AV Scanner detection for dropped file 18->57 59 Machine Learning detection for dropped file 18->59 61 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 21->61 27 conhost.exe 21->27         started        29 conhost.exe 23->29         started        31 conhost.exe 25->31         started        33 conhost.exe 25->33         started        35 conhost.exe 25->35         started        process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/25bc30afa69d34b938949f1f75a41a142636603a71607e2313e0ce467af93152/
Threat name:
ByteCode-MSIL.Trojan.Stelega
Create hunting rule
Status:
Malicious
First seen:
2021-06-24 09:37:46 UTC
File Type:
PE (.Net Exe)
AV detection:
34 of 39 (87.18%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ew6dbl5gtu2lsoeut4pxlja2cqtdmyb2ofqh4iyt4dhem6xzgfja._file
Verdict:
malicious
Similar samples:
106c12a3e09c4585808382c93be13f5b60f7cd86e5a28d638d9de5f6662f3609
DCRat
1294a91cd45ed0dc87531245654e961b6aa1b399ca32a33048a04ab7993b16b7
DCRat
1726274f8d2f62b49dabdd53a55efc99c80e88dcffd820aacf73e85c0138f84f
DCRat
7bec76e40704860d38c7b2996b7549ce8d49ea14441ad5d386c07d8859bca63e
DCRat
aca79bb201dac22b64bdae888935645cf27fcbc49411c8972761ef6ed2e3cfd2
DCRat
b21581bd737ea44bd393d6ca73eca7850097a8785041f1bffb01b2c94ae55f81
DCRat
b5b2d5cea424511ac2b41cf9e9a4e47d1b26df12b3edeed7f9f0fe7bf39b085e
DCRat
e1168abd0c24c43423463607b92547d5a2365d7fcbd8e6264f7a1b2f91328d6c
DCRat
+ 4'651 additional samples on MalwareBazaar
Result
Malware family:
dcrat
Create hunting rule
Score:
  10/10
Tags:
family:dcrat infostealer persistence rat
Link:
https://tria.ge/reports/230127-vs48ladf9x/
Behaviour
Creates scheduled task(s)
Modifies registry class
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
DCRat payload
DcRat
Modifies WinLogon for persistence
Unpacked files
SH256 hash:
8e1ea5132e2f093ca9d2c2999c5a14f74fab6fc59e043b888d89b02c14519642
MD5 hash:
4eb0939477ecdbc7101b9c6bd269320d
SHA1 hash:
3e8f23c7e524ff13b9565f065af1db1bc2eb0445
Link:
https://www.unpac.me/results/a7ccf7b8-c4cc-4c90-9da8-2acb02911753/
SH256 hash:
25bc30afa69d34b938949f1f75a41a142636603a71607e2313e0ce467af93152
MD5 hash:
7fbdb2f5c7830894d0436a8291e1231f
SHA1 hash:
22a13d9bacb8dcf04eb0260999f75fed68d21d0a
Link:
https://www.unpac.me/results/a7ccf7b8-c4cc-4c90-9da8-2acb02911753/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/25bc30afa69d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.50
Link:
https://yomi.yoroi.company/submissions/25bc30afa69d34b938949f1f75a41a142636603a71607e2313e0ce467af93152

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
Create hunting rule
Author:ditekSHen
Description:Detects executables containing bas64 encoded gzip files
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:MALWARE_Win_AsyncRAT
Create hunting rule
Author:ditekSHen
Description:Detects AsyncRAT
Rule name:MALWARE_Win_DCRat
Create hunting rule
Author:ditekSHen
Description:DCRat payload
Rule name:MAL_QuasarRAT_May19_1
Create hunting rule
Author:Florian Roth
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:MAL_QuasarRAT_May19_1_RID2E1E
Create hunting rule
Author:Florian Roth
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/357572/

Comments