MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2e1c65ba7dcbd574aa70123733a3a6239560de434d0602b693733482555c0b14. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2e1c65ba7dcbd574aa70123733a3a6239560de434d0602b693733482555c0b14
SHA3-384 hash: 52cded48a76144677a5c3d1225eed8e8a6c136f25e4c3eadf632bbc6585c0e535a4c0fb0a3557da33175e6f1327b0585
SHA1 hash: a2ab39660b2a578a0b5b3b2a6347d8f64025cf77
MD5 hash: 18f57f8f4cebe2fbcf178c66dcdcf108
humanhash: wyoming-vegan-nebraska-equal
File name:18f57f8f4cebe2fbcf178c66dcdcf108
Download: download sample
Signature DCRat
Create hunting rule
File size:1'366'528 bytes
First seen:2022-01-08 07:24:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d7dd6fa75115d9909f747434e40fff68 (173 x RedLineStealer, 10 x DCRat, 1 x CoinMiner.XMRig)
ssdeep 24576:qkGQBGpU1PPHu3sNcGZvmk3SLZgsY6fkidY7UrQ2OYUOkEaHNYK3D8xG4gk8nY:XFVPPHZvlnF3MkidqoDdNay4TY
Threatray 9'654 similar samples on MalwareBazaar
TLSH T15E5533EAE523A76BD41AD7F4A077931FFBC738211C9D92C5FECA17445449A88C18C28D
Reporter zbetcheckin
Tags:32 DCRat exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
248
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
18f57f8f4cebe2fbcf178c66dcdcf108
Verdict:
Malicious activity
Analysis date:
2022-01-08 07:29:49 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/45af3fd8-8db2-46ec-bbf6-836cd00ace9b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/217789/
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Win.Malware.Enigmaprotector-9874743-0
Create hunting rule

Win.Malware.Enigmaprotector-9881027-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
DNS request
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/61d93c5702e388f9fdb5a075/reports/a3bd73b6-f69e-4e82-b641-8a9ed97b511d/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6fa1a3e9-cc0b-4a9a-99a8-3019a8f7b560
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/917095
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file has nameless sections
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AsyncRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2e1c65ba7dcbd574aa70123733a3a6239560de434d0602b693733482555c0b14/
Threat name:
Win32.Backdoor.Crysan
Create hunting rule
Status:
Malicious
First seen:
2022-01-06 05:40:23 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fyoglot5zpkxjktqci3thi5geokwbxsdjudafnutom2ievk4bmka._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
10ebaf2bf7ab361a6830a43e0c5f292c08c29d76866d499b3a91a547e8af5683
DCRat
25cd127b9d559d6754269ecc116d35be66aca027640bcd71a836567c32b946c5
DCRat
29a5461cca77683d6a47c83eb774235bd0ae092adc58c987e571eeecb3e1cd03
DCRat
38cfb802b835e2f9129680bbcbe93248ad21659931b8230e9c2109b3b496a873
DCRat
721d393191597d49d856baef2fbde75e48f52d0465e2cfabf1a41848b0e05589
DCRat
c089f4a7b15f47edfe5c4748b2f34e8962bf115e6980355d67036be35c982eb1
DCRat
ca5bd676278cfa46a1630e6d98cf4651a3a3b0a7a11fe0e0ca727be261e04e94
DCRat
d432be6fd56140d4e9d3d207020c464277e729fea06bd1c3ef6adb491a772957
DCRat
+ 9'644 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat botnet:default evasion rat trojan
Link:
https://tria.ge/reports/220108-h8y1asdccj/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks whether UAC is enabled
Checks BIOS information in registry
Async RAT payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
AsyncRat
Malware Config
C2 Extraction:
178.20.44.131:6666
wai.dogetaxi.io:6666
wai.squidgame.to:6666
wai.dogelab.net:6666
Unpacked files
SH256 hash:
6851e02d3f4b8179b975f00bbc86602a2f2f84524f548876eb656db7ea5eaa9c
MD5 hash:
c5124caf4aea3a83b63a9108fe0dcef8
SHA1 hash:
a43a5a59038fca5a63fa526277f241f855177ce6
Link:
https://www.unpac.me/results/94ec8605-e1cf-44e6-b3c5-ee549af05d9a/
SH256 hash:
c7a3175a1dc3902fd9b658307ac5882b1574cc6fd57845c5868265630d7c1fc3
MD5 hash:
6b525184bfa70dd2ab366ff2ec58ef53
SHA1 hash:
68d7a70790b848c0bec25b686bade99daf31f1d1
Link:
https://www.unpac.me/results/94ec8605-e1cf-44e6-b3c5-ee549af05d9a/
SH256 hash:
2e1c65ba7dcbd574aa70123733a3a6239560de434d0602b693733482555c0b14
MD5 hash:
18f57f8f4cebe2fbcf178c66dcdcf108
SHA1 hash:
a2ab39660b2a578a0b5b3b2a6347d8f64025cf77
Link:
https://www.unpac.me/results/94ec8605-e1cf-44e6-b3c5-ee549af05d9a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2e1c65ba7dcbd574aa70123733a3a6239560de434d0602b693733482555c0b14

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:asyncrat
Create hunting rule
Author:jeFF0Falltrades
Rule name:INDICATOR_SUSPICIOUS_EXE_DcRatBy
Create hunting rule
Author:ditekSHen
Description:Detects executables containing the string DcRatBy
Rule name:INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
Create hunting rule
Author:ditekSHen
Description:Detects executables attemping to enumerate video devices using WMI
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DCRat

Executable exe 2e1c65ba7dcbd574aa70123733a3a6239560de434d0602b693733482555c0b14

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/217789/
  
URLhaus
https://urlhaus.abuse.ch/url/1957139/

Comments


Avatar
zbet commented on 2022-01-08 07:24:38 UTC

url : hxxp://dogelab.net/vai.exe