MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 36d1497c536921f332a26558c9eff42f6502bf5ffec6710f4b50e35f98e627aa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DCRat

Vendor detections: 9

Intelligence 9 IOCs YARA 5 File information Comments 1

SHA256 hash:	36d1497c536921f332a26558c9eff42f6502bf5ffec6710f4b50e35f98e627aa
SHA3-384 hash:	5d54ee63a561c6e11519a47c50fe2a2c5d550a1ce1cf5370705e2c4759be58723cbaf84423f2190d4df1c62c29c9d3bf
SHA1 hash:	09efed111ac8119e2360f19aef0a14a2952fe001
MD5 hash:	355f3e43422d9df559f51c8b836a2238
humanhash:	edward-friend-september-glucose
File name:	355f3e43422d9df559f51c8b836a2238
Download:	download sample
Signature	DCRat Create hunting rule
File size:	695'296 bytes
First seen:	2021-08-04 10:10:54 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'604 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:PqnOffPyvfUvAHHXHxWIHRf9QscO86I5pU90AVO2bu:P+OfUnXRWsZ89yOr
Threatray	40 similar samples on MalwareBazaar
TLSH	T1C3E42A242AF96525F17FAF79D5F0689A8B7EB6633753DA4E009103860A23B41DDC073B
Reporter	zbetcheckin
Tags:	32 DCRat exe

Intelligence

File Origin

# of uploads :

# of downloads :

118

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

355f3e43422d9df559f51c8b836a2238

Verdict:

Malicious activity

Analysis date:

2021-08-04 10:11:52 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/acd33247-f7a3-4632-976a-f2bfd7c7e10a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/176281/

Detection(s):

Win.Packed.Uztuby-9853721-0

Win.Packed.Uztuby-9864800-0

Win.Packed.Uztuby-9869253-0

Win.Packed.Uztuby-9873584-0

Win.Packed.Basic-9876200-0

ditekSHen.MALWARE.Win.Trojan.AsyncRAT.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file

Using the Windows Management Instrumentation requests

Launching a process

Sending a UDP request

Creating a file in the system32 subdirectories

Creating a file in the Windows subdirectories

Creating a file in the %temp% directory

Deleting a recently created file

Running batch commands

Creating a process with a hidden window

Creating a process from a recently created file

Sending a custom TCP request

Connection attempt

Sending an HTTP GET request

Reading critical registry keys

Creating a window

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a recently created process

Enabling autorun by creating a file

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/87472aef-d0c5-464a-b7a0-ac0f404f3406

Result

Threat name:

DCRat

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/826761

Signature

.NET source code contains very large array initializations

.NET source code contains very large strings

.NET source code references suspicious native API functions

Creates an autostart registry key pointing to binary in C:\Windows

Creates multiple autostart registry keys

Creates processes via WMI

Detected unpacking (overwrites its own PE header)

Drops executable to a common third party application directory

Drops executables to the windows directory (C:\Windows) and starts them

Machine Learning detection for dropped file

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Suspicious MsiExec Directory

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected DCRat

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/36d1497c536921f332a26558c9eff42f6502bf5ffec6710f4b50e35f98e627aa/

Threat name:

ByteCode-MSIL.Backdoor.LightStone

Status:

Malicious

First seen:

2021-08-04 02:06:57 UTC

File Type:

PE (.Net Exe)

AV detection:

23 of 28 (82.14%)

Threat level:

5/5

Verdict:

unknown

DCRat

23b110e0a381abb4d44bd7e2906548429ee426d9463a02af31dc3dd98c044341

DCRat

2f1ba0d2a1aaa17d2a8f8f9f97b9f553b1dc9e7d32039cf36382bddcebbfdaef

DCRat

5c08819a0402013e935fb78e6349ea1a798c53db14e482267deaf183b06dc436

DCRat

bdeb14ad6ce1ac8539d4b937c593ae706826fd3732ad506de5189521eea43643

DCRat

dd9d370fbb04aeef33b7a4e0e633b0613f54e8a971bf506e0efc2ac5de107c20

DCRat

e3df75eda0f3fff88f4ab98a687f7ec50b1adde27dbb1bb0947f96892eebf493

DCRat

+ 30 additional samples on MalwareBazaar

Result

Malware family:

dcrat

Score:

10/10

Tags:

family:dcrat infostealer persistence rat spyware stealer

Link:

https://tria.ge/reports/210804-sa2a5sf1re/

Behaviour

Creates scheduled task(s)

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in Program Files directory

Drops file in Windows directory

Drops file in System32 directory

Adds Run key to start application

Reads user/profile data of web browsers

Executes dropped EXE

DCRat Payload

DcRat

Process spawned unexpected child process

Unpacked files

SH256 hash:

e51b088e5b7a726b9541662a2fa65ede5f375326d25d9021f91bbd4f29a46223

MD5 hash:

21111949f5835394aae7b4cb30c505b7

SHA1 hash:

dcd27a61fb05ba94a7edc3a948b56a0bf1e654ff

Link:

https://www.unpac.me/results/78766b11-ea44-40a7-9c57-c100d0d2382f/

SH256 hash:

36d1497c536921f332a26558c9eff42f6502bf5ffec6710f4b50e35f98e627aa

MD5 hash:

355f3e43422d9df559f51c8b836a2238

SHA1 hash:

09efed111ac8119e2360f19aef0a14a2952fe001

Link:

https://www.unpac.me/results/78766b11-ea44-40a7-9c57-c100d0d2382f/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/36d1497c536921f332a26558c9eff42f6502bf5ffec6710f4b50e35f98e627aa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Rule name:	MALWARE_Win_AsyncRAT Create hunting rule
Author:	ditekSHen
Description:	Detects AsyncRAT

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DCRat

exe 36d1497c536921f332a26558c9eff42f6502bf5ffec6710f4b50e35f98e627aa

(this sample)

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/1504916/

Cape

https://www.capesandbox.com/analysis/176281/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2021-08-04 10:10:55 UTC

url : hxxp://194.226.139.141/SessionCrtSvcWinrefCrt.exe