MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 36f5fe7322cd2a4abe000cea9be1b4e440e348f13b0dbc61c474ad19622dc727. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 16


Intelligence 16 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 36f5fe7322cd2a4abe000cea9be1b4e440e348f13b0dbc61c474ad19622dc727
SHA3-384 hash: a6c1eaac87448e7d5c31c5a8171828ed4a1623711ceedcf5e293e9e5e47a066051ac4c0e8099ba635e68b59703d18f98
SHA1 hash: 6d982f680fbbefba6e33ffec404bec1f4bf6b4f3
MD5 hash: 32a4dbb4eed550eb3861bb36be68e81b
humanhash: september-king-washington-papa
File name:32a4dbb4eed550eb3861bb36be68e81b.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:3'482'212 bytes
First seen:2024-05-20 10:45:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 49152:SyYpOqxkRcdCznR7HjKshyGp2NIsN4SrkxMOoGnlmVskzRxuaAKzbEDu1Q1qiqiR:IzID5yFdS4GQRkaZ0v1qLiraiOG
Threatray 248 similar samples on MalwareBazaar
TLSH T114F533C0C1E4146AEDB8DE746B05D759333B6F4B4E838D681E410D0DECB96C7EE58AA8
TrID 52.9% (.EXE) Win32 Executable (generic) (4504/4/1)
23.5% (.EXE) Generic Win/DOS Executable (2002/3)
23.5% (.EXE) DOS Executable Generic (2000/1)
Reporter abuse_ch
Tags:DCRat exe


Avatar
abuse_ch
DCRat C2:
http://759931cm.n9shteam1.top/ToLinuxflower.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
381
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
dcrat
Create hunting rule
ID:
1
File name:
36f5fe7322cd2a4abe000cea9be1b4e440e348f13b0dbc61c474ad19622dc727.exe
Verdict:
Malicious activity
Analysis date:
2024-05-20 10:46:28 UTC
Tags:
evasion telegram dcrat rat remote darkcrystal
Link:
https://app.any.run/tasks/8da8923a-9eb5-4166-a076-d06892907e6d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Dropper.HawkEye-10027238-0
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Tags:
Encryption Execution Network Msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a file
Creating a file in the Program Files subdirectories
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Creating a window
Creating a file in the %temp% directory
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a process from a recently created file
Loading a suspicious library
Unauthorized injection to a recently created process
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
dcrat hawkeye mpress obfuscated overlay packed packed
Link:
https://www.filescan.io/uploads/664b29f1d7fb0506c93e6c22/reports/a0c76378-6037-4c1b-9bfd-017b73249d49/overview
Verdict:
Malicious
Labled as:
Trojan.MSIL.Basic.8
Link:
https://www.hybrid-analysis.com/sample/36f5fe7322cd2a4abe000cea9be1b4e440e348f13b0dbc61c474ad19622dc727
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/6568bfef-3a9d-4e76-aa7e-a171e60b6a50
Result
Threat name:
DCRat, PureLog Stealer, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1444233
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses the Telegram API (likely for C&C communication)
Yara detected DCRat
Yara detected PureLog Stealer
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1444233 Sample: ERsg2wzaD4.exe Startdate: 20/05/2024 Architecture: WINDOWS Score: 100 61 api.telegram.org 2->61 63 759931cm.n9shteam1.top 2->63 65 ipinfo.io 2->65 75 Snort IDS alert for network traffic 2->75 77 Multi AV Scanner detection for domain / URL 2->77 79 Antivirus detection for URL or domain 2->79 83 13 other signatures 2->83 8 ERsg2wzaD4.exe 18 48 2->8         started        13 svchost.exe 2->13         started        signatures3 81 Uses the Telegram API (likely for C&C communication) 61->81 process4 dnsIp5 67 api.telegram.org 149.154.167.220, 443, 49732, 49774 TELEGRAMRU United Kingdom 8->67 69 ipinfo.io 34.117.186.192, 443, 49730, 49731 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 8->69 45 C:\Users\user\Desktop\zEWBdKpA.log, PE32 8->45 dropped 47 C:\Users\user\Desktop\vAxkmrgJ.log, PE32 8->47 dropped 49 C:\Users\user\Desktop\rJGtevgQ.log, PE32 8->49 dropped 51 29 other malicious files 8->51 dropped 85 Adds a directory exclusion to Windows Defender 8->85 15 cmd.exe 8->15         started        18 powershell.exe 8->18         started        20 powershell.exe 23 8->20         started        22 4 other processes 8->22 71 127.0.0.1 unknown unknown 13->71 file6 signatures7 process8 signatures9 89 Uses ping.exe to sleep 15->89 91 Uses ping.exe to check the status of other devices and networks 15->91 24 oKLpEPMtTcxWqry.exe 15->24         started        43 3 other processes 15->43 93 Loading BitLocker PowerShell Module 18->93 29 conhost.exe 18->29         started        31 WmiPrvSE.exe 18->31         started        33 conhost.exe 20->33         started        35 conhost.exe 22->35         started        37 conhost.exe 22->37         started        39 conhost.exe 22->39         started        41 conhost.exe 22->41         started        process10 dnsIp11 73 759931cm.n9shteam1.top 104.21.22.205, 49739, 49740, 49741 CLOUDFLARENETUS United States 24->73 53 C:\Users\user\Desktop\zTvsMleH.log, PE32 24->53 dropped 55 C:\Users\user\Desktop\yfrkaYiJ.log, PE32 24->55 dropped 57 C:\Users\user\Desktop\vcFBFpeO.log, PE32 24->57 dropped 59 23 other malicious files 24->59 dropped 87 Tries to harvest and steal browser information (history, passwords, etc) 24->87 file12 signatures13
Score:
95%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/36f5fe7322cd2a4abe000cea9be1b4e440e348f13b0dbc61c474ad19622dc727
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/36f5fe7322cd2a4abe000cea9be1b4e440e348f13b0dbc61c474ad19622dc727/
Threat name:
ByteCode-MSIL.Backdoor.DCRat
Create hunting rule
Status:
Malicious
First seen:
2024-05-13 18:56:35 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
23 of 24 (95.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=g32744zczuvevpqabtvjxynu4raogshrhmg3yyoeoswrsyrny4tq._file
Verdict:
malicious
Similar samples:
0266dc2bf6eb73b5ef4770bedecadbffb0c35cd3b17c9a97e39712d92f17d199
DCRat
182a6cf870ad9d09e72bc36669dbd55306e964c11b7c63ebccd5406ae8e8556d
DCRat
4eb2e889aafdbad87d66fad00dabe1fba5c935b9743a7dea3ec5c2def6a0b55c
DCRat
71ecbec4b15ec9793f8eacc1ca8b9dbd773ba8adf7ddfb4cb24e19b794f9455a
DCRat
b1637a25a2959c9a6da241d94d8ddac92f3e542d86dbebdc47c1a06a4f6190a0
DCRat
e065974b0db0079fcc57cf5d209fa267c852772a58a68cee307a72c91d382a8e
DCRat
f449e6978314a4591c2812f0db65927a5664ab82c8af4ed92164665d61e32143
DCRat
+ 238 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
execution spyware stealer
Link:
https://tria.ge/reports/240520-mtys7sga39/
Behaviour
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/80218aa3-cba1-4920-a9cf-210e5efba556
Unpacked files
SH256 hash:
2cb482991dd1e05319442b8e6c4ed958008b7f20a3b5af605d48918e0056464e
MD5 hash:
6f1359b4ca5ce41bf56fe94c205672a3
SHA1 hash:
705ef238f4c89244777b353b2691a5b1e432e809
Detections:
INDICATOR_EXE_Packed_DotNetReactor
Create hunting rule
Link:
https://www.unpac.me/results/551eae27-52a8-45d1-b87a-d6db0b0c2c4a/
SH256 hash:
f9ea4d30d903318e9ce5e1934886459744a9905a14e9a80df821447fdecbaac3
MD5 hash:
09d3a16a511c33eb9e181c7c64bf3e85
SHA1 hash:
d77f90c8c7faac173994047aa8d0bc3fc7229978
Link:
https://www.unpac.me/results/551eae27-52a8-45d1-b87a-d6db0b0c2c4a/
SH256 hash:
2b93377ea087225820a9f8e4f331005a0c600d557242366f06e0c1eae003d669
MD5 hash:
d8bf2a0481c0a17a634d066a711c12e9
SHA1 hash:
7cc01a58831ed109f85b64fe4920278cedf3e38d
Link:
https://www.unpac.me/results/551eae27-52a8-45d1-b87a-d6db0b0c2c4a/
SH256 hash:
36f5fe7322cd2a4abe000cea9be1b4e440e348f13b0dbc61c474ad19622dc727
MD5 hash:
32a4dbb4eed550eb3861bb36be68e81b
SHA1 hash:
6d982f680fbbefba6e33ffec404bec1f4bf6b4f3
Link:
https://www.unpac.me/results/551eae27-52a8-45d1-b87a-d6db0b0c2c4a/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/36f5fe7322cd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/36f5fe7322cd2a4abe000cea9be1b4e440e348f13b0dbc61c474ad19622dc727

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:mpress_2_xx_net
Create hunting rule
Author:Kevin Falcoz
Description:MPRESS v2.XX .NET
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:TeslaCryptPackedMalware
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments