MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 44b1eed72ab863bdd9ba6f995cd5673fb875055abf4150baee7802c13bfc7057. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 18


Intelligence 18 IOCs 1 YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 44b1eed72ab863bdd9ba6f995cd5673fb875055abf4150baee7802c13bfc7057
SHA3-384 hash: 9eaf06e9fb30b0fa5a8a94b6b9e37d630f7d80dd5178c16de8c7b422edd2651e6ef9a219f427b0e9469088884fbf7723
SHA1 hash: 084fffa0ae1ea9c5d3dc0729cc9e97ed4de1dc6f
MD5 hash: 827402e477f94227d4e3bbb4e6285397
humanhash: magnesium-fillet-massachusetts-quebec
File name:827402e477f94227d4e3bbb4e6285397.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:1'032'704 bytes
First seen:2025-02-12 22:25:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:n+zhJHnxzblBGQU5/T4NAKRLmR7HOOBRWC7fYfIMgL4zozSbCWZe:nKJHnxzFU5r4Y7ueL7foIMp0CCse
Threatray 124 similar samples on MalwareBazaar
TLSH T1E42529027E44CE21F00D1633C2EF454C8BB0A9516AA6E72B7DBA376E55163973C0D9EB
TrID 51.8% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
22.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
7.4% (.EXE) Win64 Executable (generic) (10522/11/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika pebin
Reporter abuse_ch
Tags:DCRat exe


Avatar
abuse_ch
DCRat C2:
http://ct20978.tw1.ru/639249a9.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://ct20978.tw1.ru/639249a9.php https://threatfox.abuse.ch/ioc/1410917/

Intelligence

File Origin
# of uploads :
1
# of downloads :
549
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
dcrat
Create hunting rule
ID:
1
File name:
827402e477f94227d4e3bbb4e6285397.exe
Verdict:
Malicious activity
Analysis date:
2025-02-12 22:29:50 UTC
Tags:
dcrat rat remote darkcrystal stealer netreactor susp-powershell
Link:
https://app.any.run/tasks/a6d14bcb-9f05-4dd0-ae81-869b0b19e39c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Packed.Msilmamut-9950860-0
Create hunting rule

Win.Packed.Uztuby-9963900-0
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67ad1fe04f5583c4c4d88d70
Tags:
phishing autorun
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file
Using the Windows Management Instrumentation requests
Launching a process
Creating a file in the Program Files subdirectories
Launching many processes
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm cmd cscript dcrat explorer lolbin net_reactor obfuscated obfuscated obfuscated packed prometheus schtasks vbnet
Link:
https://www.filescan.io/uploads/67ad2014991985e0a957c248/reports/39b10da2-1791-45d1-99eb-b124c3835939/overview
Verdict:
Malicious
Labled as:
Ransom.Prometheus.Generic
Link:
https://www.hybrid-analysis.com/sample/44b1eed72ab863bdd9ba6f995cd5673fb875055abf4150baee7802c13bfc7057
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c585c230-84a1-485f-b0c2-e18f2be7dbd3
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1613779
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates processes via WMI
Drops PE files with benign system names
Found malware configuration
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Schedule system process
Sigma detected: System File Execution Location Anomaly
Suricata IDS alerts for network traffic
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected DCRat
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/44b1eed72ab863bdd9ba6f995cd5673fb875055abf4150baee7802c13bfc7057
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/44b1eed72ab863bdd9ba6f995cd5673fb875055abf4150baee7802c13bfc7057/
Threat name:
ByteCode-MSIL.Ransomware.Prometheus
Create hunting rule
Status:
Malicious
First seen:
2025-02-09 16:49:19 UTC
File Type:
PE (.Net Exe)
AV detection:
29 of 37 (78.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=isy65vzkxbr33wn2n6mvzvlhh64hkbk2x5avboxopabmco74oblq._file
Verdict:
malicious
Label(s):
dcrat
Create hunting rule
Similar samples:
092853fc5c2163fdafef345aff1be3116697804b6f81ef2374422822d1e78bfa
DCRat
425fea1071b9d17709b1c93a92ce8497bd4d8f42d17bf7f7dc47db9fede0133a
DCRat
e7f193ed34c9c44b2e7ad602f0abb5eacf9ba78806cac5d8c81a9cf9f1a1477f
DCRat
error
DCRat
fcc7ce0c1cf2c3d90bef0d564fcb9ac13631d73dd516a4e32f01ecd3ea9bcda9
DCRat
+ 114 additional samples on MalwareBazaar
Result
Malware family:
dcrat
Create hunting rule
Score:
  10/10
Tags:
family:dcrat discovery infostealer rat
Link:
https://tria.ge/reports/250212-2b4ztszlds/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Drops file in Program Files directory
Drops file in Windows directory
Checks computer location settings
Executes dropped EXE
Downloads MZ/PE file
DCRat payload
DcRat
Dcrat family
Process spawned unexpected child process
Verdict:
Malicious
Tags:
rat dcrat Win.Packed.Msilmamut-9950860-0
YARA:
MAL_EXE_DCRat_Jul_08_2
Link:
https://app.threat.zone/submission/0f0a564f-6c16-46ff-86fe-74b5217ed0e5
Unpacked files
SH256 hash:
c84dea67a6c2545d557a90c1a3e0bb8f98516c839a84449fa163433a7e0de858
MD5 hash:
22258e50376579879e7a14e2e1e6e632
SHA1 hash:
020b6c495704912c8e9b149f6c0c1d11339b42fd
Link:
https://www.unpac.me/results/64bac623-fc8b-4a21-bc78-6bfc924118d7/
SH256 hash:
3e0aa3c28c6ce47b6612c92e3675bb4447871decfdeafc16e2b7ee25f8eb9acd
MD5 hash:
f445b0820abb911510ddc183b5d42a31
SHA1 hash:
3a8f1450e9e8543d4f8eaf1507d51d2e31b59073
Detections:
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/64bac623-fc8b-4a21-bc78-6bfc924118d7/
Parent samples :
284f083103d1c160d9e4721ecce515646ce451a1b7ddf9dd89817904e21a4a2d
87f220dad3bbeec6f39ed3e74eaa5b63f91924104b238fd33b4c5d49cc88f1ac
1365414d90a8e9a059336e150f9123f59562c2c5b3a354f3d73f882773f04571
22cdd8b1c569a17884bd5ab6d67a77ada1309b849775b3967a91111f3ab0e400
3fa6ddcabcb03763ef1887117e16ebdf0553a1cc2a16b58bdecaba0735d4e60a
b108df3575c8f9c77577486a92b52fe55bfb6508acca68b22250d8e1fc0494fb
dc288149929d93cc33f1edfe82d4b92cb05c5b681e992dc18936df829b2b5e0e
5d78dc803d29fba00eb080a58f1d85c33dbf50834886337083269ca1b5f1c1db
8ce6b9b905b77768b4806c491d303784d9ba8513c4616e07b8f7a75553a0d40f
a6a27d9ba682a107558cdb16fcd50ebbe3d112c8dab38e96d5926c522781cc81
7238e57350be305f25ca913714b571ee225a658bf5234d9e98cf72e176b8749b
6b415af659470e76f2e7fd163dc72d040746e6aaa4da4503fe8946675dffe25c
1177a24b2539e173f4f9d25c0f3e43a22d23ec64b562a86b4b7ef65741734067
533c1f6d82962094e076116e5eaf643dd440eff83861ccf26334bc553fb6d129
5a089053f785fbdc6e6d11d32a6e74c9e5af34a6b3be078e867b0fe18833a7b6
a8733ea13062f65d6aaeb65f8836f9c57bc3c3af7c0d04b94bd072ed2f56b1d1
374290f4bc29e1d5a3295b8f23c281393075beae64db51cd5a5e96c03f9ef8b0
ad3cad3320c96364564203d96cc76ebea925dcc8de447195e0c1addb9f28e7e8
38b3c41d485fa638c249ee54c9a3ca358a9eb36e561834d9f7f2fca088da6248
cdb363f810ebeea6e40abc725c14e9bf78a3014559ec32903c15fd7576fcac20
25228b9b7646e3a44d0c0458b2d9f4dde89cb36ca52f69ae317edad02678678c
23f8f5fa14be58995db500b8506fde23f21f469a76912178b7934c354b3ce712
4ce4afc5fd856ed5951e35c3efd45fdc03662abf43050fddc564023ef40e6823
cb5bd9dcab7d07c1775ad24d25f72e15b6d62d4c22ce95345ce95632bc68be63
092853fc5c2163fdafef345aff1be3116697804b6f81ef2374422822d1e78bfa
e7f193ed34c9c44b2e7ad602f0abb5eacf9ba78806cac5d8c81a9cf9f1a1477f
6ad806c1234b782cd3a54e146cf02463424fa67c1a3e962c2f43ca10398178b4
de7afeddc29a1d624396c18da80702aa9ab9f8e5212446022a49b7f804252f0e
bc8c14e388292845423f694eee8c01accb528d4a8dab6faf396846f08098dfcd
a3d949b62016bc688520dfe0bf68075ca6666089eea641a62be626aecd1872ef
cccb59dbcce9a68ffed699333477bba15ef02b19de9e5a345eed09e87440fc28
294003b3626890da222c7aeb34f7ac71cec614026c686fd88df269cc175a0e8c
05305ca0ea5b5882c399450974bed845fdc6560a0c5c6a7dfe14daf00f6e9385
1683c3759dd64d42623510c28230a23c9b999f12d5b63f2cb02f9eaf769f45a6
8a542076ec9b9522127f2c63954f51720b7a933e701a902c853e8abb37bad7e0
19e2bde176b68e7b609977a3965b60bb74afc5810781e1545c1dc83beeb64672
5524ccb07590eff8d27d9807cebede9c67da9189af8dc5055d4df5ec72b89580
e412cff14b15f8734935b193a36c5a4d72957c2976899b8ffeb27cd0f68b6146
5f89b33cedfe3e9f075dd2312b10580dd16b5fb1702fe1f1ce572a792ec9bf91
3ac5dd621c370ef1fd89c945b220fa1dc5a1ccaf30ef5300034acb5cfdfa3e11
497ac5eb72b62c3db2d5383bc2823bf38596e00d877ec7e9d572a94830f07a0e
af0e7981166891af0e066bc0eb1fb73ae36ba339e05e40510a526385b48ad00d
e23b924ff1c1b8a67aebc3b98711c63e12832e2bdd41ff8a52b15685bfabfc6d
fcc7ce0c1cf2c3d90bef0d564fcb9ac13631d73dd516a4e32f01ecd3ea9bcda9
8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4
d1a77a1cb9e4123494d9646d4d064289d6c96dd7a1ebde4dc0aab169c42018f0
7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445
078a6edfe74bdca838f020373b45f18d1a89abe276d75eedba8cc4a0e8ac0acd
e52790fad710c0c1b12fbd9ea860621073af0615c796cd4fbd08fb6fb48982ed
0fc310783328a7b162001c9557bbed66e30d45de3ac0362e15f6f28d83ccc7a8
7eb02adb15e19f6a197a641d054d24d133f6d0880afbb8ff53a6629cbc666b67
fcfa3c615b1c3c703e0ebfaf3fa68093b3894f4b9b7b5b37a5283e419f44022e
4a7e93517c69ba331bd816159caa16524903ea49a8a2ea2b01e89f744894e6f0
3490a06a34fbdc0f9d3ae55ff159fe407bf962f67b56bde78a9ad0bb312a1610
3055d261f05a0656b1b92d9fa8ed3a72111a3a5c6d036d13d3d3a304ca99b987
7362f82084bcdf47b0927674ad678f66214e8d4f2783a0b9338ee4eb773c3474
feeeddd06c6b90360e7adf808b216628c585888af8e8b4179be7bb1a4e1e6994
94d6f5344b79742f145659d00c8e6d7113741ced8930b855dd6161b222f3e6c3
b003517c275f4ceb2bc2b54f77849c64818c7d37439201cab1cc2d91e8c66efd
cf2af3301f31bae02df162a5287f7671b353a4d7c704235e84661778a92c0b67
7a50b6909d72e88e6ac537a03602b33e4bb6c066841f066ed4e1ed42d9f77a6b
a3c93f62df949e293b45844f26bdd12f00ac83ca63b595dfa88cda056d9d7be0
014feb184c1838be5b8ca7761e5ddeafb5af92492718f13bcaedf5a736ce6377
b06c1166e2ceeb7def9f3d7efef3f22f2b004b5d36c785a4a4cb443b6e1281de
f41b0826792d64294cb3f67c11513610b4510d8efdf2f7ee66d434e3b7472343
6e333e5b68668934186d53525c24d2ed857c35e36b4d21102d06e52e6890ac5f
524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611
60f6c911f8b8f9579e3958699dcb7fb91ade66f3a9bdd435632c6d18006002c2
394c5bdb282b16f8fc323f01c9a0ebe0a3824c95efbc082a5ae7b1d547ab3617
13f24a33b0bda605948ee337aac9f7095faeb536a0c1ba8d221a53af3822eec3
cc92c665e4e26f4bf880e69666f019f9d568533510d8ca3d5e4651c1e121231e
b49adf276a5e055ef1a3685f032701b41be76177f7f9eb85dfac2d33b5fa7c9f
121d462ca9f33798e076d069ec6b84c5ae0573bbaac8df8dd78efbb7041bd30b
7b3cb0689a20b3d447c436253a2f44995562052e7f46094c93c12a375ebea0cb
4d460e49e0c569a7593cd7fd6e3a181b2e25dd7b98bd2906015007bd241b4d86
82aaf8a6c7718e883bf7f9cb3d18a7889a8080227f14f9bc1ce0e9efa77d651b
2f49f91f40825f17a112a2099798b009d70aba693865a858f42e806fec6d5d8d
c3627f7a85532ddd721bc37ed3816ff0197641ff368ed20bd39c19aabeeb97db
8d34477674ccda710d5acd22a1ea3ce7c9e818d7b6d3b19200c896fcf42f5b4b
3f6feb2ff90be022f4b11b4e4be46768ce735fa4fda2fc731232fd1105a109da
3f7dbeb177934d53205b93a27b9f4262fe0f46aaf090326cb8e2069d90d0414c
44b1eed72ab863bdd9ba6f995cd5673fb875055abf4150baee7802c13bfc7057
1ce99f60292aa8808687010e53feff56ab3af5af3d725d8a9008dd4a1cf252cb
70c558209d7201e690991be17a01c6ef7f5b14775f2cfb288f0abafa43187fe2
3acf15dfd8e4a0fbe7404c2f8aadda1cff0aba5c058f5b5c3481bb44d8ff5b64
fea10c485839f80cc78106c2ef1d4a3ef70a5a0c208586be219a070bca061d6c
7482844fa9ea3044100ff708dd43854bf604859d30e1e6f556a7fa55d32323e4
afdeaf8649ee916f5734e9363da47ef0b0174bbbd1fca080e75ce291e2760d9c
d945170cc27804050d9789baaf9e86fcd5c4e130ef4b38cec14e3a833a2cf6f9
e4a9185f0986262e066fdd0a863444e2667b40655df1c7098c605be5bd3ec6e6
62fd8c7e773674a56856b0ed4907df4eb15ac0fb4e4a18fea5b244180c70b575
ce0545657884415ef34e052fcdf36506eee3f33315810fac1b7f7c615f439dcf
5539d434ee526c3dd170b22ac661ded347391278c129f0f7571d683bdc0fb1db
8f22bfcfe5137aec0a8c659e08c604acbfa1ab64e85a05b2ad99a2995afae0db
e0b4936809d8a75b5095ce25dfb12e14c825e9401d941356749bba86a26b6bbb
f9e07becd2faaba0a53f178a513cef474849c4d82a1e69a871c81617db614296
4533579ade22cae8ab3bf23355133ca9d148328aefb35a543661f818e6af1a1b
bef3edd51fd9d18caaf806dc73b6d31554c805af50228e47c1543c00b81fe083
fc5b0314dfd53a19bb905de5b758720df8a25857bdd1c5a72e5b1af7d4ff994a
7dc1fbc080662648b9fbfb4a4bd3ccf782b02ef3ffb1f1c841e5a041109ec7bf
f08995b47577c1055a9dba345fec4ef1718e482fb014769e5d29e917837b1aed
a97a9f96d06d9e06dc3a0b49088553f0f3591e714cd905a6650ae02a28054351
01e7f777e19a70073e6e8d286263b12b59bf8cc9af1e0b0c9fa4244ff63c9dc0
4728a46d0432b4fa8c56c71597346276a69c9a38842725426a44364cc0655457
f35cac13d76f955a715a51f5029ec8e4539004f02a447eec2b84febd7a4f62af
39c734ab91b8067c2458a620ce002b8bbe6f0e18176a7d98d022883ec73e67ec
a38d77ec66208f83f4065fe43bf51c96b587d2937b0d5f6d1abb1ab973de3751
b58aef4c00cd53ff6c8dbd8dc77106cc4d3c9267dd6a85a60689a7d877d296eb
2759f638365196e35d569a12402c45060dc7f262b6d428da7c3bcee43c231742
a0f0432f815889adb15907adaab5489844a71f5527bb07afb3d37f1a6ef948df
3993abaf8f1b6758260ab97a7192a4dcce70c41ffb326db7f0e94dffaf647312
7949b1fd0ad6619b0571cc5811092164829d49c19ab062466497ec8d91fea232
cdbdad075c206d9c7b7507f5896dd87dd3a5df371bbf7113e0255bf9fdcf7ca9
b0049161819d1b613e9bac0c0ab31c4926013efcb93041f2b8c56f5d34f2336a
4e6eb217528d9643d9a41ea4ef18d97e64d425d5c419738a82081e2577964de5
c4c2a82a7d454bb85fa22f12d2571639c1640ba4a6790d708f4a229f91a7a99b
a00f90db29e2c261c2b6bb00093c43659b577708e8afff72c97f17d41bb06e2e
ec8877718f6bace8cef59ee505e0cbed94a2f6531249d0801192b2de127cab85
9ca2e817ff19e5313105b3b468c5390aff48fabe778333d4d2d045659818e73a
dc5f62878c3764af000c4f1fe93a837744ff28a37f312856cb1cc4c320d1f1ad
b86a67a7dea558bd5719148ecc93ecb2c4f9270006ff304d860c866519c8ca15
d31183ab1c4b40cd810613950b57e160aaf5ed3653e94a118bbfd1004aafee8d
17eabc9a47c7be45b7f3fe07bb5b172facdf56eec68519cc6f4a46b425911d74
bd6dd0383aadbfe35d3ff072e5cfe720252fe7b269da1c8248a3750040f72d0d
b97ea2aa74f7242a5c80e11e87484d5e8f293493db33973adce9c1854a734250
ba2d4bb1811b715213b5845997a842f503c822a5500852f14a3ecf68aa320fc2
1570eccae560c58ea44678a7c2c22d1465ea8a9877c6009425d737927ed76920
d540e07cb7ddc6329f581ad9135190552040a7601020a68ac58c4d702821cd24
c0f50b83de6f99d12bd60bf76002162b2216b03645588dd28f33733c285559e5
4e5712fab9aafbdfab1a9e274c5c3ac81aa2edec7881d629a652a63f15de6ee4
d31d3cffc35347c38b0c958b7311d3d6e65c24c0a3ccb91cbcd1df36817850d9
4534074d213942449c22ba14aa2d85c191f955606f70e875fbefda4358cda01b
639434ab2249f233c5b191405f19dfa09d6d87b4939049fe60c6b4d1715afa1d
dbf2476b04ae66c2eb361fdea361c62778286823b60feea32cdbc15d59d024d3
d607bfcbe22d2dd7d7a40172c2c5e1680d5d1132c8cab4b2ce51b57ca84fe997
a1f1d8797ffd930f0a16f3a1bd96b58419bb05bcd304a6e4ec2ddc14c664c83c
dd71110a6b7fb79b2949280611957646f76503f1bda866b06e74b9a74e54dc89
0d02b9160a66ec959cc0b029816c61576581b92070c23ce5e492dcc3987b5554
c4fd4ed2f44625ba8af80b9e9751a005de4a3060eab685bb8e3e4b455b90e3ba
107e5d98e41c2de3fc4d8844c85e6ccb2af6d35414a6b958eb39cb3feed64854
43bf0e585ed703c5aa53e6a74b04e2b3c10a3a7708889a5d823c7f84e29c2aab
96f8492fd115abf7134203668cd31f428efbc1d75edb9c6f26aaf8201e19950e
a80013d4175fe572cbeadb27d38a4fd397550d2b81532f6d800300c195536597
3c9a5d90d37ba18c0ff3a4e6461cabdf1de6a3eee8890a39e68a1549c433c7e0
f0c19bca34ec10ca7f3057c3ecccc0a4b2d8f21fa163c1149ca8d15fa9918703
452896fac3f4fea522f38b7974de9428b372bef3ccd30953ba7e808643312d11
4c940f9d7bd8b2397c93151446cf167acbde7afe5fb29205f3f58bf79d714ea0
43647972490c89b2f54bb84a4abdcf9037cc2f6d0768b9cdad9ec22deb935e11
29a955752a6b382e17a74244825f66d1cba8776f1c47ae908b1e9c9fc88a513d
f2420fdc9492498195a8a0bae43cfbf7c721b18c43b55ccfecf941f06164b154
c91ecca54c0cbdf3f8714d7c92ca6858d4ddb5957ab06f9ed33bb73e3b5f6207
e7cf9ae73751f92a53dbbc41b4939510e23352bf3a942e86b269c72b80cdb63c
47b707ee7aeb49ae4d8e8a7abb7aa067a49f7ec9a804aa7c21d2c563cf2cb50f
SH256 hash:
e8cdb5275b6042080801a634984a1a492baf30133f13072fb4de440c91639f87
MD5 hash:
e963d26096776a0a11af07072c54aabe
SHA1 hash:
add91921f2d666efed97b1974d1e97f8f3299e3e
Link:
https://www.unpac.me/results/64bac623-fc8b-4a21-bc78-6bfc924118d7/
SH256 hash:
44b1eed72ab863bdd9ba6f995cd5673fb875055abf4150baee7802c13bfc7057
MD5 hash:
827402e477f94227d4e3bbb4e6285397
SHA1 hash:
084fffa0ae1ea9c5d3dc0729cc9e97ed4de1dc6f
Link:
https://www.unpac.me/results/64bac623-fc8b-4a21-bc78-6bfc924118d7/
Malware family:
DCRat
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/44b1eed72ab8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
DCRAT
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/44b1eed72ab863bdd9ba6f995cd5673fb875055abf4150baee7802c13bfc7057

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BAZT_B5_NOCEXInvalidStream
Create hunting rule
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:DotNet_Reactor
Create hunting rule
Author:@bartblaze
Description:Identifies .NET Reactor, which offers .NET code protection such as obfuscation, encryption and so on.
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:PureCrypter
Create hunting rule
Author:@bartblaze
Description:Identifies PureCrypter, .NET loader and obfuscator.
Reference:https://malpedia.caad.fkie.fraunhofer.de/details/win.purecrypter
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments