MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 533c45a3400cceaf13703564aa125c4a17b613ea0964d140be0415d7df4f644b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DCRat

Vendor detections: 13

Intelligence 13 IOCs YARA 29 File information Comments

SHA256 hash:	533c45a3400cceaf13703564aa125c4a17b613ea0964d140be0415d7df4f644b
SHA3-384 hash:	4cb872ac0754a9278f7f567b39cefb7a15f16553eaaec61ee240f63f03855bf96b4f49df4a3e32a58f50082c97cc5c5a
SHA1 hash:	4b0994b910d67990c855b669f4124e6ebbbc0343
MD5 hash:	86f3de7b3546c538291820eb6f1d3d32
humanhash:	one-nineteen-one-sink
File name:	DcRat BacteriaGroup.exe
Download:	download sample
Signature	DCRat Create hunting rule
File size:	22'643'712 bytes
First seen:	2025-06-05 16:08:04 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	393216:q/nGTBP+Zw6NLIsFfskh1BmXGR1Bd+/2:q/GTBP+Zlnk0rmoBY
TLSH	T19637BF00FDA4C653D07B5AF6C0B246F597B0AD19EB1287AB15803FAC3AF27457926327
TrID	62.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.0% (.EXE) Win64 Executable (generic) (10522/11/4) 8.5% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2) 4.7% (.FON) Windows Font (5545/9/1) 4.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika	pebin
File icon (PE):
dhash icon	1b3b0f1733332b0f (2 x RedLineStealer, 1 x AsyncRAT, 1 x DCRat)
Reporter	burger
Tags:	DCRat exe

Intelligence

File Origin

# of uploads :

# of downloads :

322

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

DcRat.zip

Verdict:

Malicious activity

Analysis date:

2023-06-05 15:21:22 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/2a9c9bcf-ed63-4b68-80d7-c40a75cfcb68

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

DCRat

Link:

https://www.capesandbox.com/analysis/7528/

Detection(s):

Win.Malware.Bulz-9935004-0

Win.Dropper.TrickBot-10007885-0

Win.Keylogger.Marsilia-10040488-0

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6841bf2907b5e8c1cfe4f126

Tags:

ransomware dropper virus

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Connection attempt

Searching for synchronization primitives

Launching a service

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

adaptive-context alien base64 crypto keylogger lolbin quasar tiger venomrat wscript

Link:

https://www.filescan.io/uploads/6841c0f9171e01f959373ab4/reports/3e48956c-a137-4d7a-978a-d2960e39ee3a/overview

Verdict:

Malicious

Labled as:

IL:Trojan.MSILZilla

Link:

https://www.hybrid-analysis.com/sample/533c45a3400cceaf13703564aa125c4a17b613ea0964d140be0415d7df4f644b

Result

Threat name:

AsyncRAT, DcRat, KeyLogger

Detection:

malicious

Classification:

troj.spyw

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/1707436

Signature

Antivirus / Scanner detection for submitted sample

Contains functionality to log keystrokes (.Net Source)

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AsyncRAT

Yara detected DcRat

Yara detected Keylogger Generic

Behaviour

Behavior Graph:

Download SVG

Score:

91%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/533c45a3400cceaf13703564aa125c4a17b613ea0964d140be0415d7df4f644b

Gathering data

Threat name:

ByteCode-MSIL.Hacktool.CapMouse

Status:

Malicious

First seen:

2022-01-19 02:59:00 UTC

File Type:

PE (.Net Exe)

Extracted files:

202

AV detection:

24 of 36 (66.67%)

Threat level:

1/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=km6eli2abthk6e3qgvskues4jil3me7kbfsncqf6aqk5px2pmrfq._file

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/250605-tlwgfahm51/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Verdict:

Malicious

Tags:

loader Win.Malware.Bulz-9935004-0

YARA:

Windows_Trojan_Donutloader_f40e3759

Link:

https://app.threat.zone/submission/9d6d9cf5-4e2e-4271-8236-8ef1b5a44ad4

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/533c45a3400cceaf13703564aa125c4a17b613ea0964d140be0415d7df4f644b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AcRat Create hunting rule
Author:	Nikos 'n0t' Totosis
Description:	AcRat Payload (based on AsyncRat)

Rule name:	Base64_decoding Create hunting rule
Author:	iam-py-test
Description:	Detect scripts which are decoding base64 encoded data (mainly Python, may apply to other languages)

Rule name:	BLOWFISH_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for Blowfish constants

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	botnet_plaintext_c2 Create hunting rule
Author:	cip
Description:	Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.

Rule name:	CHM_File_Executes_JS_Via_PowerShell Create hunting rule
Author:	daniyyell
Description:	Detects a Microsoft Compiled HTML Help (CHM) file that executes embedded JavaScript to launch a messagebox via PowerShell

Rule name:	dcrat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	dcrat_kingrat Create hunting rule
Author:	jeFF0Falltrades

Rule name:	dcrat_rkp Create hunting rule
Author:	jeFF0Falltrades
Description:	Detects DCRat payloads

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Detect_PowerShell_Obfuscation Create hunting rule
Author:	daniyyell
Description:	Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	INDICATOR_SUSPICIOUS_EXE_DcRatBy Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing the string DcRatBy

Rule name:	INDICATOR_SUSPICIOUS_EXE_RawPaste_URL Create hunting rule
Author:	ditekSHen
Description:	Detects executables (downlaoders) containing URLs to raw contents of a paste

Rule name:	Lumma_Stealer_Detection Create hunting rule
Author:	ashizZz
Description:	Detects a specific Lumma Stealer malware sample using unique strings and behaviors
Reference:	https://seanthegeek.net/posts/compromized-store-spread-lumma-stealer-using-fake-captcha/

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	RC6_Constants Create hunting rule
Author:	chort (@chort0)
Description:	Look for RC6 magic constants in binary
Reference:	https://twitter.com/mikko/status/417620511397400576

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	Rooter Create hunting rule
Author:	Seth Hardy
Description:	Rooter

Rule name:	RooterStrings Create hunting rule
Author:	Seth Hardy
Description:	Rooter Identifying Strings

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	SHA512_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA384/SHA512 constants

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	Windows_Trojan_Donutloader_f40e3759 Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/7528/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (GUARD_CF)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample