MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 54d7bc30cd4f413106c5b57e5b29ea7ec560fccafdf08a4b8d7182715f4a3f94. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 54d7bc30cd4f413106c5b57e5b29ea7ec560fccafdf08a4b8d7182715f4a3f94
SHA3-384 hash: dc063cf3c7821840abe263963047dc31ae65512ad8dbb2c5404d52a417270acae5dcd668cc63322c5be620a5c40d4371
SHA1 hash: 2fc25432b9a10c911a238800091fb786454e371e
MD5 hash: 0a3346f8e23808d303382d4b64b8524f
humanhash: yellow-video-hotel-pluto
File name:0a3346f8e23808d303382d4b64b8524f.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:1'708'544 bytes
First seen:2023-03-26 09:10:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 24576:lTBTsIBMNjnNNOhAe/S0o16wqw1fxocelLqd2HkPPcKbcI6Bw7Azuu0+k+51rFkP:+4lqcKsesqu0Lk9ObVS
Threatray 154 similar samples on MalwareBazaar
TLSH T1F985AC3D39B79AD2C238FA3386E3E520B6BD84923303D959D9D61AC44F412827DCE95D
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:DCRat exe


Avatar
abuse_ch
DCRat C2:
http://45.137.65.70/privateSecureProton/Test/78requestLocal/UniversalVideoDatalifePublic/8/imageProcessortemporaryMulti/7temp/0/SecurepacketprocessorwindowsWordpress.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
258
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
dcrat
Create hunting rule
ID:
1
File name:
0a3346f8e23808d303382d4b64b8524f.exe
Verdict:
Malicious activity
Analysis date:
2023-03-26 09:11:32 UTC
Tags:
rat backdoor dcrat
Link:
https://app.any.run/tasks/b72ab3eb-8c7b-4cb2-ab85-af7b8e7a360f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DCRat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/377520/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Creating a file
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Launching a process
Unauthorized injection to a recently created process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed psr.exe ransomx
Link:
https://www.filescan.io/uploads/64200c27d56d0328e7728f39/reports/bb5ce36e-b647-4cde-8f8e-4b734fcae034/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/54d7bc30cd4f413106c5b57e5b29ea7ec560fccafdf08a4b8d7182715f4a3f94
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0cbba43e-4213-43de-bf93-792283747f6f
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1202099
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large strings
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Creates processes via WMI
Drops executables to the windows directory (C:\Windows) and starts them
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected DCRat
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 835000 Sample: NUvOjWGLfF.exe Startdate: 26/03/2023 Architecture: WINDOWS Score: 100 54 Malicious sample detected (through community Yara rule) 2->54 56 Antivirus detection for dropped file 2->56 58 Multi AV Scanner detection for dropped file 2->58 60 13 other signatures 2->60 8 NUvOjWGLfF.exe 3 2->8         started        12 MrYGtxJuQCGejZDREyGJIGCQbFE.exe 14 3 2->12         started        14 schtasks.exe 2->14         started        16 33 other processes 2->16 process3 file4 50 C:\Users\user\AppData\...50UvOjWGLfF.exe.log, ASCII 8->50 dropped 70 Injects a PE file into a foreign processes 8->70 18 NUvOjWGLfF.exe 3 8->18         started        72 Multi AV Scanner detection for dropped file 12->72 signatures5 process6 file7 30 C:\Users\user\AppData\...\bridgesurrogate.exe, PE32 18->30 dropped 32 C:\Users\user\AppData\...\Combrowser.exe, PE32 18->32 dropped 21 Combrowser.exe 1 24 18->21         started        25 bridgesurrogate.exe 1 13 18->25         started        process8 file9 34 C:\...\MrYGtxJuQCGejZDREyGJIGCQbFE.exe, PE32 21->34 dropped 36 C:\...\MrYGtxJuQCGejZDREyGJIGCQbFE.exe, PE32 21->36 dropped 38 C:\Users\...\MrYGtxJuQCGejZDREyGJIGCQbFE.exe, PE32 21->38 dropped 46 7 other malicious files 21->46 dropped 62 Antivirus detection for dropped file 21->62 64 Multi AV Scanner detection for dropped file 21->64 66 Machine Learning detection for dropped file 21->66 27 bridgesurrogate.exe 21->27         started        40 C:\...\MrYGtxJuQCGejZDREyGJIGCQbFE.exe, PE32 25->40 dropped 42 C:\...\MrYGtxJuQCGejZDREyGJIGCQbFE.exe, PE32 25->42 dropped 44 C:\Recovery\MrYGtxJuQCGejZDREyGJIGCQbFE.exe, PE32 25->44 dropped 48 2 other malicious files 25->48 dropped 68 Creates processes via WMI 25->68 signatures10 process11 dnsIp12 52 45.137.65.70, 49697, 49698, 80 ON-LINE-DATAServerlocation-NetherlandsDrontenNL Netherlands 27->52
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/54d7bc30cd4f413106c5b57e5b29ea7ec560fccafdf08a4b8d7182715f4a3f94/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-03-05 22:35:50 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
25 of 37 (67.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ktl3ymgnj5atcbwfwv7fwkpkp3cwb7gk7xyius4nogbhcx2kh6ka._file
Verdict:
malicious
Similar samples:
1eb23606ac29d2eb83bb2ecef63d8258e734d277a69627ea3c349458fc240389
DCRat
1faa876f1399fb2010efd296d79c43f2b7dda0ec087991d542327515a405540c
DCRat
3d9d29b0f45ebf573ef99506d6bf85bb374a7fb138ba44520187851a89993ca2
DCRat
464dcd506637588f1640550f411af1a56a1d9784e61e43e9bcf247b3243211e8
DCRat
8b1fdb4c610d81dea7ea4ac940716e4bfcab7461dc6f426512f3fb65167db86c
DCRat
d56a39deca5258feb3a5d7b7488103e9950adbf25435655cf32050b08986f606
DCRat
+ 144 additional samples on MalwareBazaar
Result
Malware family:
dcrat
Create hunting rule
Score:
  10/10
Tags:
family:dcrat infostealer rat
Link:
https://tria.ge/reports/230326-k5la5saa21/
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
DCRat payload
DcRat
Process spawned unexpected child process
Unpacked files
SH256 hash:
220d910f7ea83c5ee144f095c15a6945121544cc1bc800a68c5992853146297e
MD5 hash:
96b4db438fc8e2e04e75aebd7b2aa79d
SHA1 hash:
8a4248d922395c60f38e83138a805a59a09f3d2b
Link:
https://www.unpac.me/results/ff505249-369a-4d5b-9bd6-0f035bd23ea9/
SH256 hash:
9deb20d484ab344597ef5a400423c649bc53d8994dc7d466b2c1e8f66b960c51
MD5 hash:
0c17b472c8b00ad81698c0de108ad48b
SHA1 hash:
7ac3106bc570427486779188db1d422beedec8ea
Link:
https://www.unpac.me/results/ff505249-369a-4d5b-9bd6-0f035bd23ea9/
SH256 hash:
94c2ba257a21a0eb4527346753abdedc7bb2fe3aa72d20642546994626602129
MD5 hash:
874dcc6be499121b1425bfdff1f8ad46
SHA1 hash:
66f83bedc73876b77e152c604b8214bde86d965e
Link:
https://www.unpac.me/results/ff505249-369a-4d5b-9bd6-0f035bd23ea9/
SH256 hash:
596a56fba80c2f8a8a2e21bc33a9c8b88296dd66f855ba279457760622b29514
MD5 hash:
c68dfa84071a3eb3e1ae60a56a932995
SHA1 hash:
047ff1d7dad620331ce7eb0997bb176ccdbc1ac8
Link:
https://www.unpac.me/results/ff505249-369a-4d5b-9bd6-0f035bd23ea9/
SH256 hash:
270e4c9c272e76b067e85727fbd871ff65edc0ef837a9b80cfed84252203ffbd
MD5 hash:
c9618d3d5ba243b024fe41223ef625be
SHA1 hash:
626d260a95fbf0b8b2ace91b64d0c7aa294616bf
Link:
https://www.unpac.me/results/ff505249-369a-4d5b-9bd6-0f035bd23ea9/
SH256 hash:
e16d31256434834519f0fc54095f9a5e03700adaba2e51a75dad1ab581441323
MD5 hash:
1edd3839f47ae345890b4dc71ba6cfe5
SHA1 hash:
0b6593476cd3f7a7292c1e5f63e137aebb147708
Link:
https://www.unpac.me/results/ff505249-369a-4d5b-9bd6-0f035bd23ea9/
SH256 hash:
54d7bc30cd4f413106c5b57e5b29ea7ec560fccafdf08a4b8d7182715f4a3f94
MD5 hash:
0a3346f8e23808d303382d4b64b8524f
SHA1 hash:
2fc25432b9a10c911a238800091fb786454e371e
Link:
https://www.unpac.me/results/ff505249-369a-4d5b-9bd6-0f035bd23ea9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/54d7bc30cd4f413106c5b57e5b29ea7ec560fccafdf08a4b8d7182715f4a3f94

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/377520/

Comments