MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5a5e3d70cd466c1fd8b96432c3e547d1219f87562450259393b51780b65a201d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5a5e3d70cd466c1fd8b96432c3e547d1219f87562450259393b51780b65a201d
SHA3-384 hash: 16d57d4369f2cc2a3160d91531eec130049e1881372c66b2fb1672899d5ef8bc65f4dbbe6d500d42d20f85df26df6fa5
SHA1 hash: c68350688ae49166da20529076bc6e09ece54972
MD5 hash: ecee2ebd3ec0c0d36f88475532eddbef
humanhash: pluto-may-pasta-hydrogen
File name:file
Download: download sample
Signature DCRat
Create hunting rule
File size:1'529'856 bytes
First seen:2023-05-28 00:39:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 104b87c3fef9c18dcad72b41783c28ec (1 x DCRat, 1 x RedLineStealer)
ssdeep 12288:RajiyzjakY85lAi78xkprnzbBxo0O57I3WkctrO73yvKbXRXy2/xcehJNHtIEwyk:RhmYpiwC7BxLOyWj2F/jzNIEF30
Threatray 7 similar samples on MalwareBazaar
TLSH T191650200B1C2C032E43705354AE0D7B55E3EBD700BA29EEF67A51F7E8F253E18966966
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter andretavare5
Tags:DCRat exe


Avatar
andretavare5
Sample downloaded from https://vk.com/doc800513317_661653213?hash=5DkafPCDGoDmzXis1nDyj2tvd0Z4w9WveEc17m8z1YP&dl=1Z87Wpkrs0wPTy64SlO4FBqP9zrhWJqmfMZXyNZHbBg&api=1&no_preview=1#cryp125

Intelligence

File Origin
# of uploads :
1
# of downloads :
274
Origin country :
US US
Vendor Threat Intelligence
Malware family:
dcrat
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-05-28 00:42:02 UTC
Tags:
rat backdoor dcrat stealer
Link:
https://app.any.run/tasks/8a6c4cfe-db09-4dba-915d-3b44f449032e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DCRat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/392693/
Detection(s):
SecuriteInfo.com.Variant.Fugrafa.282092.17139.30621.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Searching for synchronization primitives
Creating a file in the %temp% directory
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware lolbin packed shell32.dll
Link:
https://www.filescan.io/uploads/6472a2e3a4e82deee725b7ec/reports/95997fae-c88c-433d-89eb-127a4571c660/overview
Verdict:
Malicious
Labled as:
Fugrafa.Generic
Link:
https://www.hybrid-analysis.com/sample/5a5e3d70cd466c1fd8b96432c3e547d1219f87562450259393b51780b65a201d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d54f6e21-e1b3-43a2-899b-b397897f416b
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1243927
Signature
Allocates memory in foreign processes
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected DCRat
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5a5e3d70cd466c1fd8b96432c3e547d1219f87562450259393b51780b65a201d/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2023-05-28 00:40:06 UTC
File Type:
PE (Exe)
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ljpd24gnizwb7wfzmqzmhzkh2eqz7b2wericle4twulybns2eaoq._file
Verdict:
malicious
Similar samples:
227b396c6dceeb7107850a0fd635299670d01e91fef3aaf4840fdffe88f3e1f9
DCRat
c691c174c042a1f23f13b420abad454bd4b843e1033119080114da0a99cfdfff
DCRat
d504922abfbd95fed6cc1bcc7558dd44fe268f28a6b990e26b32df0c4ff96e82
DCRat
Result
Malware family:
dcrat
Create hunting rule
Score:
  10/10
Tags:
family:dcrat infostealer rat
Link:
https://tria.ge/reports/230528-az7l3sea9t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
DCRat payload
DcRat
Unpacked files
SH256 hash:
7ea7d3a777e2c913170212dddd74716564ef92709cbfdf25322f773f3719cea5
MD5 hash:
21e32d5191d84839465543b08f399e8b
SHA1 hash:
76ebcb565eb31292a3ae3638a673c5dd8aa49ed4
Link:
https://www.unpac.me/results/27e4d1a3-4c06-4488-b681-7106b41e8096/
SH256 hash:
5a5e3d70cd466c1fd8b96432c3e547d1219f87562450259393b51780b65a201d
MD5 hash:
ecee2ebd3ec0c0d36f88475532eddbef
SHA1 hash:
c68350688ae49166da20529076bc6e09ece54972
Link:
https://www.unpac.me/results/27e4d1a3-4c06-4488-b681-7106b41e8096/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5a5e3d70cd46/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5a5e3d70cd466c1fd8b96432c3e547d1219f87562450259393b51780b65a201d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/392693/

Comments