MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5b6520c7b6cc8b183b108b0fdf12fe349b82fc060100e49019ac734b268456d0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5b6520c7b6cc8b183b108b0fdf12fe349b82fc060100e49019ac734b268456d0
SHA3-384 hash: 1197254d7bc5280b4b73e2bb0c73b158a90b82b50c931fb36dd0c05cfe6c0c428e87fdc4be71e3c376fbe0555fedc6ae
SHA1 hash: 7a69046519ac6195f275c9dbe1ddd393c43f0341
MD5 hash: 064773034947221b8da5f3ffcaadd75d
humanhash: december-oscar-music-oven
File name:SecuriteInfo.com.HEUR.Trojan-Downloader.MSIL.Agent.gen.26726.31191
Download: download sample
Signature DCRat
Create hunting rule
File size:1'141'248 bytes
First seen:2023-07-03 20:29:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'743 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:VP4C/u/kQQZl3Qljj8kVvz6devmDQ/TLAJ+daN45a3W89UJ/p+VzHwEsIdfg88/h:h4C/DZ9YEmSVzHwjY0x7
Threatray 12 similar samples on MalwareBazaar
TLSH T17A352C157BE88126E1BF5776E4F105178AB4B807EA92E71D04A1A3AC1CD3B80DE5327F
TrID 60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.8% (.SCR) Windows screen saver (13097/50/3)
8.7% (.EXE) Win64 Executable (generic) (10523/12/4)
5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter SecuriteInfoCom
Tags:DCRat exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
298
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.HEUR.Trojan-Downloader.MSIL.Agent.gen.26726.31191
Verdict:
Malicious activity
Analysis date:
2023-07-03 20:31:33 UTC
Tags:
opendir loader
Link:
https://app.any.run/tasks/0d9e580a-d9b9-4f3d-b60d-4429a801a7b9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/406197/
Detection(s):
SecuriteInfo.com.HEUR.Trojan-Downloader.MSIL.Agent.gen.26726.31191.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
Creating a file in the %temp% directory
Using the Windows Management Instrumentation requests
Changing a file
Moving a recently created file
Creating a process from a recently created file
Creating a window
Searching for the window
Searching for synchronization primitives
Sending a UDP request
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Unauthorized injection to a recently created process
Sending an HTTP GET request to an infection source
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control hacktool lolbin packed replace
Link:
https://www.filescan.io/uploads/64a32fcb204315fbc16c8ddd/reports/38ce5063-d347-4c93-9343-adc1231a6221/overview
Verdict:
Malicious
Labled as:
MSIL/TrojanDownloader.Agent
Link:
https://www.hybrid-analysis.com/sample/5b6520c7b6cc8b183b108b0fdf12fe349b82fc060100e49019ac734b268456d0
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/94d049ad-5f19-4673-bcc1-22df2aedf835
Result
Threat name:
Babadeda
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1266221
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Connects to a pastebin service (likely for C&C)
Disable Windows Defender real time protection (registry)
Disables UAC (registry)
Drops PE files to the startup folder
Drops script or batch files to the startup folder
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Powershell adding suspicious path to exclusion list
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses cmd line tools excessively to alter registry or file data
Uses ipconfig to lookup or modify the Windows network settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Babadeda
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1266221 Sample: SecuriteInfo.com.HEUR.Troja... Startdate: 03/07/2023 Architecture: WINDOWS Score: 100 96 pastebin.com 2->96 100 Snort IDS alert for network traffic 2->100 102 Sigma detected: Powershell adding suspicious path to exclusion list 2->102 104 Multi AV Scanner detection for submitted file 2->104 106 6 other signatures 2->106 11 SecuriteInfo.com.HEUR.Trojan-Downloader.MSIL.Agent.gen.26726.31191.exe 15 4 2->11         started        16 cmd.exe 2->16         started        signatures3 process4 dnsIp5 98 23.137.249.127, 49690, 49694, 49695 GTLAKESUS Reserved 11->98 86 SecuriteInfo.com.H...26726.31191.exe.log, ASCII 11->86 dropped 126 Writes to foreign memory regions 11->126 128 Injects a PE file into a foreign processes 11->128 18 InstallUtil.exe 14 17 11->18         started        21 cmd.exe 1 11->21         started        88 C:\Users\user\AppData\Roaming\...\DC64.exe, PE32 16->88 dropped 24 conhost.exe 16->24         started        file6 signatures7 process8 file9 76 C:\Users\user\AppData\Local\...\2r3frf.zip, PE32+ 18->76 dropped 78 C:\Users\user\AppData\...\2r3frf.exe (copy), PE32+ 18->78 dropped 26 DIS64.exe 18->26         started        29 2r3frf.exe 10 18->29         started        32 Blue32.exe 18->32         started        34 conhost.exe 18->34         started        120 Uses ipconfig to lookup or modify the Windows network settings 21->120 36 powershell.exe 21 21->36         started        38 conhost.exe 21->38         started        signatures10 process11 file12 122 Writes to foreign memory regions 26->122 124 Injects a PE file into a foreign processes 26->124 40 AppLaunch.exe 26->40         started        43 cmd.exe 26->43         started        90 C:\Users\user\AppData\Local\...\DIS64.exe, PE32 29->90 dropped 92 C:\Users\user\AppData\Local\...\Blue32.exe, PE32 29->92 dropped 94 C:\Users\user\AppData\Local\...\DC64.exe, PE32 29->94 dropped 45 cmd.exe 32->45         started        47 cmd.exe 32->47         started        49 Blue32.exe 32->49         started        signatures13 process14 file15 82 C:\Users\user\AppData\Local\Temp\...\9270.bat, ASCII 40->82 dropped 51 cmd.exe 40->51         started        55 conhost.exe 43->55         started        57 powershell.exe 43->57         started        59 conhost.exe 45->59         started        61 ipconfig.exe 45->61         started        63 conhost.exe 47->63         started        65 ipconfig.exe 47->65         started        84 C:\Users\user\...\ResolvedAssemblyFiles.exe, PE32 49->84 dropped process16 file17 80 C:\Users\user\AppData\Roaming\...\wtchdg.bat, DOS 51->80 dropped 112 Drops script or batch files to the startup folder 51->112 114 Uses cmd line tools excessively to alter registry or file data 51->114 116 Drops PE files to the startup folder 51->116 118 2 other signatures 51->118 67 reg.exe 51->67         started        70 powershell.exe 51->70         started        72 conhost.exe 51->72         started        74 29 other processes 51->74 signatures18 process19 signatures20 108 Disable Windows Defender real time protection (registry) 67->108 110 Disables UAC (registry) 70->110
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5b6520c7b6cc8b183b108b0fdf12fe349b82fc060100e49019ac734b268456d0/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-07-03 20:30:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lnssbr5wzsfrqoyqrmh56ex6gsnyf7agaeaojeazvrzuwjuek3ia._file
Verdict:
malicious
Similar samples:
0f0760eb43d1a3ed16b4842b25674e4d6d1239766243bac1d4c19341bb37d5b8
DCRat
26824a60b529f933c81dbd8c9da85bf8962feab2a7c99dc7ee30723598836d5f
DCRat
4cd2a6b92caa467a8e4b72426b8d2823e1d00ef28a62b28e5df91527a8d44f65
DCRat
66ec3c9fb1339c6925fb508c17190aa7869e24b149abcedd771aa53ea9de27fa
DCRat
785fb0207bb3978514a7bbf2082746f154e43d6c61daffc8d967c67637d3e6ef
DCRat
880afcf0d5f116d755c14f746a93d21406bf16dbecb496e84b30143d48a926bd
DCRat
ae025809e03a89496d161b722b94d9ce5eb1f0bb74fd8c814fc82a9eac757c3f
DCRat
ae615dbfdd6c83d6d78670be7b535f817cd3adc5f50ad4684b9f1b2121523acf
DCRat
c9bfc18f2eeb1ea26c3481b8598cbac125e17220b05fd308770f4f3d69c720b8
DCRat
+ 2 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion trojan
Link:
https://tria.ge/reports/230703-y946psbe3y/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks computer location settings
Drops startup file
Executes dropped EXE
Downloads MZ/PE file
Modifies Windows Defender Real-time Protection settings
Modifies security service
UAC bypass
Unpacked files
SH256 hash:
5b6520c7b6cc8b183b108b0fdf12fe349b82fc060100e49019ac734b268456d0
MD5 hash:
064773034947221b8da5f3ffcaadd75d
SHA1 hash:
7a69046519ac6195f275c9dbe1ddd393c43f0341
Link:
https://www.unpac.me/results/9280a4f1-3d74-432c-8974-ab2e890fce39/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5b6520c7b6cc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DCRat

Executable exe 5b6520c7b6cc8b183b108b0fdf12fe349b82fc060100e49019ac734b268456d0

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/406197/
  
URLhaus
https://urlhaus.abuse.ch/url/2675893/
  
Delivery method
Distributed via web download

Comments