MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5c08819a0402013e935fb78e6349ea1a798c53db14e482267deaf183b06dc436. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5c08819a0402013e935fb78e6349ea1a798c53db14e482267deaf183b06dc436
SHA3-384 hash: 4d3f7e26c2db1a81e3f503b2a0a78a47bd0554b0437f82a0325292f23950ff68d726eedbeaf64beb76bbf3dc6cf32dff
SHA1 hash: 546fae4db8ee0b84ad164056efaed8e17cce6206
MD5 hash: 999142f2751bd4d2d1da9a2d558029d3
humanhash: lamp-dakota-cold-skylark
File name:999142f2751bd4d2d1da9a2d558029d3
Download: download sample
Signature DCRat
Create hunting rule
File size:497'664 bytes
First seen:2021-07-29 11:16:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:vqqDLOAbTNroWmxxyznX08XbDYAQU5s6rObagKZ961DkDgdhUxTnwpdHQNqPzGQ3:yqnOq0UXPDYAR5sUM1DGb6HZNwP
Threatray 31 similar samples on MalwareBazaar
TLSH T1A0B47B4A37F8AE15E0FF4775E4F15DAE87B1B812A6B2EF4F09C552A918237009C40B67
Reporter zbetcheckin
Tags:32 DCRat exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
107
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/174985/
Detection(s):
Win.Packed.Uztuby-9853721-0
Create hunting rule

Win.Packed.Uztuby-9864800-0
Create hunting rule

Win.Packed.Uztuby-9869253-0
Create hunting rule

Win.Packed.Uztuby-9873584-0
Create hunting rule

Win.Packed.Basic-9876200-0
Create hunting rule

ditekSHen.MALWARE.Win.Trojan.AsyncRAT.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3869fe1a-253a-4fd8-a4ce-ebeca589710f
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/823752
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates an autostart registry key pointing to binary in C:\Windows
Creates multiple autostart registry keys
Creates processes via WMI
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Yara detected DCRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 456164 Sample: 7U3pXKiyjL Startdate: 29/07/2021 Architecture: WINDOWS Score: 100 42 api.samp-loader.ru 2->42 44 Found malware configuration 2->44 46 Antivirus detection for URL or domain 2->46 48 Multi AV Scanner detection for dropped file 2->48 50 6 other signatures 2->50 8 7U3pXKiyjL.exe 10 38 2->8         started        12 MusNotifyIcon.exe 3 2->12         started        14 SearchUI.exe 3 2->14         started        16 10 other processes 2->16 signatures3 process4 dnsIp5 30 C:\Windows\SystemApps\...\SearchUI.exe, PE32 8->30 dropped 32 C:\Windows\System32\...\MusNotifyIcon.exe, PE32 8->32 dropped 34 C:\Windows\System32\bcdsrv\spoolsv.exe, PE32 8->34 dropped 36 13 other malicious files 8->36 dropped 54 Detected unpacking (overwrites its own PE header) 8->54 56 Creates multiple autostart registry keys 8->56 58 Creates an autostart registry key pointing to binary in C:\Windows 8->58 70 2 other signatures 8->70 19 cmd.exe 1 8->19         started        60 Multi AV Scanner detection for dropped file 12->60 62 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 12->62 64 Machine Learning detection for dropped file 12->64 66 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 12->66 38 api.samp-loader.ru 95.181.163.93, 49729, 49730, 49731 RACKTECHRU Russian Federation 16->38 40 192.168.2.1 unknown unknown 16->40 68 Antivirus detection for dropped file 16->68 file6 signatures7 process8 signatures9 52 Drops executables to the windows directory (C:\Windows) and starts them 19->52 22 w32tm.exe 1 19->22         started        24 conhost.exe 19->24         started        26 chcp.com 1 19->26         started        28 backgroundTaskHost.exe 19->28         started        process10
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Spy
Create hunting rule
Status:
Malicious
First seen:
2021-07-29 02:48:19 UTC
File Type:
PE (.Net Exe)
AV detection:
27 of 46 (58.70%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
106c12a3e09c4585808382c93be13f5b60f7cd86e5a28d638d9de5f6662f3609
DCRat
11a153c8afaa36b8af99ceb85f50b7b923ddacb921dfa9888e0c49d795933075
DCRat
1294a91cd45ed0dc87531245654e961b6aa1b399ca32a33048a04ab7993b16b7
DCRat
1f2c235e93529aff918ec8634035b3069992ebb16ef8042903edd07b0a21db5b
DCRat
88771c803925c9b53a6eeedbf38e34bbb20cc6ab5861ca8789b1efbdda0cbbb2
DCRat
aca79bb201dac22b64bdae888935645cf27fcbc49411c8972761ef6ed2e3cfd2
DCRat
c310aca2959669fdb69fdec4c1336353d84b7ae9b8767a1086be3591b4af32f0
DCRat
e3df75eda0f3fff88f4ab98a687f7ec50b1adde27dbb1bb0947f96892eebf493
DCRat
ff8bcaa8c3a792db0f191e003d3c72a3dc532f849e2f495254c6252e5b61382c
DCRat
+ 21 additional samples on MalwareBazaar
Result
Malware family:
dcrat
Create hunting rule
Score:
  10/10
Tags:
family:dcrat infostealer persistence rat
Link:
https://tria.ge/reports/210729-wxkkn5xlxs/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Executes dropped EXE
DCRat Payload
DcRat
Process spawned unexpected child process
Unpacked files
SH256 hash:
e293f4173b2c9b4dc4369de10f5240a4e824de1de12b605d8dcfc7ffe8588c9a
MD5 hash:
24a2f3dfbdd94a7084b0132ae71ffdb0
SHA1 hash:
729cd707106c81af7a1a44f32aed2bd42eabf365
Link:
https://www.unpac.me/results/aa13a837-7cd3-4730-9ea8-9aa238e9a7d0/
SH256 hash:
5c08819a0402013e935fb78e6349ea1a798c53db14e482267deaf183b06dc436
MD5 hash:
999142f2751bd4d2d1da9a2d558029d3
SHA1 hash:
546fae4db8ee0b84ad164056efaed8e17cce6206
Link:
https://www.unpac.me/results/aa13a837-7cd3-4730-9ea8-9aa238e9a7d0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5c08819a0402013e935fb78e6349ea1a798c53db14e482267deaf183b06dc436

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DCRat

Executable exe 5c08819a0402013e935fb78e6349ea1a798c53db14e482267deaf183b06dc436

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1489706/
Cape
Cape
https://www.capesandbox.com/analysis/174985/

Comments


Avatar
zbet commented on 2021-07-29 11:16:47 UTC

url : hxxp://194.226.139.141/DhcpcommonFontsession.exe