MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5d355666219db06acc93d01c0973c0c0a5db514b5af2c43dd7d97075d7b78914. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 12


Intelligence 12 IOCs YARA 6 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5d355666219db06acc93d01c0973c0c0a5db514b5af2c43dd7d97075d7b78914
SHA3-384 hash: a222e8fc140e9b8999ec28735e19201d533e35fff8a4e7f170eaa83754ea4cfdf9b7b3873d2f73343d6020757ae85899
SHA1 hash: 0fe8956f681aac08e2138c015d75ed8e99e6e05f
MD5 hash: 61c1c1ea4c4ffb7fa6c1c707c8d41c61
humanhash: emma-utah-double-winner
File name:61c1c1ea4c4ffb7fa6c1c707c8d41c61
Download: download sample
Signature DCRat
Create hunting rule
File size:67'072 bytes
First seen:2021-11-29 04:48:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 1536:Qno9HWyxI4/+ZnWSoaR5+k4N/1bbstxRtqDgBasFZpqKmY7:QnoxI4WZZR4k41bbstygXFCz
Threatray 1'799 similar samples on MalwareBazaar
TLSH T10B635B003798C926E6AD86B4BCF2554106B4D23B2102DA5F7CC454DB9BAFFC64A137EE
Reporter zbetcheckin
Tags:32 DCRat exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
198
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://51.255.48.204/ClientElizaBot.exe
Verdict:
Malicious activity
Analysis date:
2021-11-29 02:17:46 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c9d9b990-e41b-441b-a1f9-5f2b7c43603d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Packed.Samas-8025724-0
Create hunting rule

Win.Packed.Razy-9807129-0
Create hunting rule

Win.Malware.Generickdz-9865912-0
Create hunting rule

Win.Malware.Enigmaprotector-9874743-0
Create hunting rule

Win.Malware.Enigmaprotector-9881027-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
DNS request
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Creating a file
Launching a process
Creating a process from a recently created file
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug anti-vm evasive hacktool njrat obfuscated packed rat
Link:
https://www.filescan.io/uploads/61a45b87effcae2254f4210d/reports/7c327ff2-a0d1-4e33-8b9b-c00da30797cd/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c865d02a-9be1-4624-8aef-02724248d054
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/897682
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AsyncRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 530160 Sample: TuxIXubpF7 Startdate: 29/11/2021 Architecture: WINDOWS Score: 100 35 Found malware configuration 2->35 37 Antivirus / Scanner detection for submitted sample 2->37 39 Multi AV Scanner detection for submitted file 2->39 41 3 other signatures 2->41 7 msvc.exe 2 2->7         started        11 TuxIXubpF7.exe 7 2->11         started        process3 dnsIp4 33 74.119.195.9, 4821, 49708, 49711 MOVECLICKLLCUS United States 7->33 43 Antivirus detection for dropped file 7->43 45 Multi AV Scanner detection for dropped file 7->45 47 Machine Learning detection for dropped file 7->47 29 C:\Users\user\AppData\Roaming\msvc.exe, PE32 11->29 dropped 31 C:\Users\user\AppData\...\TuxIXubpF7.exe.log, ASCII 11->31 dropped 14 cmd.exe 1 11->14         started        17 cmd.exe 1 11->17         started        file5 signatures6 process7 signatures8 49 Uses schtasks.exe or at.exe to add and modify task schedules 14->49 19 conhost.exe 14->19         started        21 schtasks.exe 1 14->21         started        23 msvc.exe 3 17->23         started        25 conhost.exe 17->25         started        27 timeout.exe 1 17->27         started        process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5d355666219db06acc93d01c0973c0c0a5db514b5af2c43dd7d97075d7b78914/
Threat name:
ByteCode-MSIL.Backdoor.AsyncRAT
Create hunting rule
Status:
Malicious
First seen:
2021-11-28 23:12:26 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
30 of 45 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lu2vmzrbtwygvtet2aoas46aycs5wuklllzmipox3fyhlv5xreka._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
114c890f736efbfef6a5d5bfe69d10f3b98b5cf919b25536bff9dd7ba2738fc6
DCRat
2a9eee2d4a689729f8aa6d173eb41948a79595c5b95b181908c38aba0271e7ff
DCRat
402d6617014b320ae65709f7029fd2cf3661f5d69932abfa2e2e770236718d65
DCRat
4be7c85a7b9d5a472831cab1e15aa7b81547f13b0167af8a31cfe958a2069ebc
DCRat
4e16c7179564c280431462f14d51eb4da50bbc1524b4961b289a0ad0fb96ed35
DCRat
5111624119a7adb096dffe411fd8c44d7ca928f93dbc8689c21af993a20493c7
DCRat
7818fc1e2f9e7df1ba5688ddc87f54b59b3e12c3d2c60393b50f9b56447ac2ab
DCRat
aa13ee7937305e18ac2da00c90a73476f802ba0ae72863a811dd7bcb29eff095
DCRat
fa9e3e8282175677e1bf926361df6aa60510a6ba8d3d8857d9c9cd850d971d60
DCRat
+ 1'789 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat botnet:eliza rat
Link:
https://tria.ge/reports/211129-fe5jwaeef5/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Executes dropped EXE
Async RAT payload
AsyncRat
Malware Config
C2 Extraction:
74.119.195.9:4821
Unpacked files
SH256 hash:
5d355666219db06acc93d01c0973c0c0a5db514b5af2c43dd7d97075d7b78914
MD5 hash:
61c1c1ea4c4ffb7fa6c1c707c8d41c61
SHA1 hash:
0fe8956f681aac08e2138c015d75ed8e99e6e05f
Link:
https://www.unpac.me/results/5e027577-a782-4df4-9e27-454431500fa0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5d355666219db06acc93d01c0973c0c0a5db514b5af2c43dd7d97075d7b78914

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Fody
Create hunting rule
Author:ditekSHen
Description:Detects executables manipulated with Fody
Rule name:INDICATOR_SUSPICIOUS_EXE_DcRatBy
Create hunting rule
Author:ditekSHen
Description:Detects executables containing the string DcRatBy
Rule name:INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
Create hunting rule
Author:ditekSHen
Description:Detects executables attemping to enumerate video devices using WMI
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DCRat

Executable exe 5d355666219db06acc93d01c0973c0c0a5db514b5af2c43dd7d97075d7b78914

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1830812/

Comments


Avatar
zbet commented on 2021-11-29 04:48:03 UTC

url : hxxp://51.255.48.204/ClientElizaBot.exe