MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 72ae820b13a8e8f73da2770b9c0bd9d0a6a42e2ba3dcaf1279359e2b2b221b12. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 17


Intelligence 17 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 72ae820b13a8e8f73da2770b9c0bd9d0a6a42e2ba3dcaf1279359e2b2b221b12
SHA3-384 hash: 9967c9933c9b80ff0620c65330c10443da3e9421afc713ded500f0d031385c9dc1c944b7e0b62c008f3d09f99f982c8b
SHA1 hash: addc8dca076b2216c98466b5eec8f827ca1482d9
MD5 hash: 9fb32dc431fd70acfb7d1608c0535317
humanhash: washington-louisiana-sierra-wolfram
File name:0x000600000002323a-338
Download: download sample
Signature DCRat
Create hunting rule
File size:1'684'480 bytes
First seen:2023-12-30 10:54:54 UTC
Last seen:2023-12-30 10:55:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6f462fcc6b830b77fb3fef2add9dc570 (9 x CoinMiner, 3 x BitRAT, 2 x XWorm)
ssdeep 24576:rN+pjxSNHrO1+pz+p55/cS8jfCCnNPjf+pWE4+pwv++pu/p1X0:MpFCHrOwp6pdpWE9pypu/zE
Threatray 11 similar samples on MalwareBazaar
TLSH T12B7542E476482ED8C062CE18B746B9B56DA15FA93A3D4935E1FCBD018B3FD08578C18B
TrID 38.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
15.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
11.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.5% (.EXE) Win32 Executable (generic) (4505/5/1)
4.8% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 06276565593b9e4c (2 x DCRat, 1 x AsyncRAT, 1 x Formbook)
Reporter e24111111111111
Tags:DCRat exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
285
Origin country :
GR GR
Vendor Threat Intelligence
Malware family:
asyncrat
Create hunting rule
ID:
1
File name:
c8dd8464008d24fe02938509eb3163f09749e1c76bff6dcfd25b1d3193357419.exe
Verdict:
Malicious activity
Analysis date:
2023-12-30 11:18:42 UTC
Tags:
evasion xworm asyncrat
Link:
https://app.any.run/tasks/e016738c-992e-42f2-8a5c-984235c68635

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a file
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a file in the Windows directory
Creating a file in the %temp% directory
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Creating a window
DNS request
Sending an HTTP GET request
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
coinminer lolbin packed shell32
Link:
https://www.filescan.io/uploads/658ff707a6bc59352f323702/reports/fb803900-dbfa-4ffa-9ccb-7330c6ad27c7/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/72ae820b13a8e8f73da2770b9c0bd9d0a6a42e2ba3dcaf1279359e2b2b221b12
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bef47859-51ec-449b-9b99-f712d4e9fc52
Result
Threat name:
AsyncRAT, DcRat, XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1368230
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Drops PE files with benign system names
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Potential malicious VBS script found (has network functionality)
Protects its processes via BreakOnTermination flag
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected DcRat
Yara detected Generic Downloader
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1368230 Sample: 0x000600000002323a-338.exe Startdate: 30/12/2023 Architecture: WINDOWS Score: 100 41 maxcare.app 2->41 43 ip-api.com 2->43 45 fvia.app 2->45 55 Multi AV Scanner detection for domain / URL 2->55 57 Malicious sample detected (through community Yara rule) 2->57 59 Antivirus detection for URL or domain 2->59 61 15 other signatures 2->61 8 0x000600000002323a-338.exe 3 10 2->8         started        signatures3 process4 file5 33 C:\Users\user\AppData\Roaming\ship.exe, PE32 8->33 dropped 35 C:\Users\user\AppData\Roaming\ntoskrn.exe, PE32 8->35 dropped 37 C:\Users\user\AppData\...\WindowsSecurity.exe, PE32 8->37 dropped 39 6 other malicious files 8->39 dropped 67 Potential malicious VBS script found (has network functionality) 8->67 69 Encrypted powershell cmdline option found 8->69 71 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 8->71 12 Registry Editor.exe 1 8->12         started        15 WindowsSecurity.exe 14 2 8->15         started        18 dow.exe 1 8->18         started        21 7 other processes 8->21 signatures6 process7 dnsIp8 73 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 12->73 75 Writes to foreign memory regions 12->75 77 Allocates memory in foreign processes 12->77 79 Injects a PE file into a foreign processes 12->79 23 RegAsm.exe 12->23         started        51 ip-api.com 208.95.112.1, 49730, 80 TUT-ASUS United States 15->51 81 Antivirus detection for dropped file 15->81 83 Multi AV Scanner detection for dropped file 15->83 85 Machine Learning detection for dropped file 15->85 87 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 15->87 27 WerFault.exe 15->27         started        31 C:\Windows\svchost.exe, PE32 18->31 dropped 89 Drops PE files with benign system names 18->89 53 maxcare.app 104.21.37.62, 443, 49729 CLOUDFLARENETUS United States 21->53 91 System process connects to network (likely due to code injection or exploit) 21->91 93 Windows Scripting host queries suspicious COM object (likely to drop second stage) 21->93 95 Potential dropper URLs found in powershell memory 21->95 29 conhost.exe 21->29         started        file9 signatures10 process11 dnsIp12 47 171.247.47.66, 4444, 49750, 49752 VIETEL-AS-APViettelGroupVN Viet Nam 23->47 49 fvia.app 104.21.34.141, 443, 49737, 49746 CLOUDFLARENETUS United States 23->49 63 Protects its processes via BreakOnTermination flag 23->63 65 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 23->65 signatures13
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/72ae820b13a8e8f73da2770b9c0bd9d0a6a42e2ba3dcaf1279359e2b2b221b12
Detection:
dcrat
Create hunting rule
Link:
https://mwdb.cert.pl/sample/72ae820b13a8e8f73da2770b9c0bd9d0a6a42e2ba3dcaf1279359e2b2b221b12/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-05-24 19:39:21 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
18 of 22 (81.82%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=okxiecytvdupopnco4fzyc6z2ctkilrlupok6etzgwpcwkzcdmja._file
Verdict:
malicious
Similar samples:
05f076e9882c1c6b93d1c7611b616535228faa560dc48374e4be7447356cdcfb
DCRat
322225ecdeac0d8a220c363b04cab052411917311caea6edd1fec8075973fc50
DCRat
72ae820b13a8e8f73da2770b9c0bd9d0a6a42e2ba3dcaf1279359e2b2b221b12
DCRat
8d11ec5c3f5b3d5eb57e75469ffc10721aee94ae56b3d432fafdee189bb0d6e8
DCRat
aa5bbaca6d3c246a8f77026966b0c853c30f55f245a6e55b3e54697f5ff8a588
DCRat
ec2ec99d719ccde3972abb4db0ef83eae6462f4697861529ead23d304c527d29
DCRat
+ 1 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat family:xworm botnet:default rat trojan
Link:
https://tria.ge/reports/231230-mz4xeafcg2/
Behaviour
Creates scheduled task(s)
Enumerates physical storage devices
Looks up external IP address via web service
Checks computer location settings
Async RAT payload
AsyncRat
Detect Xworm Payload
Xworm
Unpacked files
SH256 hash:
f78e70be8fd8f6f3160d0c81c5b576a61269793810e3b2e7c6dee963a6f1eb15
MD5 hash:
097ec55788abb1227d217dda37e82e7b
SHA1 hash:
d7a36418f95ba8e21152325013cbf12fc426127b
Link:
https://www.unpac.me/results/798617c2-9778-4ef6-a185-5658e3d1608d/
SH256 hash:
78866f2db94d2e3fc1dd6327206dca8a9a8f95e1bfc897a4fcf7ae41e200e7bd
MD5 hash:
4d1f2166658814405c8c66163e6f3387
SHA1 hash:
2e4bf3ef1f631d6279386ea9ac570f9182f0e980
Link:
https://www.unpac.me/results/798617c2-9778-4ef6-a185-5658e3d1608d/
SH256 hash:
f65e7a6d4e2874967bdac2e38721f7141ed3778feb74a07c82f8be2716e3e925
MD5 hash:
52c6c0a31da4b83b061ebe7409edb906
SHA1 hash:
ca0b545df3948b34f81f52ac08a64acef6bf096b
Link:
https://www.unpac.me/results/798617c2-9778-4ef6-a185-5658e3d1608d/
SH256 hash:
0e3b7bce0fb97f6860d6dd9142648188dce14573725d400174882e600e64bdbd
MD5 hash:
9c19d058a894e35cad64a0dab5f5a56f
SHA1 hash:
c41047677b50f5225eea3eb94df73bb99e43e076
Detections:
APT_ArtraDownloader2_Aug19_1
Create hunting rule
Link:
https://www.unpac.me/results/798617c2-9778-4ef6-a185-5658e3d1608d/
Parent samples :
72ae820b13a8e8f73da2770b9c0bd9d0a6a42e2ba3dcaf1279359e2b2b221b12
80c91ecaab6a6a6a7a8cb3df47b111f031ea41beab9f8b8386f4c1bc8d18ff21
994ea35144e43c0074f6d60ccff844cc70d0a2b34ad9b583a7316e17aec94e2f
SH256 hash:
5d717d35b913ff6d13c408f294d899ca58bb321598426eca2bea71b9e6edd9ce
MD5 hash:
216ef921adac2bbb51ff6331f61b19e7
SHA1 hash:
90c3cfc3b78daa2bfa12d26dbd765fbfd4bc510d
Detections:
XWorm
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
MALWARE_Win_XWorm
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
MALWARE_Win_AsyncRAT
Create hunting rule
Link:
https://www.unpac.me/results/798617c2-9778-4ef6-a185-5658e3d1608d/
Parent samples :
72ae820b13a8e8f73da2770b9c0bd9d0a6a42e2ba3dcaf1279359e2b2b221b12
80c91ecaab6a6a6a7a8cb3df47b111f031ea41beab9f8b8386f4c1bc8d18ff21
994ea35144e43c0074f6d60ccff844cc70d0a2b34ad9b583a7316e17aec94e2f
8d11ec5c3f5b3d5eb57e75469ffc10721aee94ae56b3d432fafdee189bb0d6e8
c8dd8464008d24fe02938509eb3163f09749e1c76bff6dcfd25b1d3193357419
SH256 hash:
72ae820b13a8e8f73da2770b9c0bd9d0a6a42e2ba3dcaf1279359e2b2b221b12
MD5 hash:
9fb32dc431fd70acfb7d1608c0535317
SHA1 hash:
addc8dca076b2216c98466b5eec8f827ca1482d9
Link:
https://www.unpac.me/results/798617c2-9778-4ef6-a185-5658e3d1608d/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/72ae820b13a8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/72ae820b13a8e8f73da2770b9c0bd9d0a6a42e2ba3dcaf1279359e2b2b221b12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments