MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 83923b2bb65492892ef63d18dff00654431b27cd409d8fd67d4ba0eadc052c6a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 83923b2bb65492892ef63d18dff00654431b27cd409d8fd67d4ba0eadc052c6a
SHA3-384 hash: 0838d0247fd4cab1bb480f447c2b9155033a20ccbadda941e9ef05cbb34428d1cae2364d8bb9fbef45a7cab58b603ae9
SHA1 hash: fc59c4232058744b1495b3d546a5d4cba11d79f7
MD5 hash: a63b54e6077c5d034c060adc869e8c3c
humanhash: wisconsin-magnesium-early-twenty
File name:a63b54e6077c5d034c060adc869e8c3c.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:169'472 bytes
First seen:2021-07-14 13:50:32 UTC
Last seen:2021-07-14 15:07:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b9778d941dd7a5b9a7e6b833506dbeae (1 x DCRat)
ssdeep 3072:afwr84wFujfH3mHrFLWYPNWJyWMQs6N0YjOpmlP2MZ:Z+0fcRzdmjOpSV
Threatray 2'504 similar samples on MalwareBazaar
TLSH T157F36C422381CB69D16FD3F1B592C1864533ABD6D613B20FB286AE6109E93D4D5C3ECB
Reporter abuse_ch
Tags:DCRat exe RAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
122
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a63b54e6077c5d034c060adc869e8c3c.exe
Verdict:
Suspicious activity
Analysis date:
2021-07-14 14:09:36 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/794318b0-19ea-4b72-96ee-47040d35a957

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/171673/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.1102.17781.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5d69c900-caeb-4af1-bdcb-b137a6133361
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/816253
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Drops PE files with benign system names
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Sigma detected: Schedule system process
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 448660 Sample: DjRrfehqoJ.exe Startdate: 14/07/2021 Architecture: WINDOWS Score: 92 46 Sigma detected: Suspect Svchost Activity 2->46 48 Sigma detected: Schedule system process 2->48 50 .NET source code contains potential unpacker 2->50 52 2 other signatures 2->52 11 DjRrfehqoJ.exe 2 2->11         started        process3 file4 44 C:\Users\user\Desktop\43534.exe, PE32 11->44 dropped 14 43534.exe 1 11->14         started        process5 signatures6 60 Antivirus detection for dropped file 14->60 62 Machine Learning detection for dropped file 14->62 64 Drops PE files with benign system names 14->64 66 Injects a PE file into a foreign processes 14->66 17 43534.exe 6 14->17         started        process7 file8 40 C:\Users\user\AppData\Roaming\svchost.exe, PE32 17->40 dropped 42 C:\Users\user\AppData\...\tmp2A8F.tmp.bat, DOS 17->42 dropped 20 cmd.exe 1 17->20         started        22 cmd.exe 1 17->22         started        process9 signatures10 25 svchost.exe 20->25         started        28 conhost.exe 20->28         started        30 timeout.exe 1 20->30         started        54 Uses schtasks.exe or at.exe to add and modify task schedules 22->54 32 conhost.exe 22->32         started        34 schtasks.exe 1 22->34         started        process11 signatures12 56 Antivirus detection for dropped file 25->56 58 Machine Learning detection for dropped file 25->58 36 svchost.exe 25->36         started        process13 process14 38 WerFault.exe 36->38         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/83923b2bb65492892ef63d18dff00654431b27cd409d8fd67d4ba0eadc052c6a/
Threat name:
ByteCode-MSIL.Backdoor.Crysan
Create hunting rule
Status:
Malicious
First seen:
2021-07-14 13:51:04 UTC
AV detection:
11 of 28 (39.29%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qojdwk5wksjislxwhumn74agkrbrwj6nicoy7vt5joqovxaffrva._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
064cad19bee4580a82bc4ee3558e8510100ebba8da83720749f553cc411d5cb3
DCRat
41db78fad794ca70ba68d9225112a0a8f6d50799effca89a88736e3df0c925ae
DCRat
4f4a33f70099855f5f503716515f388da3a5daa1e2fac59ec6c881e89ef7d072
DCRat
69e75e57bc4a09c9a3d7726b28423d10df5b0224177ebfa43930668efd0af5da
DCRat
6f0f5ac2a08c4746186a79f3afe48a614b1ed180ce830058805354bfa8cb1e8e
DCRat
7443a98b0d8781ce10c495383c3aecfd6cc0a7f3e6d9c0d9638c8fd5e2f5264e
DCRat
a288c4d3129a5fbc475d58916a465a9e43ba804a23dd6aa6726947c4ce9081bf
DCRat
aa6206082575919b3b0ea11c5430082a8b6b2251ca4d4aeedfe663ca250fdafb
DCRat
d98fd8189273e4f4fcbb8b1d5b32459b5d7adcd6eaff9efef0c32ace0fdfab0e
DCRat
db6707dfd3c466dd3265628f922abb9908916f58ee47d9575cc45233a858e3fd
DCRat
+ 2'494 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat rat
Link:
https://tria.ge/reports/210714-gh2n2qs2aa/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Executes dropped EXE
Async RAT payload
AsyncRat
Unpacked files
SH256 hash:
a6185f58790846070486de3fd087cbb82814b137b09085b739a26ecd654ee019
MD5 hash:
a23e903c7b7b95854539551a4b6c506c
SHA1 hash:
67e4d25377f1fade7a1435c66932206034473b45
Link:
https://www.unpac.me/results/97db9477-e75c-4765-ba9c-8511cea2fd06/
SH256 hash:
fa522d6ecd02f49a9052b5bad734c9128de1ee910d5e62fba8c46f9b6af16d46
MD5 hash:
1df72d247a5f617d62e01ebc26dd8e4e
SHA1 hash:
7dd0187a0ee55e32dc520591aecd1179e96ef5bd
Link:
https://www.unpac.me/results/97db9477-e75c-4765-ba9c-8511cea2fd06/
SH256 hash:
83923b2bb65492892ef63d18dff00654431b27cd409d8fd67d4ba0eadc052c6a
MD5 hash:
a63b54e6077c5d034c060adc869e8c3c
SHA1 hash:
fc59c4232058744b1495b3d546a5d4cba11d79f7
Link:
https://www.unpac.me/results/97db9477-e75c-4765-ba9c-8511cea2fd06/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/83923b2bb65492892ef63d18dff00654431b27cd409d8fd67d4ba0eadc052c6a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/171673/

Comments