MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 85641fdd05980c31b2e8d6d3f6218391dd089780df85a53e24a1f3f0abdf6a24. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 10


Intelligence 10 IOCs YARA 7 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 85641fdd05980c31b2e8d6d3f6218391dd089780df85a53e24a1f3f0abdf6a24
SHA3-384 hash: ba0a7509d7b7f4860451d46ef8843c034ab234fd5a12a1f5ae0a0f9931520c9d3e7a264216a0c0b0776d49d0a7dba689
SHA1 hash: ee5ac1e22e294660bef79fd0f836fe851f362609
MD5 hash: b526f0a2b32de1e6685fd3bade38f257
humanhash: march-nevada-alaska-romeo
File name:b526f0a2b32de1e6685fd3bade38f257
Download: download sample
Signature DCRat
Create hunting rule
File size:555'648 bytes
First seen:2021-11-11 16:53:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 6144:PDd4WUPG/AMDnBZDyqOSOrD57DEbmQlaCBHFSiSREeYGojAg/0z1OmB9ukaNfE:PDd4nG/AMzBlONlDEbm/1Yi1OwIka6
Threatray 7'677 similar samples on MalwareBazaar
TLSH T1F9C4CF413B58CFA2F19F7B3AE90016618774B343DA2EDF489F48A9CC3892FC45666257
Reporter zbetcheckin
Tags:32 DCRat exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
132
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://we.tl/t-ohTUfP028Y
Verdict:
Malicious activity
Analysis date:
2021-11-11 11:08:36 UTC
Tags:
exploit CVE-2017-11882 loader
Link:
https://app.any.run/tasks/c1d0917a-6bf8-4697-97cf-187c6e7ceb14

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/205085/
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/618d4ab1a00afa9663a42cee/reports/a024bb62-4a38-4ef6-9690-de96a57df750/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2e16ff26-ba37-4ce6-a99a-95189b603155
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/887623
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Creates an autostart registry key pointing to binary in C:\Windows
Disables UAC (registry)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Bypass UAC via CMSTP
Sigma detected: Powershell Defender Exclusion
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 520098 Sample: 4vo6jE1nlG Startdate: 11/11/2021 Architecture: WINDOWS Score: 100 68 Multi AV Scanner detection for submitted file 2->68 70 Yara detected UAC Bypass using CMSTP 2->70 72 Yara detected AntiVM3 2->72 74 7 other signatures 2->74 7 4vo6jE1nlG.exe 8 16 2->7         started        11 svchost.exe 2->11         started        13 svchost.exe 2->13         started        15 3 other processes 2->15 process3 file4 48 C:\Windows\Microsoft.NET\...\svchost.exe, PE32 7->48 dropped 50 C:\Windows\...\svchost.exe:Zone.Identifier, ASCII 7->50 dropped 52 C:\Users\user\AppData\...\4vo6jE1nlG.exe.log, ASCII 7->52 dropped 62 3 other files (none is malicious) 7->62 dropped 76 Creates an autostart registry key pointing to binary in C:\Windows 7->76 78 Adds a directory exclusion to Windows Defender 7->78 80 Disables UAC (registry) 7->80 82 Drops PE files with benign system names 7->82 17 AdvancedRun.exe 7->17         started        20 powershell.exe 25 7->20         started        22 AdvancedRun.exe 1 7->22         started        30 13 other processes 7->30 54 C:\Windows\Temp\wb5vwprh.inf, Windows 11->54 dropped 56 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 11->56 dropped 84 Multi AV Scanner detection for dropped file 11->84 24 AdvancedRun.exe 11->24         started        58 C:\Windows\Temp\vozyoift.inf, Windows 13->58 dropped 60 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 13->60 dropped 26 AdvancedRun.exe 13->26         started        28 consent.exe 15->28         started        signatures5 process6 dnsIp7 64 192.168.2.1 unknown unknown 17->64 32 AdvancedRun.exe 17->32         started        34 conhost.exe 20->34         started        36 AdvancedRun.exe 22->36         started        38 AdvancedRun.exe 24->38         started        66 194.5.97.54, 4449, 49749, 49750 DANILENKODE Netherlands 30->66 40 AdvancedRun.exe 30->40         started        42 conhost.exe 30->42         started        44 conhost.exe 30->44         started        46 4 other processes 30->46 process8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/85641fdd05980c31b2e8d6d3f6218391dd089780df85a53e24a1f3f0abdf6a24/
Threat name:
ByteCode-MSIL.Trojan.GenSteal
Create hunting rule
Status:
Malicious
First seen:
2021-11-10 15:50:18 UTC
AV detection:
15 of 28 (53.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qvsb7xiftagddmxi23j7mimdshoqrf4a36c2kpreuhz7bk67nisa._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
168f62c6ea11a386469563c360ee5517da31015e774ccc9c8ba3d1bd4b4f45ef
DCRat
19247536d1bb8035395a3a2bca3ecb17c36ddf48fee86a00d9d6e3e4bf622f35
DCRat
83923b2bb65492892ef63d18dff00654431b27cd409d8fd67d4ba0eadc052c6a
DCRat
8d49f4d62f32381186bb74d032803832867dc89aa8b9f039db8417da8f721a66
DCRat
959e3ca2579b6be8a11c06763c5a34ec118abc96d869e25bef06319c92da465e
DCRat
d0ba38de7fbef35868d1f321a5d193c8c3689d167e9c10af7075fd67903347d2
DCRat
dd5383ed9704546324f7e97d31b76e38c2b38b9600fd36fdba920af791488848
DCRat
f8fb3109639b476089103cd8a0afe01d3f015453c25ecb4f46bf1be8f8b04579
DCRat
+ 7'667 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat botnet:venom clients evasion persistence rat trojan
Link:
https://tria.ge/reports/211111-vejpqsbfh8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Loads dropped DLL
Windows security modification
Executes dropped EXE
Async RAT payload
Nirsoft
AsyncRat
Modifies Windows Defender Real-time Protection settings
Turns off Windows Defender SpyNet reporting
UAC bypass
Windows security bypass
Malware Config
C2 Extraction:
194.5.97.54:4449
Unpacked files
SH256 hash:
8421a6c2ba57e2d9b0410c18634248ee59b799d3192e0b79168435ca438b36df
MD5 hash:
6ff57c44279e40c6749b44dd85f858b0
SHA1 hash:
f57dd6335fc86ebaab2c541b188dfee9a59576d6
Link:
https://www.unpac.me/results/6c53e7d0-2c2b-432e-a879-825a9cdce708/
SH256 hash:
85641fdd05980c31b2e8d6d3f6218391dd089780df85a53e24a1f3f0abdf6a24
MD5 hash:
b526f0a2b32de1e6685fd3bade38f257
SHA1 hash:
ee5ac1e22e294660bef79fd0f836fe851f362609
Link:
https://www.unpac.me/results/6c53e7d0-2c2b-432e-a879-825a9cdce708/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/85641fdd0598/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/85641fdd05980c31b2e8d6d3f6218391dd089780df85a53e24a1f3f0abdf6a24

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Fody
Create hunting rule
Author:ditekSHen
Description:Detects executables manipulated with Fody
Rule name:INDICATOR_SUSPICIOUS_EXE_DcRatBy
Create hunting rule
Author:ditekSHen
Description:Detects executables containing the string DcRatBy
Rule name:INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
Create hunting rule
Author:ditekSHen
Description:Detects executables attemping to enumerate video devices using WMI
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DCRat

Executable exe 85641fdd05980c31b2e8d6d3f6218391dd089780df85a53e24a1f3f0abdf6a24

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/205085/
  
URLhaus
https://urlhaus.abuse.ch/url/1776927/

Comments


Avatar
zbet commented on 2021-11-11 16:53:53 UTC

url : hxxp://samsung-tv.tk/seminude.exe