MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8a7de5f2291f1e9a2601a9e2c2f899637280d5780aeb94135d60dffb474deb40. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 13


Intelligence 13 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8a7de5f2291f1e9a2601a9e2c2f899637280d5780aeb94135d60dffb474deb40
SHA3-384 hash: d486e6302167969e5353334386ca97fcaedca81e4e6e9e7fdd54b6396da75fb1e528aff29ad0e615f6bf1f960c4563bf
SHA1 hash: 77fd2120a9ed75b5db3a8d1ddd93cdfc8fe8b98d
MD5 hash: b281bb876b1fcdaa80dcd99427a2bd9c
humanhash: gee-paris-echo-red
File name:archive.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:2'164'224 bytes
First seen:2024-01-22 19:30:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash dbf2cb41b81f26a6ac38e2a88ee28237 (1 x DCRat)
ssdeep 49152:8bA3YaV2w7CHLjOXspMUyCw8bJpE9cToEx:8bnW7CD6Labc9soE
Threatray 2'660 similar samples on MalwareBazaar
TLSH T105A5AE417E51CA52F0151933C6EF55188BB0AC1026ABE31B7DBA377E69223937C0DADB
TrID 76.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
16.5% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
3.0% (.EXE) Win64 Executable (generic) (10523/12/4)
1.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.2% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 00c8d0a4d0d4ec00 (2 x DCRat)
Reporter adm1n_usa32
Tags:DCRat exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
331
Origin country :
RO RO
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/472370/
Detection(s):
SecuriteInfo.com.VBS.Encrypted.Gen.UNOFFICIAL
Create hunting rule

Win.Trojan.Uztuby-9855059-0
Create hunting rule

Win.Ransomware.Clinix-9868408-0
Create hunting rule

Win.Packed.Msilmamut-9950860-0
Create hunting rule

Win.Packed.Basic-9952747-0
Create hunting rule

Win.Packed.Uztuby-9963900-0
Create hunting rule

Win.Packed.Uztuby-9969968-0
Create hunting rule

Win.Malware.Uztuby-9972880-0
Create hunting rule

Win.Trojan.DarkKomet-9976180-0
Create hunting rule

Win.Trojan.Uztuby-10010740-0
Create hunting rule

SecuriteInfo.com.Trojan.Rasftuby.Gen.14.10239.27368.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Creating a file
Running batch commands
Сreating synchronization primitives
Searching for synchronization primitives
Using the Windows Management Instrumentation requests
Launching a process
Unauthorized injection to a recently created process
Blocking a possibility to launch for the Windows Task Manager (taskmgr)
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm cmd cscript dcrat explorer fingerprint lolbin packed schtasks setupapi shdocvw shell32
Link:
https://www.filescan.io/uploads/65aec27887258803c23befef/reports/e5c2bbef-d79d-45d6-b812-127aedeb13ad/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/8a7de5f2291f1e9a2601a9e2c2f899637280d5780aeb94135d60dffb474deb40
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5fb90c6a-3d83-4dcb-8017-af4d8188c1be
Result
Threat name:
Babadeda, DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1379011
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Detected unpacking (overwrites its own PE header)
Disable Task Manager(disabletaskmgr)
Disables the Windows task manager (taskmgr)
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected Babadeda
Yara detected DCRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1379011 Sample: archive.exe Startdate: 22/01/2024 Architecture: WINDOWS Score: 100 38 ip-api.com 2->38 42 Found malware configuration 2->42 44 Malicious sample detected (through community Yara rule) 2->44 46 Antivirus detection for dropped file 2->46 48 8 other signatures 2->48 9 archive.exe 3 7 2->9         started        signatures3 process4 file5 32 C:\Users\user\AppData\Local\...\~ZY2FAB.tmp, PE32 9->32 dropped 34 C:\Agentruntimeperfdhcp\dhcpcommon.exe, PE32 9->34 dropped 36 C:\...\feK7ReLHyHDhXewsN5x2bH.vbe, data 9->36 dropped 62 Detected unpacking (overwrites its own PE header) 9->62 13 wscript.exe 1 9->13         started        16 ~ZY2FAB.tmp 7 9->16         started        signatures6 process7 signatures8 64 Windows Scripting host queries suspicious COM object (likely to drop second stage) 13->64 18 cmd.exe 1 13->18         started        66 Multi AV Scanner detection for dropped file 16->66 20 cmd.exe 1 16->20         started        process9 process10 22 dhcpcommon.exe 14 3 18->22         started        26 reg.exe 1 1 18->26         started        28 conhost.exe 18->28         started        30 conhost.exe 20->30         started        dnsIp11 40 ip-api.com 208.95.112.1, 49703, 80 TUT-ASUS United States 22->40 50 Antivirus detection for dropped file 22->50 52 Multi AV Scanner detection for dropped file 22->52 54 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 22->54 56 Machine Learning detection for dropped file 22->56 58 Disable Task Manager(disabletaskmgr) 26->58 60 Disables the Windows task manager (taskmgr) 26->60 signatures12
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/8a7de5f2291f1e9a2601a9e2c2f899637280d5780aeb94135d60dffb474deb40
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8a7de5f2291f1e9a2601a9e2c2f899637280d5780aeb94135d60dffb474deb40/
Threat name:
ByteCode-MSIL.Backdoor.DCRat
Create hunting rule
Status:
Malicious
First seen:
2024-01-21 20:27:06 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
28 of 38 (73.68%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rj66l4rjd4pjujqbvhrmf6ezmnzibvlyblvzie25mdp7wr2n5naa._file
Verdict:
malicious
Similar samples:
362b245742cfe47a741c851c67b872aa21db3f32b2bff78640e578b7e2cbeb11
DCRat
4729c95c7b1da0c7176d100bb5fccea3b1c467f295e37677fab3b50d41ff1ff0
DCRat
57635a3e961e37e2193a038c9e90dd73b6841c1b316f8d128137a80fba61495c
DCRat
6f3aaa08baa55d61dd0e518e6847e47c323f2d3dcbaabe2e3c5299ebb7138b7e
DCRat
71898823e2f461b674aa28804eedc70188b30535a366c7fa60decc23f8c851dc
DCRat
786bd0f69b66c376235bcdb464e8b725848d7dc35bd2a76f863c5bd043a12063
DCRat
92c824e81461ae24e514c4fee0d34a187cde7037d2ecddcbfa6bc89e8fdc5c4c
DCRat
e7abd2759610e70543aa0ad745c99b23e9b090ef383bbd88bd8ed7e0a80b7695
DCRat
f816ea850eca0a23b99541054eddc2ac01971bb502dcf1231dc02ed58282365f
DCRat
+ 2'650 additional samples on MalwareBazaar
Result
Malware family:
dcrat
Create hunting rule
Score:
  10/10
Tags:
family:dcrat evasion infostealer rat
Link:
https://tria.ge/reports/240122-x8cvdsdbc4/
Behaviour
Modifies registry class
Modifies registry key
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Disables Task Manager via registry modification
DCRat payload
DcRat
Unpacked files
SH256 hash:
c09d7b1ecf9dd4917c8f081132ac5c533bc326959505d7364aa546d4822e5c9c
MD5 hash:
60b6a611559a27f113b51c76733f26d0
SHA1 hash:
6dc70a539f0d1c8b9a84edef26c2bdf82bbfa098
Link:
https://www.unpac.me/results/6dbad6c8-07c0-4b46-91d2-02a6d5660d6b/
SH256 hash:
2d25d54ade4bd254f217c8110cf7f96656767c3e0c5dcf6dc0c30b5f8ceeffa7
MD5 hash:
5417d9eab3e78a7d968e00eab0e33100
SHA1 hash:
b9135bd12a4db8cd61bef519d6d70408086c0aac
Detections:
SUSP_Imphash_Mar23_3
Create hunting rule
Link:
https://www.unpac.me/results/6dbad6c8-07c0-4b46-91d2-02a6d5660d6b/
SH256 hash:
71ddb2a994a4b846dd27d62f9281f613496f98a4ae47fc4e04448b810041685c
MD5 hash:
125eb12c468c3cba8e40b264c47bea07
SHA1 hash:
417e1677b2f8c56d0bddee9d25f8eca17172fbb3
Link:
https://www.unpac.me/results/6dbad6c8-07c0-4b46-91d2-02a6d5660d6b/
SH256 hash:
8a7de5f2291f1e9a2601a9e2c2f899637280d5780aeb94135d60dffb474deb40
MD5 hash:
b281bb876b1fcdaa80dcd99427a2bd9c
SHA1 hash:
77fd2120a9ed75b5db3a8d1ddd93cdfc8fe8b98d
Link:
https://www.unpac.me/results/6dbad6c8-07c0-4b46-91d2-02a6d5660d6b/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8a7de5f2291f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8a7de5f2291f1e9a2601a9e2c2f899637280d5780aeb94135d60dffb474deb40

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SelfExtractingRAR
Create hunting rule
Author:Xavier Mertens
Description:Detects an SFX archive with automatic script execution
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/472370/

Comments