MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8b75dc7056d22cf6b52d10867d70d86ab0a11cb953bc542d63c7f70558b93645. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8b75dc7056d22cf6b52d10867d70d86ab0a11cb953bc542d63c7f70558b93645
SHA3-384 hash: c7cb85a370d256924df201f3f2920a062f8998fae8f835cc8e3d95e7a4bd745fd227ad8da83bd44c8d4161267cfbd5d2
SHA1 hash: fa2baa98688bdbf8641e443c90fcb244330de041
MD5 hash: 5991f6529039369b6676b8bd5aaae84e
humanhash: aspen-pluto-carpet-shade
File name:1614.scr
Download: download sample
Signature DCRat
Create hunting rule
File size:130'085 bytes
First seen:2022-08-18 10:56:09 UTC
Last seen:2022-08-18 12:15:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'598 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 1536:xx9DjwWm3xtHvToPMgCD7+lbbbbbbbbbbbbbbbbbbbbbbbbbA6:x/YhtHboPMgOZ6
Threatray 4'043 similar samples on MalwareBazaar
TLSH T1C4D3A3B1B2F1E235C4185672A0DA3C7043F56D86DD31A5A1EE8CF6D81931EF26F42A4B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 10808a8c8c8a8010 (77 x Formbook, 51 x AgentTesla, 44 x RemcosRAT)
Reporter pr0xylife
Tags:DCRat exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
346
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1614.scr
Verdict:
Suspicious activity
Analysis date:
2022-08-18 10:59:23 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f3b0d395-51ca-4303-8d7c-e74b19f3b724

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/299577/
Detection(s):
SecuriteInfo.com.Trojan.DownloaderNET.190.13824.9273.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Creating a window
Searching for synchronization primitives
Sending a custom TCP request
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Launching a process
Creating a file in the Program Files subdirectories
Sending a UDP request
Query of malicious DNS domain
Unauthorized injection to a recently created process
Sending an HTTP GET request to an infection source
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated overlay packed
Link:
https://www.filescan.io/uploads/62fe1b3d2093f7352869c031/reports/f2762879-d102-430f-9aea-cb1ad57137ea/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4494a8ca-6f31-4abf-9697-db48808e9609
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1053751
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates processes via WMI
Drops PE files with benign system names
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected DCRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 686268 Sample: 1614.scr Startdate: 18/08/2022 Architecture: WINDOWS Score: 100 52 Snort IDS alert for network traffic 2->52 54 Antivirus detection for URL or domain 2->54 56 Antivirus detection for dropped file 2->56 58 8 other signatures 2->58 9 1614.scr 14 5 2->9         started        13 fontdrvhost.exe 2->13         started        16 rCUDbMtRVlcnKxdfoVmebbITVIm.exe 3 2->16         started        18 18 other processes 2->18 process3 dnsIp4 50 csomundibash.ru 45.130.41.74, 49752, 80 BEGET-ASRU Russian Federation 9->50 38 C:\Users\user\AppData\Local\...\filename.exe, PE32 9->38 dropped 40 C:\Users\user\AppData\Local\...\1614.scr.log, ASCII 9->40 dropped 20 filename.exe 3 6 9->20         started        66 Antivirus detection for dropped file 13->66 68 Multi AV Scanner detection for dropped file 13->68 70 Machine Learning detection for dropped file 13->70 file5 signatures6 process7 file8 34 C:\FontHostDhcp\Surrogatenet.exe, PE32 20->34 dropped 36 C:\...behaviorgraphpwo9lOe6m5aZOY0EI8x2WKjB.vbe, data 20->36 dropped 60 Antivirus detection for dropped file 20->60 62 Multi AV Scanner detection for dropped file 20->62 64 Machine Learning detection for dropped file 20->64 24 wscript.exe 1 20->24         started        signatures9 process10 process11 26 cmd.exe 1 24->26         started        process12 28 Surrogatenet.exe 34 26->28         started        32 conhost.exe 26->32         started        file13 42 C:\Windows\Offline Web Pages\csrss.exe, PE32 28->42 dropped 44 C:\Recovery\smartscreen.exe, PE32 28->44 dropped 46 C:\Recovery\fontdrvhost.exe, PE32 28->46 dropped 48 12 other malicious files 28->48 dropped 72 Antivirus detection for dropped file 28->72 74 Multi AV Scanner detection for dropped file 28->74 76 Machine Learning detection for dropped file 28->76 78 2 other signatures 28->78 signatures14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8b75dc7056d22cf6b52d10867d70d86ab0a11cb953bc542d63c7f70558b93645/
Threat name:
ByteCode-MSIL.Downloader.Seraph
Create hunting rule
Status:
Malicious
First seen:
2022-08-18 10:57:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
22 of 26 (84.62%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rn25y4cw2iwpnnjnccdh24gynkykchfzko6filldy73qkwfzgzcq._file
Verdict:
malicious
Similar samples:
0bc34209adba693df004565db62ac2b8ac0a2fa249b89ca4f403479cd5bccbdf
DCRat
351678ba9f6ac971abd396e3a32b77acf7d6942a620d857b6d4908a958472d79
DCRat
7d7153b4be71012acd47e5b2282f9429e08b92e3d874ee5ed4f52e3ccd50c7ac
DCRat
8064b88e95ae2c691e1cdfee92d04a14e99fbae9ea196841b6a76b3c8a76a09b
DCRat
989e25e4e59ab6778b3d50459aeaec98c97211ee9cbdea8b75c140bda008770b
DCRat
aa1c0412d07df921b5486b8c181af55fd3196f2bd84222d0b6fd9e8be3d99cf1
DCRat
d14488f004a9f6594ebf9b8013aa78a01828dfe63755875cc9e66b1d8793cbef
DCRat
+ 4'033 additional samples on MalwareBazaar
Result
Malware family:
dcrat
Create hunting rule
Score:
  10/10
Tags:
family:dcrat infostealer rat spyware stealer
Link:
https://tria.ge/reports/220818-m18xrageb9/
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
DCRat payload
DcRat
Process spawned unexpected child process
Unpacked files
SH256 hash:
8b75dc7056d22cf6b52d10867d70d86ab0a11cb953bc542d63c7f70558b93645
MD5 hash:
5991f6529039369b6676b8bd5aaae84e
SHA1 hash:
fa2baa98688bdbf8641e443c90fcb244330de041
Link:
https://www.unpac.me/results/6a8b3a7d-17fa-4481-a757-471586f592d6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8b75dc7056d22cf6b52d10867d70d86ab0a11cb953bc542d63c7f70558b93645

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla
Create hunting rule
Author:Harish Kumar P
Description:Yara Rule to Detect AgentTesla
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/299577/

Comments