MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8ff008daec53167a2ec59a1fef763840c29bd032ceb6dec7c508b93d67cf809d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8ff008daec53167a2ec59a1fef763840c29bd032ceb6dec7c508b93d67cf809d
SHA3-384 hash: 2e4bcba5589988fe263e828238af648f92cf514a45cb7a06ff8443c5367c01b697895cda6ab8659fd3e529fca014c74c
SHA1 hash: 18b1af1f4ee7a52e466fa10cbcd52f9f914c9ba9
MD5 hash: b1fb36fc31e2e9e18b07abc77c833fe8
humanhash: low-mobile-ten-yankee
File name:b1fb36fc31e2e9e18b07abc77c833fe8.bin.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:1'092'096 bytes
First seen:2023-05-29 15:15:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:31VRAjJP3NZn0oWyFcNWQX/e5aG/Twy8j:3v+JPjn0tqeWQa/cy8j
Threatray 113 similar samples on MalwareBazaar
TLSH T19135E87C9BBA237BA1B7C3544BC9B45FB180A973F1057BE5A0C203498921971B5CBD2E
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:DCRat exe


Avatar
abuse_ch
DCRat C2:
http://vm654.loyal.sclad.network/Localcentral.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
268
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b1fb36fc31e2e9e18b07abc77c833fe8.bin.exe
Verdict:
Malicious activity
Analysis date:
2023-05-29 15:18:23 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f51a4844-6344-4c85-9316-7ef318edaa6c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DCRat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/393114/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Launching a process
Creating a file in the Program Files subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6474c1b3c85fa5bfbeccd84b/reports/04e1e76c-cb5b-403d-9b8f-c900e793b679/overview
Verdict:
Malicious
Labled as:
MSIL/Kryptik_AGeneric.AUK trojan
Link:
https://www.hybrid-analysis.com/sample/8ff008daec53167a2ec59a1fef763840c29bd032ceb6dec7c508b93d67cf809d
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/80969955-c8df-47ba-a851-ec16bf4c4c30
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1244540
Signature
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Creates processes via WMI
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the user root directory
Drops PE files with benign system names
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected DCRat
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8ff008daec53167a2ec59a1fef763840c29bd032ceb6dec7c508b93d67cf809d/
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2023-05-29 15:16:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=r7yarwxmkmlhulwftip665ryidbjxubsz23n5r6fbc4t2z6pqcoq._file
Verdict:
malicious
Similar samples:
02eac3477d8072f8a2e1eb518a741c467ec260aee8766b2ecbbe99bee947844a
DCRat
1faa876f1399fb2010efd296d79c43f2b7dda0ec087991d542327515a405540c
DCRat
4abeb9e9a46d1cac2b17c326d06830018532f8bca33ae4a3ba4536f044a50bc8
DCRat
69cb12c0b363b013dd951d0d93ca6349c59190f1a027df0885dc8c6dbb81548c
DCRat
799ed0d211859a9ff154db97b898160da3fc25110ca6b1b02b693e049d601dd1
DCRat
+ 103 additional samples on MalwareBazaar
Result
Malware family:
dcrat
Create hunting rule
Score:
  10/10
Tags:
family:dcrat infostealer rat
Link:
https://tria.ge/reports/230529-snfnbsch2v/
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
DCRat payload
DcRat
Process spawned unexpected child process
Unpacked files
SH256 hash:
18fe48031a18449fab109af60ba11c09558d0a388962c14c1be453aff9126c0f
MD5 hash:
ad122d61ca248b162cc410a0d8220ee5
SHA1 hash:
c0c0f96efde22b527c90d8b3552f0a5584e317bb
Link:
https://www.unpac.me/results/84911b39-489c-4cef-a120-35f4dc1864af/
SH256 hash:
e16d31256434834519f0fc54095f9a5e03700adaba2e51a75dad1ab581441323
MD5 hash:
1edd3839f47ae345890b4dc71ba6cfe5
SHA1 hash:
0b6593476cd3f7a7292c1e5f63e137aebb147708
Link:
https://www.unpac.me/results/84911b39-489c-4cef-a120-35f4dc1864af/
SH256 hash:
21c143f86192399dd85ccdef9ba19e5e036c8af95c6b854b98121e232bd51143
MD5 hash:
1aa7bcc1164637a3232c071303b8b0e3
SHA1 hash:
a8f24659c0a42696cd2a17f575948311fc452c09
Link:
https://www.unpac.me/results/84911b39-489c-4cef-a120-35f4dc1864af/
SH256 hash:
aaf6a7af62539da5f8ae3951a237f8a0cb0dbb365efa124161492aa703ee5033
MD5 hash:
1587fd5cabd16cc54da3e73f39011587
SHA1 hash:
9ee95d775c4ab72ed9bcdcfbf9133d181ae3ca33
Link:
https://www.unpac.me/results/84911b39-489c-4cef-a120-35f4dc1864af/
SH256 hash:
158fab6189a60302592807c6f297b7cfe7be866f59e4c63413ac54faef14e34c
MD5 hash:
02f26f2c2c3688d9a2397e40548117b7
SHA1 hash:
469f63d5f127cab9666c216fee5f4cc03dfdcd9d
Link:
https://www.unpac.me/results/84911b39-489c-4cef-a120-35f4dc1864af/
SH256 hash:
8ff008daec53167a2ec59a1fef763840c29bd032ceb6dec7c508b93d67cf809d
MD5 hash:
b1fb36fc31e2e9e18b07abc77c833fe8
SHA1 hash:
18b1af1f4ee7a52e466fa10cbcd52f9f914c9ba9
Link:
https://www.unpac.me/results/84911b39-489c-4cef-a120-35f4dc1864af/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
DCRat
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8ff008daec53167a2ec59a1fef763840c29bd032ceb6dec7c508b93d67cf809d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DCRat

Executable exe 8ff008daec53167a2ec59a1fef763840c29bd032ceb6dec7c508b93d67cf809d

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/393114/
  
URLhaus
https://urlhaus.abuse.ch/url/2644854/
  
Delivery method
Distributed via web download

Comments