MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ab0f07a906a076c101943b677a6325390574f4184cb1d28effd51fdb62bd6ae0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	ab0f07a906a076c101943b677a6325390574f4184cb1d28effd51fdb62bd6ae0
SHA3-384 hash:	9b8af895d07956daadf4885c7196e6b1c387a39d7d481fddba410f7b500a798ac079aefdb32a17c8161585782be936a6
SHA1 hash:	0ef7c0076b42e3fc115623f90039224163b04d70
MD5 hash:	20ff4291f36bd9fbba6b368dd2690cd4
humanhash:	bulldog-social-eighteen-robin
File name:	20ff4291f36bd9fbba6b368dd2690cd4.exe
Download:	download sample
Signature	DCRat Alert Create hunting rule
File size:	848'896 bytes
First seen:	2023-12-28 23:10:15 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:GAbuRJ+dCGgR89WY7sf/qRAPFebQjr1p4aySC9WuzvAAb:vb+J+AY7sKRELj/ySCoAb
Threatray	161 similar samples on MalwareBazaar
TLSH	T14B050701BE44CE11F0191233C3EF454847B4A8516AA6E32B7DBA37BD55123A7BE0DADB
TrID	47.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 20.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 8.4% (.SCR) Windows screen saver (13097/50/3) 6.8% (.EXE) Win64 Executable (generic) (10523/12/4) 4.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
Reporter	abuse_ch
Tags:	DCRat exe

abuse_ch

DCRat C2:
http://a0900918.xsph.ru/9b366b94.php

Intelligence

---

File Origin

# of uploads :

1

# of downloads :

328

Origin country :

NL

Vendor Threat Intelligence

ANY.RUN dcrat

Malware family:

dcrat

Alert

Create hunting rule

ID:

1

File name:

ab0f07a906a076c101943b677a6325390574f4184cb1d28effd51fdb62bd6ae0.exe

Verdict:

Malicious activity

Analysis date:

2023-12-29 06:11:41 UTC

Tags:

rat backdoor dcrat remote stealer

Link:

https://app.any.run/tasks/850f8de6-23f7-49a3-ac2f-5e9a616793ab

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

ClamAV Detected

Detection(s):

Win.Packed.Msilmamut-9950860-0

Alert

Create hunting rule

Win.Packed.Basic-9952747-0

Alert

Create hunting rule

Win.Packed.Uztuby-9963900-0

Alert

Create hunting rule

Dr. Web vxCube Malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Creating a file

Using the Windows Management Instrumentation requests

Launching a process

Creating a file in the Program Files subdirectories

Creating a process from a recently created file

Creating a process with a hidden window

DNS request

Connecting to a non-recommended domain

Sending an HTTP GET request

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a recently created process

Enabling autorun by creating a file

Enabling autorun

FileScan.IO Malicious

Verdict:

Malicious

Threat level:

  10/10

Confidence:

100%

Tags:

anti-vm cmd cscript dcrat explorer lolbin net_reactor obfuscated packed schtasks

Link:

https://www.filescan.io/uploads/658e0087b2e45ed099c50105/reports/45aecd3f-b10d-4caf-9e00-4600b65f5b29/overview

Hybrid Analysis Trojan.MSIL.Basic.8

Verdict:

Malicious

Labled as:

Trojan.MSIL.Basic.8

Link:

https://www.hybrid-analysis.com/sample/ab0f07a906a076c101943b677a6325390574f4184cb1d28effd51fdb62bd6ae0

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer Malicious

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5b40e87b-9307-4d9c-b298-9dfc4f2b04fc

Joe Sandbox DCRat

Result

Threat name:

DCRat

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1367827

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

C2 URLs / IPs found in malware configuration

Creates an autostart registry key pointing to binary in C:\Windows

Creates an undocumented autostart registry key

Creates multiple autostart registry keys

Creates processes via WMI

Drops executable to a common third party application directory

Drops executables to the windows directory (C:\Windows) and starts them

Drops PE files to the user root directory

Drops PE files with benign system names

Found malware configuration

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Schedule system process

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected DCRat

Behaviour

Behavior Graph:

Download SVG

Nucleon Malprob Malware

Score:

100%

Verdict:

Malware

File Type:

PE

Link:

https://malprob.io/report/ab0f07a906a076c101943b677a6325390574f4184cb1d28effd51fdb62bd6ae0

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ab0f07a906a076c101943b677a6325390574f4184cb1d28effd51fdb62bd6ae0/

ReversingLabs TitaniumCloud ByteCode-MSIL.Backdoor.DCRat

Threat name:

ByteCode-MSIL.Backdoor.DCRat

Alert

Create hunting rule

Status:

Malicious

First seen:

2023-12-26 19:03:00 UTC

File Type:

PE (.Net Exe)

AV detection:

32 of 37 (86.49%)

Threat level:

  5/5

Spamhaus Hash Blocklist Malicious file

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=vmhqpkigub3mcamuhntxuyzfhecxj5ayjsy5fdx72up5wyv5nlqa._file

Threatray malicious

Verdict:

malicious

Similar samples:

11e9006a70a09fdb18197a2ab767335abad8b628302345fe4a97cfd52fca0358

DCRat

6ac022afe977413b140ed4f16693e5e2d4bcc4e512bce469553a84c156b39744

DCRat

90f403c6304240465460ace49b8db9d46c7d28bc36fd49b89f4722ee497bd2dd

DCRat

9fe02aaada149d3806300b2e860386533ef371df36842c212e2483642086dd37

DCRat

+ 151 additional samples on MalwareBazaar

Hatching Triage dcrat

Result

Malware family:

dcrat

Alert

Create hunting rule

Score:

  10/10

Tags:

family:dcrat infostealer persistence rat

Link:

https://tria.ge/reports/231228-2586msaabr/

Behaviour

Creates scheduled task(s)

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Enumerates physical storage devices

Drops file in Program Files directory

Adds Run key to start application

Checks computer location settings

Executes dropped EXE

DCRat payload

DcRat

Modifies WinLogon for persistence

Process spawned unexpected child process

UnpacMe

Unpacked files

SH256 hash:

ab0f07a906a076c101943b677a6325390574f4184cb1d28effd51fdb62bd6ae0

MD5 hash:

20ff4291f36bd9fbba6b368dd2690cd4

SHA1 hash:

0ef7c0076b42e3fc115623f90039224163b04d70

Link:

https://www.unpac.me/results/a35ccdc1-900b-44e3-af52-2f8b9b39680c/

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Malicious File

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ab0f07a906a076c101943b677a6325390574f4184cb1d28effd51fdb62bd6ae0