MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b9581b11b9ed55b72517712e7147450f5411775b2b325568679ae05b12b3451c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b9581b11b9ed55b72517712e7147450f5411775b2b325568679ae05b12b3451c
SHA3-384 hash: ec748d97587b79a164b6636380f4e2eb8bd92968a1a2ccad40f529ef85c281f8f101fa60a8cb6afef39b24d513bff105
SHA1 hash: 3a292e5235f318e4c7ee8cdef7e3582390b2b391
MD5 hash: 000d72f9d59f5e12c4b1a669f74ac98d
humanhash: high-bakerloo-fourteen-sad
File name:000d72f9d59f5e12c4b1a669f74ac98d.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:2'704'896 bytes
First seen:2022-05-11 09:36:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 49152:/TsvgV9Ew2ZBBu7EP0MsiDvCl6wqWQyz57dI2KSOIS4TAiscAbf9VaP2ZtFP+jMV:/TagFquI3siulEWQy1BK0oRbS+BPb
Threatray 1'143 similar samples on MalwareBazaar
TLSH T1FFC533ED64B3B32DCB2F0976F0094E763EB1B96DD404D69BF46B1644F89B223499E804
TrID 30.2% (.EXE) Win64 Executable (generic) (10523/12/4)
18.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
14.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
12.9% (.EXE) Win32 Executable (generic) (4505/5/1)
5.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 9271c48cd6d47192 (1 x DCRat)
Reporter abuse_ch
Tags:DCRat exe


Avatar
abuse_ch
DCRat C2:
http://185.246.66.170/DefaultDumpBigload1/generatorVoiddb0/authserver0multi/auth/update/Uploads/Python32/Db/151video/Locallongpoll/DefaultwindowsbaseGenerator/TomultiSqltestprivate.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://185.246.66.170/DefaultDumpBigload1/generatorVoiddb0/authserver0multi/auth/update/Uploads/Python32/Db/151video/Locallongpoll/DefaultwindowsbaseGenerator/TomultiSqltestprivate.php https://threatfox.abuse.ch/ioc/549533/

Intelligence

File Origin
# of uploads :
1
# of downloads :
247
Origin country :
n/a
Vendor Threat Intelligence
Detection:
DCRat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/269647/
Detection(s):
SecuriteInfo.com.Trojan.Siggen17.49575.25105.28448.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
Creating a window
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Launching a process
Creating a file in the Program Files subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
dcrat obfuscated packed
Link:
https://www.filescan.io/uploads/627b83ea982f586844f16c5a/reports/8d9eaeb8-638a-4168-a4de-3363e97a8a00/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a4dbaaff-d9bb-4e34-be61-28d79c2bb98b
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/991756
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates processes via WMI
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Snort IDS alert for network traffic
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected DCRat
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 624248 Sample: 5Y4ronNuxo.exe Startdate: 11/05/2022 Architecture: WINDOWS Score: 100 48 Snort IDS alert for network traffic 2->48 50 Malicious sample detected (through community Yara rule) 2->50 52 Antivirus detection for dropped file 2->52 54 12 other signatures 2->54 9 5Y4ronNuxo.exe 1 2->9         started        13 dllhost.exe 2->13         started        15 WmiPrvSE.exe 2->15         started        17 20 other processes 2->17 process3 file4 46 C:\Users\user\AppData\...\5Y4ronNuxo.exe.log, ASCII 9->46 dropped 56 Creates processes via WMI 9->56 19 5Y4ronNuxo.exe 4 20 9->19         started        58 Antivirus detection for dropped file 13->58 60 Multi AV Scanner detection for dropped file 13->60 62 Machine Learning detection for dropped file 13->62 22 dllhost.exe 13->22         started        24 RuntimeBroker.exe 17->24         started        26 RuntimeBroker.exe 17->26         started        signatures5 process6 file7 38 C:\Users\...\uAHjUWKenvcjEcRzLPyWDBUQOyq.exe, PE32 19->38 dropped 40 C:\Users\Public\Desktop\WmiPrvSE.exe, PE32 19->40 dropped 42 C:\Recovery\dllhost.exe, PE32 19->42 dropped 44 6 other malicious files 19->44 dropped 28 cmd.exe 19->28         started        process8 process9 30 w32tm.exe 28->30         started        32 conhost.exe 28->32         started        34 RuntimeBroker.exe 28->34         started        process10 36 w32tm.exe 30->36         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b9581b11b9ed55b72517712e7147450f5411775b2b325568679ae05b12b3451c/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-05-04 08:33:43 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
21 of 39 (53.85%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xfmbwenz5vk3ojixoexhcr2fb5kbc523fmzfk2dhtlqfwevtiuoa._file
Verdict:
malicious
Similar samples:
0ea4f67aca805ae8edbf5504cb49d5c313315dfd855cc493c227e08eb2429680
DCRat
10b18e742857f69a081e9f30a71d13a7d31559f020ab245bb0db2fe7be73f0af
DCRat
201f0605a4d0424471b1f6b6f2e334f299cff3f6313a027ae5ecbb49ebabbc08
DCRat
a3f1615bd60b684da869e6b08295b273bd7698f63aa24ffb86d2ce24e03496bf
DCRat
ba55503901721f9390f13067f62f4a73f1693c6ca54232f0d7a60def6604cd4c
DCRat
d7428420538d01356c483f838c10798cb05da2993e5aafb68f4748ce8dc64113
DCRat
+ 1'133 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
spyware stealer suricata
Link:
https://tria.ge/reports/220511-llgdhsgcc4/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Process spawned unexpected child process
suricata: ET MALWARE DCRAT Activity (GET)
Unpacked files
SH256 hash:
1a329d230c874fda8b975d92b6ef259220efa87e8f2e75e11af40c65c9ce1b9c
MD5 hash:
14a2f8c746e7e51777cc8288167209b3
SHA1 hash:
2e163ae63f907861791d3fe4e81634b4b3f00cef
Link:
https://www.unpac.me/results/b45dd90a-c050-43dc-88c3-54d535c50288/
SH256 hash:
e245c4a7d41e095b5c5136a89e698bd11e452594d864e250607cff2b2efadbab
MD5 hash:
6c991f5490cd23d8df31d89864395b21
SHA1 hash:
a6e3fde5d6f72fce36c5a8955a6025d92efb4356
Link:
https://www.unpac.me/results/b45dd90a-c050-43dc-88c3-54d535c50288/
SH256 hash:
ce07a34e704f53ce9e8f2393694810cbc4b84c5dd861f2b9d0c61f915d3d6187
MD5 hash:
4aefc4a3eb90673ad8f6b4453d96bc99
SHA1 hash:
69ccc5c0ce3fadc7ecc03e68588a94e69568c96f
Link:
https://www.unpac.me/results/b45dd90a-c050-43dc-88c3-54d535c50288/
SH256 hash:
b9581b11b9ed55b72517712e7147450f5411775b2b325568679ae05b12b3451c
MD5 hash:
000d72f9d59f5e12c4b1a669f74ac98d
SHA1 hash:
3a292e5235f318e4c7ee8cdef7e3582390b2b391
Link:
https://www.unpac.me/results/b45dd90a-c050-43dc-88c3-54d535c50288/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b9581b11b9ed55b72517712e7147450f5411775b2b325568679ae05b12b3451c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
Create hunting rule
Author:ditekSHen
Description:Detects executables containing bas64 encoded gzip files
Rule name:MALWARE_Win_DCRat
Create hunting rule
Author:ditekSHen
Description:DCRat payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/269647/

Comments