MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c5c537cfff04de0c597d05b695b7fd6c2bf147bf03f7f08d645743758b4cf8f6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



DCRat


Vendor detections: 15



SHA256 hash: c5c537cfff04de0c597d05b695b7fd6c2bf147bf03f7f08d645743758b4cf8f6
SHA3-384 hash: 7b050fbe6a34643a79c9c3d93013c282f19fa26182673d8a341fc1e525634774910ea72e5bc198381c86e45ebd218f5b
SHA1 hash: f3dae227511fbbadc5f3aed1ff1db5a2d6b3ff03
MD5 hash: 06e7e53c62f291ea0e259f086a1f348c
humanhash: speaker-ceiling-papa-social
File name: 06e7e53c62f291ea0e259f086a1f348c.exe
Signature: DCRat
File size: 3'550'208 bytes
First seen: 2024-04-28 18:20:30 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 49152:+i8mZaUSpLDkPEB0SWVn0tglAkt3SjA51bTqc0aVppqWzhYRzQpJYX/VQVPj/Uif:+MZ9SpLZCn1lxijAfbTqMrhYmLMi
TLSH: T121F5E0017E548A12F01A1733C2EF454847B4EA516AE6E32B7DBA33AE55123B77C0D9CB
TrID: 47.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
20.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
8.4% (.SCR) Windows screen saver (13097/50/3)
6.8% (.EXE) Win64 Executable (generic) (10523/12/4)
4.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
Reporter: abuse_ch
Tags: DCRat exe


abuse_ch
DCRat C2:
http://a0949502.xsph.ru/_Defaultwindows.php

Intelligence


File Origin
# of uploads: 1
# of downloads: 499
Origin country: NL
Vendor Threat Intelligence
Malware family:
ID: 1
File name: c5c537cfff04de0c597d05b695b7fd6c2bf147bf03f7f08d645743758b4cf8f6.exe
Verdict: Malicious activity
Analysis date: 2024-04-28 18:23:20 UTC
Tags: rat backdoor dcrat remote stealer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a window
Creating a file
Using the Windows Management Instrumentation requests
Launching a process
Creating a file in the Program Files subdirectories
Creating a file in the %temp% directory
Running batch commands
Creating a process with a hidden window
Sending a UDP request
Creating a process from a recently created file
Blocking the User Account Control
Enabling autorun by creating a file
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-vm cmd cscript explorer lolbin obfuscated packed schtasks
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Creates processes via WMI
Disable UAC(promptonsecuredesktop)
Disables UAC (registry)
Drops PE files with benign system names
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Schedule system process
Sigma detected: System File Execution Location Anomaly
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected DCRat
Behaviour
Behavior Graph:
Threat name: ByteCode-MSIL.Trojan.Whispergate
Status: Malicious
First seen: 2024-04-26 16:52:43 UTC
File Type: PE (.Net Exe)
AV detection: 23 of 24 (95.83%)
Threat level: 5/5
Verdict: malicious
Result
Malware family:
Score: 10/10
Tags: family:dcrat evasion infostealer rat trojan
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Checks whether UAC is enabled
Checks computer location settings
Executes dropped EXE
DCRat payload
DcRat
Process spawned unexpected child process
UAC bypass
Unpacked files
SHA256 hash:
814726e3ebdda0c6ab0170dfed0708738922e8b02ec0cd74766c498a03fb0391
MD5 hash:
80a5d6bed9645817b122518112b7c17c
SHA1 hash:
ea775eaeef57958c9ba333cdd7ae4f3d5114254f
Detections:
dcrat_user_ping_counter
SHA256 hash:
0e9c43067e7c3f99867ef21f0d77fe47738ca71a921095c9654083da3d4c17c5
MD5 hash:
83efe3e6bbae5bed96cb61de073ca653
SHA1 hash:
b76e8e2151baba7b6c5c28216058addd5a2c6c73
Detections:
INDICATOR_EXE_Packed_SmartAssembly
SHA256 hash:
37a638b0cfa1743898ba840dcb787d13538e8773f31a8d2a1c7b564dec337cb1
MD5 hash:
88cce3ad8513a1a112a07c09aa117379
SHA1 hash:
7189d43c83bf3d74e4377de57d78be03a63ecca3
Detections:
dcrat_usbspread INDICATOR_EXE_Packed_SmartAssembly
SHA256 hash:
0848516a94b992ed89917ffc8f3c615e8898fe94dfe09c07299f4ad3c57f1f40
MD5 hash:
b2f09ee606a11c7cf64909dd7056ddb5
SHA1 hash:
fea26749eef5e2785d6e16e26d9b3fc97b7b16a6
SHA256 hash:
cf21621232897cf3b4c53f292b751c4a6d7a6e0b08c1768369fbe5349754fe1e
MD5 hash:
481693b8b81dbc6adda803a747e70589
SHA1 hash:
e4dc94bcdc5e58dc950f82a7515c901f1c1c043f
Detections:
dcrat_clipboard_logger
SHA256 hash:
69845442f3c5b9b690912e895e08d2d85ae43aeea064e4f9db4d23744f23e46c
MD5 hash:
d622489d794013fd2ac3e2e788fd76f0
SHA1 hash:
da5fecf4fbaac88e3cd1b46df642d228581170b0
Detections:
dcrat_system_restore_points_cleaner
SHA256 hash:
1f37fd8a33dc37bab9077220aa7bd596ba8fa2c26ad9a3aa5118620481ba1e25
MD5 hash:
f994b4c436858b35dbaf4bf9ec1d2dc4
SHA1 hash:
d694779ed116129483753ff2af1c6ae4c7c38a9f
Detections:
DCRatMiscInfoGrabberPlugin INDICATOR_EXE_Packed_SmartAssembly
SHA256 hash:
0a6036625a04e6ad346b14476e756d65f5fd718748157ecfeff46f5f9db92270
MD5 hash:
623880ed88daeed74d1cbf3f37fff1a8
SHA1 hash:
d262f6bb4d8fbc88b8a138d34fc448b9fa0f7215
Detections:
dcrat_crash_logger
SHA256 hash:
18190cb8a29dcc0cf32366acaf6196efe10a4fcaa4249190947868570f24419b
MD5 hash:
c892e3d5f64aded4df0ef555ae0f3781
SHA1 hash:
95affecd202a4122d1cc2cec3d28c86fcc4334ff
SHA256 hash:
4ab55589b750a7d71f2937345d0c4615e00d3076e8429160521959c17d9f5c9a
MD5 hash:
de703c537b3c7a9ccad4e8232d8b66ae
SHA1 hash:
7f32d1c1be057792b5a8484628fd9f781bed6cca
Detections:
dcrat_reg_editor_plugin
SHA256 hash:
3b2190a99973c6dd0951ba3b0f1a1fd99933b1bf1b47acbfbc435d278ebc6c58
MD5 hash:
2392dcc9ef3a64f9113b038bca2136b2
SHA1 hash:
6966103901bea0f5ec7dd6c9789fddd1e149d7c1
Detections:
dcrat_bsod_protection
SHA256 hash:
0fab909fd1a261d0e128ce6df5a5902cdee18edf81a22a7b0820f22139c28f1c
MD5 hash:
7f022019957d02d60e5d432b3d916a25
SHA1 hash:
5018f55e09b1c87d476aa228c2b692be23ad5d6c
Detections:
dcrat_disable_uac INDICATOR_EXE_Packed_SmartAssembly
SHA256 hash:
282caefacc2fdc7376810050d41a0496e373e482fb040a687ebbf11925c9b8d3
MD5 hash:
15d3744f6a3d6c1ad865ecb16e8d3188
SHA1 hash:
48c8345529bc1eb5f85f127930f8687d486964e9
Detections:
dcrat_file_searcher
SHA256 hash:
d3afbf26b01c7bece48a56eadacbe28fe2745edb0e2438bb8abaab71e7f166fb
MD5 hash:
fd4f275f7dc31518a3870792d7becb24
SHA1 hash:
327a03e107d9b97779b0ee740b7408a815d8672d
Detections:
dcrat_performance_counter
SHA256 hash:
6fea4d8944a5fc3f72cdd51fb1d9f7ebf1e06155662d12f103ba2057971faa72
MD5 hash:
8fe268d25d406fa597a02c0a70eb2f19
SHA1 hash:
313e1e273d3543c620966877c226f1eeb3eebbaa
Detections:
dcrat_hosts_editor
SHA256 hash:
c894ea43617dca10e30d7d5a6670d16d00d42fc99d9723765a268865d310e6c8
MD5 hash:
3c5c272838e490572833919f1af6ff1e
SHA1 hash:
fd21d0d453f540e6e3d64ef3103f13b13f8e1ee6
Detections:
INDICATOR_EXE_Packed_SmartAssembly
SHA256 hash:
c4852b6e5824e11f6cdd364def542aa7b19d8079176da6ca5346ca48e2aff08a
MD5 hash:
741376cac907611674c781e931d0bfce
SHA1 hash:
aa514cdd1149e121534c785b9d85674e86d9ce9d
Detections:
dcrat_obs_grabber
SHA256 hash:
0fb7df33d2709bda4ff69d44f7a58d2a3739a27d0dfb63afdc588e7f2988879a
MD5 hash:
0c06ce5a77cf628c4951013961583678
SHA1 hash:
287db3fc658ff49f40f2bc4bae6916f95374f9d6
Detections:
dcrat_vpn_grabber INDICATOR_EXE_Packed_SmartAssembly
SHA256 hash:
789c4e77648b0aebf655145c83588ea3e6c9762f85c81f709238a9d0055e6c2e
MD5 hash:
46904ca55c2d730772d4eb75834ed63c
SHA1 hash:
8f22c360996a90deaf9959505e845db95abd5dcc
Detections:
dcrat_block_input_plugin
SHA256 hash:
aa3d7c7363635393a1b1acd17ff2c396e75739e7ec27bc3be80a6d5d5ea6363c
MD5 hash:
588897a6c66f4fe6dfcd544c84cea3e8
SHA1 hash:
366e08ccc234d0fda27810e6b445c1917034840e
Detections:
dcrat_message_on_start INDICATOR_EXE_Packed_SmartAssembly
SHA256 hash:
c5c537cfff04de0c597d05b695b7fd6c2bf147bf03f7f08d645743758b4cf8f6
MD5 hash:
06e7e53c62f291ea0e259f086a1f348c
SHA1 hash:
f3dae227511fbbadc5f3aed1ff1db5a2d6b3ff03
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BAZT_B5_NOCEXInvalidStream

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: NET
Author: malware-lu

Rule name: pe_imphash

Rule name: PureCrypter
Author: @bartblaze
Description: Identifies PureCrypter, .NET loader and obfuscator.
Reference: https://malpedia.caad.fkie.fraunhofer.de/details/win.purecrypter

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                         Title                                                    Severity
CHECK_AUTHENTICODE         Missing Authenticode                                     high
CHECK_DLL_CHARACTERISTICS  Missing dll Security Characteristics (HIGH_ENTROPY_VA)   high

Comments