MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d0ba38de7fbef35868d1f321a5d193c8c3689d167e9c10af7075fd67903347d2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 11


Intelligence 11 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d0ba38de7fbef35868d1f321a5d193c8c3689d167e9c10af7075fd67903347d2
SHA3-384 hash: d48805dcf0000fadb17a22f4c18934dfd407e4786482a7c10091a7e76d89ed7f0c320f8a7ce85897ceb88fa061938358
SHA1 hash: 11f39851a6a8ee1d00e6021803872c44ef484a1a
MD5 hash: afe27d80ec5f4d7190b5689144e2ef24
humanhash: undress-fillet-louisiana-oven
File name:PAYMENT.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:317'440 bytes
First seen:2021-10-27 16:28:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 6144:pCgbFbC2JAGOyxpAf0Vnv9ajqT/Vbpyo+bjeZDrBK5d:pCAFbHQyxpCWngqjVowDrid
Threatray 7'311 similar samples on MalwareBazaar
TLSH T15F64A62C3B825A72FF5EC133A9110A29BB660B136A50B9F25FDF15CA874F4776D44C88
Reporter abuse_ch
Tags:DCRat exe RAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
197
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/200656/
Detection(s):
SecuriteInfo.com.Trojan.Mardom.MN.10.6070.26227.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Forced shutdown of a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm obfuscated packed
Link:
https://www.filescan.io/uploads/61797e50db358dd15ee0403c/reports/040ba1f8-b539-4065-a54a-dc4b198b116c/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/514f29f4-36cd-4744-a06d-63f86b6eaef8
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/877931
Signature
.NET source code contains potential unpacker
Binary or sample is protected by dotNetProtector
Drops PE files with benign system names
Executable has a suspicious name (potential lure to open the executable)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Schedule system process
Tries to delay execution (extensive OutputDebugStringW loop)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AsyncRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 510370 Sample: PAYMENT.exe Startdate: 27/10/2021 Architecture: WINDOWS Score: 100 47 Found malware configuration 2->47 49 Yara detected AsyncRAT 2->49 51 Sigma detected: Schedule system process 2->51 53 6 other signatures 2->53 7 PAYMENT.exe 4 2->7         started        10 svchost.exe 3 2->10         started        process3 signatures4 55 Tries to delay execution (extensive OutputDebugStringW loop) 7->55 12 cmd.exe 1 7->12         started        15 cmd.exe 3 7->15         started        18 RegAsm.exe 1 2 7->18         started        57 Multi AV Scanner detection for dropped file 10->57 59 Machine Learning detection for dropped file 10->59 61 Writes to foreign memory regions 10->61 63 Injects a PE file into a foreign processes 10->63 21 cmd.exe 1 10->21         started        23 cmd.exe 1 10->23         started        25 RegAsm.exe 3 10->25         started        process5 dnsIp6 65 Uses schtasks.exe or at.exe to add and modify task schedules 12->65 67 Drops PE files with benign system names 12->67 27 conhost.exe 12->27         started        29 schtasks.exe 1 12->29         started        39 C:\Users\user\AppData\Roaming\...\svchost.exe, PE32 15->39 dropped 41 C:\Users\user\...\svchost.exe:Zone.Identifier, ASCII 15->41 dropped 31 conhost.exe 15->31         started        43 91.193.75.132, 49800, 5529 DAVID_CRAIGGG Serbia 18->43 45 127.0.0.1 unknown unknown 18->45 33 conhost.exe 21->33         started        35 schtasks.exe 1 21->35         started        37 conhost.exe 23->37         started        file7 signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d0ba38de7fbef35868d1f321a5d193c8c3689d167e9c10af7075fd67903347d2/
Threat name:
ByteCode-MSIL.Trojan.Mardom
Create hunting rule
Status:
Malicious
First seen:
2021-10-27 16:29:05 UTC
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2c5drxt7x3zvq2gr6mq2lumtzdbwrhiwp2obbl3qox6wpebti7ja._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
19247536d1bb8035395a3a2bca3ecb17c36ddf48fee86a00d9d6e3e4bf622f35
DCRat
395a803ba3e091e6ac2629c5591e6cd874f68332a436287d0121f5f21b3524e6
DCRat
4f8799e5441c553ebbda342b6b06356a70dc432e5ac0434f4158146520b57ab7
DCRat
83923b2bb65492892ef63d18dff00654431b27cd409d8fd67d4ba0eadc052c6a
DCRat
8d49f4d62f32381186bb74d032803832867dc89aa8b9f039db8417da8f721a66
DCRat
d8eb5792d969c21c364da69eca1322ab5f63e0a39b0e542bad4ee95be873c296
DCRat
dd5383ed9704546324f7e97d31b76e38c2b38b9600fd36fdba920af791488848
DCRat
f8fb3109639b476089103cd8a0afe01d3f015453c25ecb4f46bf1be8f8b04579
DCRat
+ 7'301 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat botnet:default rat
Link:
https://tria.ge/reports/211027-ty8mjaffb5/
Behaviour
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Executes dropped EXE
Async RAT payload
AsyncRat
Malware Config
C2 Extraction:
127.0.0.1:8848
127.0.0.1:5529
127.0.0.1:9109
91.193.75.132:8848
91.193.75.132:5529
91.193.75.132:9109
Unpacked files
SH256 hash:
4b4bd9652d4a00aed26c42f5f31527282613ea484add16a20cf0d34202eb3b9d
MD5 hash:
a2f2e7f18100d72e82c7395292cd53d3
SHA1 hash:
26a92744d2e324852e638e3fbf85aa31b4269fa2
Link:
https://www.unpac.me/results/d0d499b3-29b0-4275-9e6b-366920f83dca/
SH256 hash:
d0ba38de7fbef35868d1f321a5d193c8c3689d167e9c10af7075fd67903347d2
MD5 hash:
afe27d80ec5f4d7190b5689144e2ef24
SHA1 hash:
11f39851a6a8ee1d00e6021803872c44ef484a1a
Link:
https://www.unpac.me/results/d0d499b3-29b0-4275-9e6b-366920f83dca/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/d0ba38de7fbe/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d0ba38de7fbef35868d1f321a5d193c8c3689d167e9c10af7075fd67903347d2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_dotNetProtector
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with dotNetProtector
Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:INDICATOR_SUSPICIOUS_EXE_DcRatBy
Create hunting rule
Author:ditekSHen
Description:Detects executables containing the string DcRatBy
Rule name:INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
Create hunting rule
Author:ditekSHen
Description:Detects executables attemping to enumerate video devices using WMI
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DCRat

Executable exe d0ba38de7fbef35868d1f321a5d193c8c3689d167e9c10af7075fd67903347d2

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/200656/

Comments