MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d0d8566e5537f7d1c749632eafdd9475e89ca672376dba56055815538d80f2aa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	d0d8566e5537f7d1c749632eafdd9475e89ca672376dba56055815538d80f2aa
SHA3-384 hash:	8dde4493ddc12e35b2649c9480d7f6df6f3400d85f3f61970411396c54a4ef1a1df4b2fba80c0ad81709014c2eabc91f
SHA1 hash:	f02619183210ebcfbeef9fb36bc05bb60f8525f4
MD5 hash:	82b237983c744cf8c87ecb771cb6712c
humanhash:	lactose-friend-black-foxtrot
File name:	0x0007000000023241-391
Download:	download sample
Signature	DCRat Alert Create hunting rule
File size:	5'680'640 bytes
First seen:	2023-12-30 10:57:15 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	98304:viV6amVAcmZWGN57Ze13cnIRtO+niV6amVAcmZWGN57Ze13cnIRtG:vis9VALJZLIR5nis9VALJZLIR
TLSH	T1C9460255EF240E14C6020FBC4EB89572C4376FD17B98DA61B82AF09AC7368D59DC2D8E
TrID	67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.7% (.EXE) Win64 Executable (generic) (10523/12/4) 6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	06276565593b9e4c (2 x DCRat, 1 x AsyncRAT, 1 x Formbook)
Reporter	e24111111111111
Tags:	DCRat exe

Intelligence

---

File Origin

# of uploads :

1

# of downloads :

298

Origin country :

GR

Vendor Threat Intelligence

ANY.RUN asyncrat

Malware family:

asyncrat

Alert

Create hunting rule

ID:

1

File name:

80c91ecaab6a6a6a7a8cb3df47b111f031ea41beab9f8b8386f4c1bc8d18ff21.exe

Verdict:

Malicious activity

Analysis date:

2023-12-30 11:20:13 UTC

Tags:

evasion xworm asyncrat

Link:

https://app.any.run/tasks/da923875-50b3-41e7-b17d-fbd4c3f7f358

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Dr. Web vxCube Malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Creating a file in the %AppData% directory

Creating a process from a recently created file

Creating a file

Creating a window

DNS request

Sending a custom TCP request

Unauthorized injection to a recently created process

FileScan.IO Malicious

Verdict:

Malicious

Threat level:

  10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/658ff7bbd48681e0d6666752/reports/d1629e0a-0e42-4170-9692-fd45ae69b138/overview

Hybrid Analysis Win/malicious_confidence_100%

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/d0d8566e5537f7d1c749632eafdd9475e89ca672376dba56055815538d80f2aa

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer

Gathering data

Joe Sandbox AsyncRAT, DcRat

Result

Threat name:

AsyncRAT, DcRat

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1368242

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Antivirus detection for URL or domain

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Detected unpacking (changes PE section rights)

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Protects its processes via BreakOnTermination flag

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected AsyncRAT

Yara detected DcRat

Behaviour

Behavior Graph:

Download SVG

Nucleon Malprob Malware

Score:

100%

Verdict:

Malware

File Type:

PE

Link:

https://malprob.io/report/d0d8566e5537f7d1c749632eafdd9475e89ca672376dba56055815538d80f2aa

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d0d8566e5537f7d1c749632eafdd9475e89ca672376dba56055815538d80f2aa/

ReversingLabs TitaniumCloud ByteCode-MSIL.Trojan.AsyncRAT

Threat name:

ByteCode-MSIL.Trojan.AsyncRAT

Alert

Create hunting rule

Status:

Malicious

First seen:

2023-05-26 11:23:28 UTC

File Type:

PE (.Net Exe)

Extracted files:

5

AV detection:

26 of 37 (70.27%)

Threat level:

  5/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=2dmfm3svg735dr2jmmxk7xmuoxujzjtsg5w3uvqflakvhdma6kva._file

Hatching Triage asyncrat

Result

Malware family:

asyncrat

Alert

Create hunting rule

Score:

  10/10

Tags:

family:asyncrat rat

Link:

https://tria.ge/reports/231230-m2t5zsdefk/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Checks computer location settings

Executes dropped EXE

Async RAT payload

AsyncRat

UnpacMe DCRat INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice SUSP_NET_NAME_ConfuserEx INDICATOR_SUSPICIOUS_EXE_DcRatBy INDICATOR_SUSPICIOUS_EXE_B64_Artifacts

Unpacked files

SH256 hash:

dd0dc7ad62d2a66b164ba36dc395ab67466fcd519ceaffd62ccebf5ddb60a340

MD5 hash:

ea35b0859a343c66e692a216e3f64835

SHA1 hash:

7d67cf9ab7f48aa349e92bfef3dce7fc960ee7ad

Detections:

DCRat

Alert

Create hunting rule

INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice

Alert

Create hunting rule

SUSP_NET_NAME_ConfuserEx

Alert

Create hunting rule

INDICATOR_SUSPICIOUS_EXE_DcRatBy

Alert

Create hunting rule

INDICATOR_SUSPICIOUS_EXE_B64_Artifacts

Alert

Create hunting rule

Link:

https://www.unpac.me/results/ab4338a5-69a0-4eb0-b6b1-c973b2feae72/

Parent samples :

dd0dc7ad62d2a66b164ba36dc395ab67466fcd519ceaffd62ccebf5ddb60a340
d0d8566e5537f7d1c749632eafdd9475e89ca672376dba56055815538d80f2aa
80c91ecaab6a6a6a7a8cb3df47b111f031ea41beab9f8b8386f4c1bc8d18ff21
994ea35144e43c0074f6d60ccff844cc70d0a2b34ad9b583a7316e17aec94e2f

SH256 hash:

d0d8566e5537f7d1c749632eafdd9475e89ca672376dba56055815538d80f2aa

MD5 hash:

82b237983c744cf8c87ecb771cb6712c

SHA1 hash:

f02619183210ebcfbeef9fb36bc05bb60f8525f4

Link:

https://www.unpac.me/results/ab4338a5-69a0-4eb0-b6b1-c973b2feae72/

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Malicious File

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d0d8566e5537f7d1c749632eafdd9475e89ca672376dba56055815538d80f2aa