MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d18e505ce073d9d492f5183f342fd24f306d61cd1bc7dc92e68d265eddc9d276. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 14


Intelligence 14 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d18e505ce073d9d492f5183f342fd24f306d61cd1bc7dc92e68d265eddc9d276
SHA3-384 hash: f7019d31f9325170cf7a4920dcfe60d9373054c29478ce227ea51b7e67db5b77829e4d0fbb42fc2b0aa9679d051a92ad
SHA1 hash: 049316b84ca3829744cdef31c2ceb7bec0aa91f6
MD5 hash: 2db4abb2e5169ea5b459c77e2437287e
humanhash: sodium-single-india-oklahoma
File name:2db4abb2e5169ea5b459c77e2437287e.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:1'053'696 bytes
First seen:2023-08-25 07:15:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:cxxJD1ApcDikRJ+bQK5wvktFw/7ITCygbPIZ2TEy:CAp+EbQVvktpT/pZUE
Threatray 86 similar samples on MalwareBazaar
TLSH T15E25F122BB3B5A59CA99E87A505FF5CE0CE618523A6542FF7CB937508A140C2C7C8D1F
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:DCRat exe


Avatar
abuse_ch
DCRat C2:
http://94.156.102.214/eternalPollMulti.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
309
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
dcrat
Create hunting rule
ID:
1
File name:
2db4abb2e5169ea5b459c77e2437287e.exe
Verdict:
Malicious activity
Analysis date:
2023-08-25 07:15:25 UTC
Tags:
rat backdoor dcrat remote
Link:
https://app.any.run/tasks/d64d1fc6-4722-4cad-bcd8-ef648d9a31ad

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DCRat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/444655/
Detection(s):
SecuriteInfo.com.Trojan.Siggen21.20967.8042.26104.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Launching a process
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/d18e505ce073d9d492f5183f342fd24f306d61cd1bc7dc92e68d265eddc9d276
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/50896431-5585-4389-ba95-7a95a27d5225
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1297192
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected DCRat
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d18e505ce073d9d492f5183f342fd24f306d61cd1bc7dc92e68d265eddc9d276/
Threat name:
ByteCode-MSIL.Trojan.Seraph
Create hunting rule
Status:
Malicious
First seen:
2023-08-22 14:08:22 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
27 of 38 (71.05%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2ghfaxhaopm5jexvda7til6sj4yg2yondpd5zexgrutf5xoj2j3a._file
Verdict:
malicious
Similar samples:
4bdab9a6c4d44f4404bf56fd34b5d6d9dd602e88cc02b5b57b09cf7e55e71cb1
DCRat
663064253d950f0bf09872b96f7ae51b34d146a38a09501e0bf69e0ab1a9410b
DCRat
851f06a5ea70130dc3f9427d37c7ad8922a1a3a853ae5711784a272b014c95d5
DCRat
975a57feee1242d2031e3f902b4f14ad7b9332c9dbb3f20863b119b00b5287d2
DCRat
ad8f12c1e6641d10ba6c2082668c34a30d4fd1886f207062e5526e2f58475da2
DCRat
b8a7a98af1a8c447cd01719ad921f645bf56f293fb7efab345874dc6a04f597f
DCRat
c2a2689212a40415f5bf94e08cc232543076bd9dfae34b78638abc32c84085ff
DCRat
+ 76 additional samples on MalwareBazaar
Result
Malware family:
dcrat
Create hunting rule
Score:
  10/10
Tags:
family:dcrat infostealer persistence rat
Link:
https://tria.ge/reports/230825-h3slbsbd8w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
DCRat payload
DcRat
Unpacked files
SH256 hash:
7548d403d8b54e3c276810cfdde6e57fd84c6d8409aeeb036efec12a4f82df3e
MD5 hash:
e2d5bf7cb19aac919d2dd163c1c1dc34
SHA1 hash:
89beab4324007ef16b5586dbae42da17680312d9
Link:
https://www.unpac.me/results/e10b55b5-f23a-46b3-92b5-d92ccffdf884/
SH256 hash:
270e4c9c272e76b067e85727fbd871ff65edc0ef837a9b80cfed84252203ffbd
MD5 hash:
c9618d3d5ba243b024fe41223ef625be
SHA1 hash:
626d260a95fbf0b8b2ace91b64d0c7aa294616bf
Link:
https://www.unpac.me/results/e10b55b5-f23a-46b3-92b5-d92ccffdf884/
SH256 hash:
0e6a056bdf3dc2fb1ea91aeed5084bd0e4a8e66f2390a5d76270c48a4b3caaa1
MD5 hash:
6df1793047abd1f65774338157c79441
SHA1 hash:
de6e9d42254c8bb7fb737a671df3c1c9438a0e6d
Link:
https://www.unpac.me/results/e10b55b5-f23a-46b3-92b5-d92ccffdf884/
SH256 hash:
09f764c88d0bc3d49cad6e9f273a6cba4bee130998f9afa226faa49f95a12916
MD5 hash:
53b86fccd17c9991c8ddffd3473e1cdf
SHA1 hash:
a6fa57a57f953be6443d500a9210695acf303bde
Link:
https://www.unpac.me/results/e10b55b5-f23a-46b3-92b5-d92ccffdf884/
SH256 hash:
e430c00fe0e14766b6025201686f5a1abadcdfc48d1752396f7f19ce75309ee9
MD5 hash:
32716c47b9d10fd05792d506aaca96f9
SHA1 hash:
5f58ebebdfa94809f10a0d4cca2e58e06c4ebe29
Link:
https://www.unpac.me/results/e10b55b5-f23a-46b3-92b5-d92ccffdf884/
SH256 hash:
19efdf03cb94895935225795f68bb9abfded1869687367013b8b4eee3cc99372
MD5 hash:
4e29f75c0c51b9dec76955f0382d9541
SHA1 hash:
4899aa8e3f57339cbaec8faab777897a76fe1c3a
Link:
https://www.unpac.me/results/e10b55b5-f23a-46b3-92b5-d92ccffdf884/
SH256 hash:
d18e505ce073d9d492f5183f342fd24f306d61cd1bc7dc92e68d265eddc9d276
MD5 hash:
2db4abb2e5169ea5b459c77e2437287e
SHA1 hash:
049316b84ca3829744cdef31c2ceb7bec0aa91f6
Link:
https://www.unpac.me/results/e10b55b5-f23a-46b3-92b5-d92ccffdf884/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d18e505ce073/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.75
Link:
https://yomi.yoroi.company/submissions/d18e505ce073d9d492f5183f342fd24f306d61cd1bc7dc92e68d265eddc9d276

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DCRat
Create hunting rule
Author:Nikolaos 'n0t' Totosis
Description:DCRat Payload
Rule name:INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
Create hunting rule
Author:ditekSHen
Description:Detects executables containing bas64 encoded gzip files
Rule name:MALWARE_Win_DCRat
Create hunting rule
Author:ditekSHen
Description:DCRat payload
Rule name:Multifamily_RAT_Detection
Create hunting rule
Author:Lucas Acha (http://www.lukeacha.com)
Description:Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/444655/

Comments