MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d447242a078661aa69c652929cbedbc1896b135aa50ed27427ea8c7e4d4a71be. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DCRat

Vendor detections: 15

Intelligence 15 IOCs YARA File information Comments

SHA256 hash:	d447242a078661aa69c652929cbedbc1896b135aa50ed27427ea8c7e4d4a71be
SHA3-384 hash:	59cefb4d4f69dd5cac9a8ed00e21cc623767dff16786951bfd8082b70221dfd7c8cb26464ddba9f737865c9a0537405d
SHA1 hash:	ad74d9dbca6885a004e21824d87f8e5168030484
MD5 hash:	7c44e8e46e3f7669ad24db6756895950
humanhash:	sweet-grey-oranges-winter
File name:	file
Download:	download sample
Signature	DCRat Create hunting rule
File size:	175'666 bytes
First seen:	2023-06-13 14:19:37 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	ba04039b1cc8f51b64f582e0f52f5cdb (1 x DCRat)
ssdeep	3072:FWAm7g0RE3N82rmAniiFhb7zPeo7f8D6L6W6/68696Ugtdy+PkDLJ6rSIalbn:sHE3i2rmVizt8D6L6W6/68696UgtPkDd
Threatray	542 similar samples on MalwareBazaar
TLSH	T1BD049D2D3DB85C67D0E4C7B189F2B427B450AC2E25CF5D0F29C6AB28567794724E322E
TrID	82.3% (.EXE) Win32 Executable Microsoft Visual Basic 6 (82067/2/8) 5.0% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.5% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	1003873d31213f10 (142 x DarkCloud, 132 x GuLoader, 35 x a310Logger)
Reporter	jstrosch
Tags:	DCRat exe

Intelligence

File Origin

# of uploads :

# of downloads :

275

Origin country :

Vendor Threat Intelligence

Malware family:

asyncrat

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2023-06-13 14:37:09 UTC

Tags:

asyncrat

Link:

https://app.any.run/tasks/4fd7753c-398c-4ae8-8aa7-ae36afff0689

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/398421/

Detection(s):

SecuriteInfo.com.Variant.Lazy.350119.13390.4211.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Creating a window

Searching for synchronization primitives

Launching a process

Launching the default Windows debugger (dwwin.exe)

Sending a custom TCP request

Unauthorized injection to a system process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

overlay packed trickbot

Link:

https://www.filescan.io/uploads/64887b1908b287b7595b7668/reports/9e0b3cd3-2752-4f88-8ef0-ee7834de5c0f/overview

Verdict:

Malicious

Labled as:

Lazy.Generic

Link:

https://www.hybrid-analysis.com/sample/d447242a078661aa69c652929cbedbc1896b135aa50ed27427ea8c7e4d4a71be

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

DCRat

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f6657d12-8b98-489c-b378-3ecfa2f3307a

Result

Threat name:

AsyncRAT, DcRat

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1253775

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Writes to foreign memory regions

Yara detected AsyncRAT

Yara detected DcRat

Behaviour

Behavior Graph:

Download SVG

Detection:

dcrat

Link:

https://mwdb.cert.pl/sample/d447242a078661aa69c652929cbedbc1896b135aa50ed27427ea8c7e4d4a71be/

Threat name:

Win32.Backdoor.AsyncRAT

Status:

Malicious

First seen:

2023-06-13 14:20:10 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 24 (83.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=2rdsikqhqzq2u2ogkkjjzpw3ygewwe22uuhne5bh5kgh4tkkog7a._file

Result

Malware family:

asyncrat

Score:

10/10

Tags:

family:asyncrat botnet:default rat

Link:

https://tria.ge/reports/230613-rnfgwsge95/

Behaviour

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Async RAT payload

AsyncRat

Malware Config

C2 Extraction:

192.168.175.1:1800

Unpacked files

SH256 hash:

3b3c00add0536e00bb83978fe78de7534799405918380d9d678d11303640b4cd

MD5 hash:

e07a1c0c3c290a21a9121d566e0153d1

SHA1 hash:

c5f9bd4109d60e74e33699e94c1ccc084d5041b1

Link:

https://www.unpac.me/results/68c83b73-fc24-4c93-9e52-264fbe53cca3/

SH256 hash:

d447242a078661aa69c652929cbedbc1896b135aa50ed27427ea8c7e4d4a71be

MD5 hash:

7c44e8e46e3f7669ad24db6756895950

SHA1 hash:

ad74d9dbca6885a004e21824d87f8e5168030484

Link:

https://www.unpac.me/results/68c83b73-fc24-4c93-9e52-264fbe53cca3/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/d447242a0786/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

iSpy Keylogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d447242a078661aa69c652929cbedbc1896b135aa50ed27427ea8c7e4d4a71be

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DCRat

exe d447242a078661aa69c652929cbedbc1896b135aa50ed27427ea8c7e4d4a71be

(this sample)

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/398421/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample