MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dcef9be7998958aa6f72aab41f6fb01c8bceb039b1fd111849c399bd5eab4fb4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dcef9be7998958aa6f72aab41f6fb01c8bceb039b1fd111849c399bd5eab4fb4
SHA3-384 hash: c5673d1fee800e0aff8af9a161acd5f7de3ffa8145f84c5e4aa7ebe1ea7b95e3a4e6fb39c92d217cd7bb8ff25105fc71
SHA1 hash: 3250e8b3f454dc0c31784c0f89414ea0b20a4498
MD5 hash: a3793bbdf9592814251b0cf5cbc1a15a
humanhash: pasta-three-michigan-nuts
File name:a3793bbdf9592814251b0cf5cbc1a15a.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:5'295'112 bytes
First seen:2021-12-23 14:56:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0822777feb8e7fd010d6791c4438bd5d (1 x DCRat)
ssdeep 98304:IUWpZKsv7/tr8fBda09VBw+zhCN1vhXZZifHHsUrcnuVJKY:I5KsD/R8ffvVB7hyjpZEnsfuVk
Threatray 38 similar samples on MalwareBazaar
TLSH T121363350637739F2E576413489A381467A31BC7F0F249A4B335067A39FFE269A93EB10
File icon (PE):PE icon
dhash icon cc33726969b909d4 (1 x DCRat)
Reporter abuse_ch
Tags:DCRat exe RAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
175
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a3793bbdf9592814251b0cf5cbc1a15a.exe
Verdict:
No threats detected
Analysis date:
2021-12-23 15:03:56 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3bd2fb87-ea7e-4b8e-90ad-c4166aae4d54

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
PyInstaller
Create hunting rule
Link:
https://www.capesandbox.com/analysis/215986/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a file
Creating a file in the %AppData% directory
Running batch commands
Creating a process with a hidden window
Launching a process
Enabling the 'hidden' option for recently created files
Сreating synchronization primitives
Creating a process from a recently created file
Creating a window
Creating a file in the %AppData% subdirectories
Searching for the window
DNS request
Sending a custom TCP request
Searching for synchronization primitives
Sending an HTTP GET request
Downloading the file
Setting a single autorun event
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/3025/overview
Behaviour
MalwareBazaar
CPUID_Instruction
MeasuringTime
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/61c48e448991ba72b393d0b3/reports/41c7ba94-3eac-4885-a5e8-f0bd9720dc57/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/abe3465e-3f47-4c5d-b51b-e0f9279ad30b
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
bank.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/912060
Signature
Antivirus detection for URL or domain
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Malicious encrypted Powershell command line found
Multi AV Scanner detection for submitted file
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: WScript or CScript Dropper
Uses cmd line tools excessively to alter registry or file data
Uses dynamic DNS services
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AntiVM3
Yara detected AsyncRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 544539 Sample: 0GbdsWiKVp.exe Startdate: 23/12/2021 Architecture: WINDOWS Score: 100 122 Antivirus detection for URL or domain 2->122 124 Multi AV Scanner detection for submitted file 2->124 126 Yara detected AntiVM3 2->126 128 5 other signatures 2->128 10 0GbdsWiKVp.exe 29 2->10         started        13 wscript.exe 2->13         started        16 wscript.exe 2->16         started        process3 file4 84 C:\Users\user\AppData\Local\...\win32ui.pyd, PE32+ 10->84 dropped 86 C:\Users\user\AppData\...\win32trace.pyd, PE32+ 10->86 dropped 88 C:\Users\user\...\win32com.shell.shell.pyd, PE32+ 10->88 dropped 90 20 other files (none is malicious) 10->90 dropped 18 0GbdsWiKVp.exe 5 9 10->18         started        154 Malicious encrypted Powershell command line found 13->154 156 Wscript starts Powershell (via cmd or directly) 13->156 21 cmd.exe 13->21         started        24 cmd.exe 16->24         started        signatures5 process6 file7 80 C:\Users\user\AppData\Roaming\WindowsA.vbs, UTF-8 18->80 dropped 82 C:\Users\user\AppData\Roaming\rundll32.exe, PE32+ 18->82 dropped 26 wscript.exe 1 18->26         started        29 wscript.exe 1 18->29         started        31 cmd.exe 1 18->31         started        42 3 other processes 18->42 130 Malicious encrypted Powershell command line found 21->130 132 Wscript starts Powershell (via cmd or directly) 21->132 134 Encrypted powershell cmdline option found 21->134 33 powershell.exe 21->33         started        36 conhost.exe 21->36         started        38 powershell.exe 24->38         started        40 conhost.exe 24->40         started        signatures8 process9 dnsIp10 136 Malicious encrypted Powershell command line found 26->136 138 Wscript starts Powershell (via cmd or directly) 26->138 44 cmd.exe 1 26->44         started        47 cmd.exe 1 29->47         started        140 Uses cmd line tools excessively to alter registry or file data 31->140 142 Encrypted powershell cmdline option found 31->142 49 conhost.exe 31->49         started        51 attrib.exe 1 31->51         started        92 us-east-1.route-1.000webhost.awex.io 33->92 94 hfcontent.000webhostapp.com 33->94 144 Writes to foreign memory regions 33->144 146 Injects a PE file into a foreign processes 33->146 53 RegSvcs.exe 33->53         started        96 145.14.145.38, 443, 49769 AWEXUS Netherlands 38->96 98 us-east-1.route-1.000webhost.awex.io 38->98 100 hfcontent.000webhostapp.com 38->100 55 conhost.exe 42->55         started        57 conhost.exe 42->57         started        59 attrib.exe 1 42->59         started        61 3 other processes 42->61 signatures11 process12 signatures13 148 Malicious encrypted Powershell command line found 44->148 150 Wscript starts Powershell (via cmd or directly) 44->150 152 Encrypted powershell cmdline option found 44->152 63 powershell.exe 14 18 44->63         started        67 conhost.exe 44->67         started        69 powershell.exe 16 47->69         started        71 conhost.exe 47->71         started        process14 dnsIp15 106 45.57.245.101, 49758, 49760, 49765 SERVER-MANIACA Canada 63->106 108 us-east-1.route-1.000webhost.awex.io 145.14.144.95, 443, 49756, 49764 AWEXUS Netherlands 63->108 110 hfcontent.000webhostapp.com 63->110 118 Writes to foreign memory regions 63->118 120 Injects a PE file into a foreign processes 63->120 73 RegSvcs.exe 63->73         started        76 RegSvcs.exe 63->76         started        112 145.14.145.68, 443, 49757, 49759 AWEXUS Netherlands 69->112 114 192.168.2.1 unknown unknown 69->114 116 hfcontent.000webhostapp.com 69->116 78 RegSvcs.exe 69->78         started        signatures16 process17 dnsIp18 102 91.245.253.84, 4449, 49777 V4ESCROW-ASRO Romania 73->102 104 zerocool888.duckdns.org 154.16.248.147, 8848 ASDETUKhttpwwwheficedcomGB South Africa 73->104
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dcef9be7998958aa6f72aab41f6fb01c8bceb039b1fd111849c399bd5eab4fb4/
Threat name:
Win64.Trojan.Fsysna
Create hunting rule
Status:
Malicious
First seen:
2021-12-21 17:55:00 UTC
File Type:
PE+ (Exe)
Extracted files:
752
AV detection:
8 of 43 (18.60%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3txzxz4zrfmku33svk2b635qdsf45mbzwh6rcgcjyom32xvlj62a._file
Verdict:
unknown
Similar samples:
30eb8727af3b8a2f4551574c7d826e9f27480e79d242b92d392b1f64091acf12
DCRat
3dcdb90a6140612a5ca5e3a3e7efbc82c43766355399965a200a5753fd1273ad
DCRat
485fcf4c2834e20d71b6765eccd79f6b0880d6a9fdc5d3e519a943862e9b8246
DCRat
57311d2b4a33c4cd2dd65302938876a40539eec1cea6df82539dce8e9c2f29ae
DCRat
71bb29dfc07190aeace9d750fcb2e9a66a8abebab3c6d2c40eb0b3ce93e4c36f
DCRat
83acd77bd1b76095992046c1cd53fd0fb4f0ae9f22f410facf174f4e1ce2f475
DCRat
a364cf1f815223ccb6ec8462e1c883567de1f8ccb8c3ba259aedef55210ae037
DCRat
d4ab30cc8bb9999ceeeb23b2945f38f698d8e80aedacfdfc12333cf0bea966cb
DCRat
ea1213c0a684662e8305cfe1c6eeebbb12a9d1404e7571438d3730cc1df1caab
DCRat
f42c71d191748551be0bbb356e4dc638c60fbdc906e7d6536ed4512c5c7eab3e
DCRat
+ 28 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat botnet:default botnet:venom clients persistence pyinstaller rat upx
Link:
https://tria.ge/reports/211223-sbk3aaaad4/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Blocklisted process makes network request
UPX packed file
Async RAT payload
AsyncRat
Malware Config
C2 Extraction:
91.245.253.84:4449
zerocool888.duckdns.org:8848
Dropper Extraction:
https://hfcontent.000webhostapp.com/ps1/@adambelfort2xor.ps1
Unpacked files
SH256 hash:
dcef9be7998958aa6f72aab41f6fb01c8bceb039b1fd111849c399bd5eab4fb4
MD5 hash:
a3793bbdf9592814251b0cf5cbc1a15a
SHA1 hash:
3250e8b3f454dc0c31784c0f89414ea0b20a4498
Link:
https://www.unpac.me/results/765ca07b-17be-418d-be7d-dae5406363f4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dcef9be7998958aa6f72aab41f6fb01c8bceb039b1fd111849c399bd5eab4fb4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/215986/

Comments