MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dd5383ed9704546324f7e97d31b76e38c2b38b9600fd36fdba920af791488848. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 6


Intelligence 6 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dd5383ed9704546324f7e97d31b76e38c2b38b9600fd36fdba920af791488848
SHA3-384 hash: 71a551fbd4f00f9669ddeec5ca87dab4afafffdeedca699b3eb95a4fbdb30757d7879623d03ea37c0ed27874be1ee5f8
SHA1 hash: 65ac5c6c95852b59db3e78c76fefa6ef0c51036c
MD5 hash: 1d60cfeb99750d66e3e6d485a9f478fc
humanhash: fillet-nebraska-harry-social
File name:Requirement.vbs
Download: download sample
Signature DCRat
Create hunting rule
File size:3'319 bytes
First seen:2021-09-27 17:31:20 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 96:PWfwmc6rmkxdwyXo97iFHT7mohH4wyXaB414XHTw8NN:PMHcrkxdtY97iFlhYt44i3v
Threatray 5'671 similar samples on MalwareBazaar
TLSH T18F61581CA7B8B452D6DB08DCC509FEC608FC54E41F8EF2122BE6BA1E648C85B159C559
Reporter abuse_ch
Tags:DCRat RAT vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
241
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/192222/
Detection(s):
SecuriteInfo.com.ISB.Downloadergen48.19749.27582.UNOFFICIAL
Create hunting rule

Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/859232
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Found malware configuration
Injects a PE file into a foreign processes
Sigma detected: CrackMapExec PowerShell Obfuscation
Uses dynamic DNS services
VBScript performs obfuscated calls to suspicious functions
Very long command line found
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AsyncRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dd5383ed9704546324f7e97d31b76e38c2b38b9600fd36fdba920af791488848/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3vjyh3mxarkggjhx5f6tdn3ohdblhc4wad6tn7n2sifppekirbea._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
0562bb5cd1a74596a0900d3df786db3371e247dcb1150d86889dbc1187b7c04e
DCRat
0b8a5cbe236a7057a2904f18480b85ce9b59b891c0a1a041516248d35760744d
DCRat
19247536d1bb8035395a3a2bca3ecb17c36ddf48fee86a00d9d6e3e4bf622f35
DCRat
3ede9e9bdf0965f93b5351cc4be670b30934bc39aca24a3f3ac5f245f47c5073
DCRat
69e75e57bc4a09c9a3d7726b28423d10df5b0224177ebfa43930668efd0af5da
DCRat
83923b2bb65492892ef63d18dff00654431b27cd409d8fd67d4ba0eadc052c6a
DCRat
959e3ca2579b6be8a11c06763c5a34ec118abc96d869e25bef06319c92da465e
DCRat
f8fb3109639b476089103cd8a0afe01d3f015453c25ecb4f46bf1be8f8b04579
DCRat
+ 5'661 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat botnet:dcl rat
Link:
https://tria.ge/reports/210927-v4a4wshfaq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Blocklisted process makes network request
Async RAT payload
AsyncRat
Malware Config
C2 Extraction:
dclimited.duckdns.org:5529
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/dd5383ed9704/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dd5383ed9704546324f7e97d31b76e38c2b38b9600fd36fdba920af791488848

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_DcRatBy
Create hunting rule
Author:ditekSHen
Description:Detects executables containing the string DcRatBy
Rule name:INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
Create hunting rule
Author:ditekSHen
Description:Detects executables attemping to enumerate video devices using WMI
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/192222/

Comments