MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e5c9d1b6f77188c03e94713b41f00afc6d12e6f82daf3604d5f34c584c2389ff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DCRat

Vendor detections: 12

Intelligence 12 IOCs YARA 7 File information Comments

SHA256 hash:	e5c9d1b6f77188c03e94713b41f00afc6d12e6f82daf3604d5f34c584c2389ff
SHA3-384 hash:	d8e8524d9a204315cea0de356a6803e9dd4e797ed7444316532b0c5d75d1ea6279368027bb1b374014ea683e8aacf211
SHA1 hash:	1d103ce2b7149c0e1a5b2fc6722bbf41d078e654
MD5 hash:	80c6f3f766ffc819d3747deb5ae9dce2
humanhash:	maryland-oregon-speaker-comet
File name:	file.exe
Download:	download sample
Signature	DCRat Create hunting rule
File size:	842'400 bytes
First seen:	2023-04-15 07:16:21 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	5a938367ff1218e8ce81e8bf10050a38 (4 x RedLineStealer, 1 x DCRat, 1 x CoinMiner)
ssdeep	12288:r5O2eftpAOH6VBS/bG2IjOREzFNqnfGLF7KxzPF6BkHqLvVQXDPmj:EftpUzSD+jOcqfAF7KxzPPKL9om
Threatray	2'002 similar samples on MalwareBazaar
TLSH	T15C05E101A14180B1D62BA530ACD9BB5BD13DE2117778F6FF3346063B5E7A1F6A8312E6
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	abuse_ch
Tags:	DCRat exe

Intelligence

File Origin

# of uploads :

# of downloads :

232

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file.exe

Verdict:

No threats detected

Analysis date:

2023-04-15 07:17:44 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/09c1a1af-faa2-41da-8317-21b974595a57

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

DCRat

Link:

https://www.capesandbox.com/analysis/382388/

Detection(s):

SecuriteInfo.com.Variant.Jaik.139663.30589.32753.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a process

Creating a window

Сreating synchronization primitives

Searching for synchronization primitives

Sending a custom TCP request

Unauthorized injection to a system process

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/79713/overview

Behaviour

MalwareBazaar

MeasuringTime

SystemUptime

CPUID_Instruction

CheckCmdLine

EvasionGetTickCount

EvasionQueryPerformanceCounter

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

dcrat greyware overlay packed

Link:

https://www.filescan.io/uploads/643a4f6ef4a1f6ede14ed89f/reports/31b76168-4d32-4a77-9526-becd1698d757/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/e5c9d1b6f77188c03e94713b41f00afc6d12e6f82daf3604d5f34c584c2389ff

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/9699b2ae-d52c-4df0-8099-a28d02cdddc4

Result

Threat name:

DCRat

Detection:

malicious

Classification:

troj.evad

Score:

75 / 100

Link:

https://www.joesandbox.com/analysis/1214279

Signature

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Writes to foreign memory regions

Yara detected DCRat

Yara detected Generic Downloader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e5c9d1b6f77188c03e94713b41f00afc6d12e6f82daf3604d5f34c584c2389ff/

Threat name:

Win32.Trojan.Zusy

Status:

Malicious

First seen:

2023-04-14 21:17:19 UTC

File Type:

PE (Exe)

AV detection:

16 of 24 (66.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=4xe5dnxxogemapuuoe5ud4ak7rwrfzxyfwxtmbgv6ngfqtbdrh7q._file

Verdict:

malicious

DCRat

6461952908bf12e4e88547e8e736d9665a76590cf09f7c0c97c649e4f668453d

DCRat

bb60a1b440e724320be0da80d1804440d329e5be5ae318563c6cf858ce26008a

DCRat

c1266acce2c7a4c69f64c2226a8f780b2688ecf0f1812d0083a85648d350a666

DCRat

c3d08c9293f87258ab312e53d5b830c60aa4717a9dc87a76d34f421ba19ad6a9

DCRat

cd716a11679b98b42382e72283c0fa785d8a4b041bee8044a2c7dffae2142446

DCRat

+ 1'992 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/230415-h4clhaeh7y/

Behaviour

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Unpacked files

SH256 hash:

d4d2f9c9bbb0dbf2e823b4618059e7a3f1f448324a51014fbb96db59e8a7da92

MD5 hash:

ddf512dceb5651e4183b2476c9443271

SHA1 hash:

4cebbf808cacf801860373891f54a9b009e100f9

Link:

https://www.unpac.me/results/a515bcff-f91a-48a7-b5b5-e80f6ef21552/

SH256 hash:

d5189a5f9be871c1e958b8fa85a4c03cb50a87acda59921591bdaf20b583ec14

MD5 hash:

3e56a1eb3020ef3fb1097eb149adb44b

SHA1 hash:

97a269865318dd7dbfb5df7a63c3e302e4722433

Link:

https://www.unpac.me/results/a515bcff-f91a-48a7-b5b5-e80f6ef21552/

SH256 hash:

b11ad1adfa96eacf5f18cf87785884947a6d35a1baebf4f20f16402b04d5109f

MD5 hash:

89bf0f7e9adf290c6d571eccf79206a9

SHA1 hash:

65f95791234ff93bc3e35f1d35d7a6664872dc56

Detections:

win_xorist_auto

Link:

https://www.unpac.me/results/a515bcff-f91a-48a7-b5b5-e80f6ef21552/

Parent samples :

d5775aecd2e8d149e2b9ba576ddc2db3624a974cafc8fc1df318226fc2c6d4b4
8e997bef9ad61722cb7b782da93b7373acd19dbdc4cb91b47e80280e2100b6a3
5ba1b028da2c0e52c38c7a55bf1e7952cc50c907576ec2f22b6a25d691dde2d6
be15d47389920ab9637eefc24bbf6c191607013a3d2608c1243a377aacb5d4ce
f027301d00c6bc4b1c87e5e3266775f395907fa04e2c768b7082381d60880f82
b1088573c2e783e97fb07ccf1d8d8e9372ccd8983cc07c7ee9c6989a3844b334
e5c9d1b6f77188c03e94713b41f00afc6d12e6f82daf3604d5f34c584c2389ff
45e1440acf3453915252d0d61ffcee6fd96170ccf2323c16178dfaaa186565f8
1a659b2d6922bd1ea186c53148094c26733368e9099ea037a83912c02a59d410
f733fbe95a7fe8a2c0ef459b05fed88b7a295de5e39c591bf62d3e0a5575e6fc
658b0a01404144b5da03574e2a05b6c02030baa2276b9e047174c6ccb3e8918d
cf4efad0b9d74151b09be4acfb12d1aea2a9e316b97a2eb7f4ca8ac12b0e6d8c
381bb149e04bec8f62336cdf3c81741c2c7a471f6dacc2f7835eb174643abad7
284f083103d1c160d9e4721ecce515646ce451a1b7ddf9dd89817904e21a4a2d
1a39cff5d5b0b550cd9b30f08c0e32430c2e1b92aecc663d4151789e54d13f64
1b881d8c3ba53e9b250de6d1118a27738fd8e88fd475e3e01afabd4e627f83a2
e0abb4fa147097a4fb1758ed20b7d1a54f020d0de2d8144a2beaec404acb4d4c
2ec983b4653f6a5ee028e9ecfa37d8cf2404a10e9691bb8ed39023be643ef55e
797bbd3d5e08ab4919540911ab6149be0c6f38de3659378bf38fc5ac01ccee48
4cc156f578777710f3ce0c217664b9830ddfcab407f0c6de0cae10d5501d1ca1
4d908524b238846077a6fb1df34be93ae926e13c15bb8ac5c45a8980ef4862ce
581a31b1ddaa6eea7b78a57b4615d8def8c688aeb0dd38da8a0ef3d248e88892
8ac5083f52da0ff312259331f65b326782803aa837a7b371a6d43a021b0c24c3
7816a1291d7c035b81b68f8e5f65e10f952beb2bf1ce9d125bfe9d44a378ee9f
e1a60229372db9d65dbadfe6db923edf3987ac9f908878491bd12497613324d8
41bd2718e24b2367c4a29a6eb94045d4ce1e29b4d6ca99d7d2d8b14e316e18f5
ab71530434f64e6aa105732c42dbb5a409ac0aae4258b3c3e7db1a7d5914cc30
3b88fdeb5144b0f3a710b42cefa937e57aed28001acb82562229472ce258a124
70fbebc77d5f37a0ffd373be6ee9f218a5ea30b86e395e7212b850f0f6934b6f
294003b3626890da222c7aeb34f7ac71cec614026c686fd88df269cc175a0e8c
a6ca0d0f6c47f310778e8d3a82f96ce6b6e70e1248a17f73fda6dff59653b761
9e90c1219aac375230e375f3d641f6b1edb2968acb41d542528ad744714c9b35
1d6628a6cd66f3dd7f3377ee1c30e8a92cedb1d40f5a121b84e5ab84a0e19909
841eb644979b3c640761762645c9cd26f9bb46e558eaeb7bf0c2a79e761878f4
1b304c8a2ae4546bd7958c7f22becaf6b682a5c88b7a01945a952de991b0ef0b
693cf45b243073eeb5479f4b29ff36c417b858b042363cf1a53d7623504a6d29
f9fd2f63fb1b73be1e960ab5a6572aa6968279e56a95bb846fa7ea4110ab867c
5680eb1ffa1fac4f1c5a78024331ff7dd8982138d89d2df4ec56996b44c9cc99
48be2502fad84657b383c41b2616f34a029f9a39d63aae1a1714faf7ba79e3da

SH256 hash:

e5c9d1b6f77188c03e94713b41f00afc6d12e6f82daf3604d5f34c584c2389ff

MD5 hash:

80c6f3f766ffc819d3747deb5ae9dce2

SHA1 hash:

1d103ce2b7149c0e1a5b2fc6722bbf41d078e654

Link:

https://www.unpac.me/results/a515bcff-f91a-48a7-b5b5-e80f6ef21552/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/e5c9d1b6f771/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/e5c9d1b6f77188c03e94713b41f00afc6d12e6f82daf3604d5f34c584c2389ff

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AppLaunch Create hunting rule
Author:	iam-py-test
Description:	Detect files referencing .Net AppLaunch.exe

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	sfx_pdb Create hunting rule
Author:	@razvialex
Description:	Detect interesting files containing sfx with pdb paths.

Rule name:	sfx_pdb_winrar_restrict Create hunting rule
Author:	@razvialex
Description:	Detect interesting files containing sfx with pdb paths.

Rule name:	win_xorist_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.xorist.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/382388/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample