MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e94b5bfcea6689274d9bca93a3d77c03ecbf49e2ca1dff4e3fe8baec0f401b3f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 6


Intelligence 6 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e94b5bfcea6689274d9bca93a3d77c03ecbf49e2ca1dff4e3fe8baec0f401b3f
SHA3-384 hash: 9a9538acbae3c2bb6c66e349fd862d3b0da046b748120fe54f5fc97b15b492cf1bd49d396b8391d498e5a8c9b9956fc5
SHA1 hash: 38286d249be4e8d2b9634f261a4d21dab0e103ab
MD5 hash: 32594d7ddc394f7a0e8fdbca8622440c
humanhash: coffee-mars-north-vegan
File name:Agreement_Sep_22nd_2021.vbs
Download: download sample
Signature DCRat
Create hunting rule
File size:2'130 bytes
First seen:2021-09-20 10:44:26 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 48:6YCH1I5/cEoOeUypPK/c6vHRk3zyZefY1YKbtxG:4VYc9OeUCWc6xOQxG
Threatray 1'345 similar samples on MalwareBazaar
TLSH T19F41F083FBE843966CD4D4E4410C67AB54BAC0263C6960D6C7F282ABB4FDC5838F2174
Reporter pr0xylife
Tags:AsyncRAT DCRat vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
177
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/189392/
Detection(s):
SecuriteInfo.com.CL.Downloadergen116.28741.27467.UNOFFICIAL
Create hunting rule

Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/853945
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Compiles code for process injection (via .Net compiler)
Drops VBS files to the startup folder
Found malware configuration
Injects a PE file into a foreign processes
Sigma detected: Drops script at startup location
Sigma detected: Encoded IEX
Sigma detected: Suspicious Csc.exe Source File Folder
Suspicious powershell command line found
VBScript performs obfuscated calls to suspicious functions
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AsyncRAT
Yara detected RUNPE
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 486381 Sample: Agreement_Sep_22nd_2021.vbs Startdate: 20/09/2021 Architecture: WINDOWS Score: 100 76 Found malware configuration 2->76 78 Antivirus detection for dropped file 2->78 80 Yara detected RUNPE 2->80 82 7 other signatures 2->82 10 wscript.exe 1 2->10         started        13 wscript.exe 1 2->13         started        process3 signatures4 88 VBScript performs obfuscated calls to suspicious functions 10->88 90 Suspicious powershell command line found 10->90 92 Wscript starts Powershell (via cmd or directly) 10->92 15 powershell.exe 14 19 10->15         started        20 powershell.exe 13->20         started        process5 dnsIp6 66 pastetext.net 104.21.83.52, 443, 49742 CLOUDFLARENETUS United States 15->66 52 C:\Users\PublicdgeUpdate.PS1, ASCII 15->52 dropped 68 Drops VBS files to the startup folder 15->68 70 Compiles code for process injection (via .Net compiler) 15->70 22 powershell.exe 24 15->22         started        26 conhost.exe 15->26         started        54 C:\...\SystemLoginWindows32BitsSystem.vbs, ASCII 20->54 dropped 56 C:\Users\user\AppData\Local\...\mgytn43l.0.cs, C++ 20->56 dropped 72 Writes to foreign memory regions 20->72 74 Injects a PE file into a foreign processes 20->74 28 csc.exe 20->28         started        30 conhost.exe 20->30         started        32 AppLaunch.exe 20->32         started        34 AppLaunch.exe 20->34         started        file7 signatures8 process9 file10 60 C:\Users\user\AppData\...\40xlxxew.cmdline, UTF-8 22->60 dropped 84 Writes to foreign memory regions 22->84 86 Injects a PE file into a foreign processes 22->86 36 csc.exe 3 22->36         started        39 AppLaunch.exe 2 4 22->39         started        62 C:\Users\user\AppData\Local\...\mgytn43l.dll, PE32 28->62 dropped 42 cvtres.exe 28->42         started        signatures11 process12 dnsIp13 58 C:\Users\user\AppData\Local\...\40xlxxew.dll, PE32 36->58 dropped 44 cvtres.exe 1 36->44         started        64 rick63.publicvm.com 194.5.98.135, 49749, 49811, 5900 DANILENKODE Netherlands 39->64 46 cmd.exe 39->46         started        file14 process15 process16 48 conhost.exe 46->48         started        50 timeout.exe 46->50         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e94b5bfcea6689274d9bca93a3d77c03ecbf49e2ca1dff4e3fe8baec0f401b3f/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5ffvx7hkm2esotm3zkj2hv34apwl6spczio76tr75c5oyd2adm7q._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
12f2e964639c39076f29196264c1dcbd3792eaaaa77aca14986a802a122b341b
DCRat
134970a4894d8c7cfd33a8e26f8d4fe1397cd249d0d864f7e50530c051c1cf8d
DCRat
25e21f55b7fbffe0d90e6845044e3e907964a5c278f29fcd1cf0fff9916a2ac3
DCRat
486b4fcc5a6e4f4e949aa11aa3f2e9d8d2075ac8445617af8c41ab214f6dbfa0
DCRat
4f7e6260b30d732b40936166544b75d8ff162f9c75c73d1f7cd37a7e0d3189d0
DCRat
51e4dce11e58aa2be5d3c73056bf45652de5032dcb29636b28f2c1659df135db
DCRat
61824b191d00e5bfa96a2bfb0da8c98e5fbfa5670da92abbc49d247e7e8e3650
DCRat
ca84e70120b5fb479ca54211645ac24d562849107ef0e04df6741c0b88d6d168
DCRat
ecfaef9e7fc7c83be8beedfcbef268c3d5a91a904ed211fa553c9e9b6aaa9c42
DCRat
+ 1'335 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat botnet:default rat
Link:
https://tria.ge/reports/210920-mtd4ssdgb6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Drops startup file
Blocklisted process makes network request
Async RAT payload
AsyncRat
Malware Config
C2 Extraction:
rick63.publicvm.com:5900
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e94b5bfcea6689274d9bca93a3d77c03ecbf49e2ca1dff4e3fe8baec0f401b3f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_B64_Artifacts
Create hunting rule
Author:ditekSHen
Description:Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Rule name:INDICATOR_SUSPICIOUS_EXE_DcRatBy
Create hunting rule
Author:ditekSHen
Description:Detects executables containing the string DcRatBy
Rule name:INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
Create hunting rule
Author:ditekSHen
Description:Detects executables attemping to enumerate video devices using WMI
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/189392/

Comments