MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eb50f1549e55f943b73285db4c4e7edcb7f34a0f67f65b1dbed2b13a819bc962. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 12


Intelligence 12 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eb50f1549e55f943b73285db4c4e7edcb7f34a0f67f65b1dbed2b13a819bc962
SHA3-384 hash: c7d069eb1ae3686ea7fa1e8f47b219a4b44aaf24222c3da2a0cc0ef68e19e1bc5890918a66e6745a5aec579f65d62f77
SHA1 hash: faf9d65012541db14028327c03a8a78a2a108b03
MD5 hash: 180806f8d78d49ab48d39e297865c72a
humanhash: kansas-lithium-summer-green
File name:HEUR-Trojan-Spy.MSIL.Stealer.gen-eb50f1549e55.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:1'525'248 bytes
First seen:2023-08-26 12:45:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'935 x AgentTesla, 19'827 x Formbook, 12'310 x SnakeKeylogger)
ssdeep 24576:lyxYeTpUhC5vBS/oNHlnDXHp0wq3cFUNN/lvzUBC7N++4:lvhCRVFDXlqGw5
Threatray 15 similar samples on MalwareBazaar
TLSH T17F656B027E4AED02C0292637C9DF552447A8FE497B67DB1A7E9F335D62123A70D0E1CA
TrID 47.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
20.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
8.4% (.SCR) Windows screen saver (13097/50/3)
6.8% (.EXE) Win64 Executable (generic) (10523/12/4)
4.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
Reporter abuse_ch
Tags:DCRat exe


Avatar
abuse_ch
DCRat C2:
http://a0567586.xsph.ru/authmulti.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
369
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
dcrat
Create hunting rule
ID:
1
File name:
HEUR-Trojan-Spy.MSIL.Stealer.gen-eb50f1549e55.exe
Verdict:
Malicious activity
Analysis date:
2023-08-26 12:46:44 UTC
Tags:
rat backdoor dcrat remote
Link:
https://app.any.run/tasks/ab883e42-80fa-47c8-aaf4-c668b522c1d4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Malware.Uztuby-9848412-0
Create hunting rule

Win.Packed.Uztuby-9851623-0
Create hunting rule

Win.Packed.Uztuby-9875336-0
Create hunting rule

Win.Packed.Uztuby-9877681-0
Create hunting rule

Win.Malware.Uztuby-9878616-0
Create hunting rule

Win.Malware.Uztuby-9878756-0
Create hunting rule

Win.Packed.Uztuby-9884169-0
Create hunting rule

Win.Packed.Uztuby-9889426-0
Create hunting rule

Win.Packed.Basic-9952747-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file in the system32 subdirectories
Using the Windows Management Instrumentation requests
Launching a process
Creating a file in the Program Files subdirectories
Creating a file in the Windows subdirectories
Creating a file
Creating a process from a recently created file
Creating a process with a hidden window
DNS request
Connecting to a non-recommended domain
Sending an HTTP GET request
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug anti-vm cmd control explorer keylogger lolbin net obfuscated schtasks stealer
Link:
https://www.filescan.io/uploads/64e9f40b5506a0cc9524e319/reports/b2267304-583a-4057-b601-f59fd36a15d9/overview
Verdict:
Malicious
Labled as:
Trojan.MSIL.Basic.8
Link:
https://www.hybrid-analysis.com/sample/eb50f1549e55f943b73285db4c4e7edcb7f34a0f67f65b1dbed2b13a819bc962
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/16f1e443-979e-4603-aada-d919f8415388
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1297835
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Creates an autostart registry key pointing to binary in C:\Windows
Creates multiple autostart registry keys
Creates processes via WMI
Drops executables to the windows directory (C:\Windows) and starts them
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected DCRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1297835 Sample: HEUR-Trojan-Spy.MSIL.Steale... Startdate: 26/08/2023 Architecture: WINDOWS Score: 100 42 Found malware configuration 2->42 44 Malicious sample detected (through community Yara rule) 2->44 46 Antivirus / Scanner detection for submitted sample 2->46 48 9 other signatures 2->48 7 HEUR-Trojan-Spy.MSIL.Stealer.gen-eb50f1549e55.exe 6 22 2->7         started        11 WmiPrvSE.exe 14 3 2->11         started        14 MmRTMUncBqVRIvIYFAkJE.exe 14 3 2->14         started        16 7 other processes 2->16 process3 dnsIp4 30 C:\...\MmRTMUncBqVRIvIYFAkJE.exe, PE32 7->30 dropped 32 C:\Windows\...\MmRTMUncBqVRIvIYFAkJE.exe, PE32 7->32 dropped 34 C:\Windows\System32\wbem\...\WmiPrvSE.exe, PE32 7->34 dropped 36 2 other malicious files 7->36 dropped 56 Creates multiple autostart registry keys 7->56 58 Creates an autostart registry key pointing to binary in C:\Windows 7->58 60 Creates processes via WMI 7->60 18 cmd.exe 1 7->18         started        40 a0567586.xsph.ru 141.8.197.42, 49719, 49720, 49721 SPRINTHOSTRU Russian Federation 11->40 62 Antivirus detection for dropped file 11->62 64 Multi AV Scanner detection for dropped file 11->64 66 Machine Learning detection for dropped file 11->66 file5 signatures6 process7 process8 20 MmRTMUncBqVRIvIYFAkJE.exe 2 18->20         started        24 w32tm.exe 1 18->24         started        26 conhost.exe 18->26         started        28 chcp.com 1 18->28         started        dnsIp9 38 a0567586.xsph.ru 20->38 50 Antivirus detection for dropped file 20->50 52 Multi AV Scanner detection for dropped file 20->52 54 Machine Learning detection for dropped file 20->54 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/eb50f1549e55f943b73285db4c4e7edcb7f34a0f67f65b1dbed2b13a819bc962/
Threat name:
ByteCode-MSIL.Backdoor.DCRat
Create hunting rule
Status:
Malicious
First seen:
2021-08-10 00:04:00 UTC
File Type:
PE (.Net Exe)
AV detection:
28 of 38 (73.68%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5nipcve6kx4uhnzsqxnuytt63s37gsqpm73fwhn62kytvam3zfra._file
Verdict:
malicious
Similar samples:
1d50e2d78f933c77c53253df393839673c730d3aed70610b579bd178aed3a1ff
DCRat
2131b75617c740ddba1b808e0decc1e7054e34e6ce51c91bc4b848a52050e728
DCRat
4cced7c39444bc55a0cd79b0384b24517e355e0d70ab20019af96f2a7c181cd8
DCRat
64372c3ad1a4fff52786f20761db9c67605a533f0b5c48311b9cb005c24e0314
DCRat
791abb6d6739a00917f0bfe2ab5ca3b61a58e228d19fed16d156dbd0579b310e
DCRat
f4c62f1bb28e7734697495b0125bcf943c6f528c297fa904865e58165e030a2a
DCRat
+ 5 additional samples on MalwareBazaar
Result
Malware family:
dcrat
Create hunting rule
Score:
  10/10
Tags:
family:dcrat infostealer persistence rat
Link:
https://tria.ge/reports/230826-pzl3psca6v/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Executes dropped EXE
DCRat payload
DcRat
Process spawned unexpected child process
Unpacked files
SH256 hash:
eb50f1549e55f943b73285db4c4e7edcb7f34a0f67f65b1dbed2b13a819bc962
MD5 hash:
180806f8d78d49ab48d39e297865c72a
SHA1 hash:
faf9d65012541db14028327c03a8a78a2a108b03
Link:
https://www.unpac.me/results/e157417f-27d1-4cf5-914c-1cebc36331fa/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/eb50f1549e55f943b73285db4c4e7edcb7f34a0f67f65b1dbed2b13a819bc962

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:msil_suspicious_use_of_strreverse
Create hunting rule
Author:dr4k0nia
Description:Detects mixed use of Microsoft.CSharp and VisualBasic to use StrReverse
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_NET_Msil_Suspicious_Use_StrReverse
Create hunting rule
Author:dr4k0nia, modified by Florian Roth
Description:Detects mixed use of Microsoft.CSharp and VisualBasic to use StrReverse
Reference:https://github.com/dr4k0nia/yara-rules

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments