MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ec5ef85aa6d6c9a7cb797c88ab6fe26b547a2cc22ccc0fc84c6c697b3ac2c6d7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DCRat

Vendor detections: 12

Intelligence 12 IOCs YARA 23 File information Comments

SHA256 hash:	ec5ef85aa6d6c9a7cb797c88ab6fe26b547a2cc22ccc0fc84c6c697b3ac2c6d7
SHA3-384 hash:	cdb4494411c1c863eb1ca8e6fec390f5b90257bf7a45bf17c624c4fca3b2313751e775e83bf8e9018abd02cc9c9139ec
SHA1 hash:	3588a8e6307be6e9035a199720c831d8835d0023
MD5 hash:	df938284654be1e804833d47e069b122
humanhash:	autumn-asparagus-uniform-tennessee
File name:	DF938284654BE1E804833D47E069B122.exe
Download:	download sample
Signature	DCRat Create hunting rule
File size:	1'305'088 bytes
First seen:	2024-02-08 07:40:17 UTC
Last seen:	2024-02-08 09:33:01 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	2e5467cba76f44a088d39f78c5e807b6 (132 x DCRat, 113 x njrat, 80 x RedLineStealer)
ssdeep	24576:YKUHrZy5XGgwQFqL8pgltJ5G73pxOzMWRCn5THfwqHqx9XaD76ni8h9as:VUYGUkWGu7DyMFHlU5X3hI
Threatray	200 similar samples on MalwareBazaar
TLSH	T108553384E5CC7F6CFCB78AB6A990895494359162FE4B63FF32547CC1C22D22522B781E
TrID	25.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 19.1% (.EXE) Win16 NE executable (generic) (5038/12/1) 17.1% (.EXE) Win32 Executable (generic) (4504/4/1) 7.8% (.EXE) Win16/32 Executable Delphi generic (2072/23) 7.8% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	abuse_ch
Tags:	DCRat exe

abuse_ch

DCRat C2:
http://553689cm.nyashsens.top/TosecurepacketgeocpuauthSqlWindowspublictemp.php

Intelligence

File Origin

# of uploads :

# of downloads :

343

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/475333/

Detection(s):

PUA.Win.Packer.EnigmaProtector-19

PUA.Win.Packer.EnigmaProtector-1

PUA.Win.Packer.EnigmaProtector-9852682-0

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

bladabindi enigma lolbin obfuscated packed packed shell32

Link:

https://www.filescan.io/uploads/65c48598bf0e860d2bdb7f07/reports/dd078ea5-95e4-413c-bfb8-e171aa65cd11/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/ec5ef85aa6d6c9a7cb797c88ab6fe26b547a2cc22ccc0fc84c6c697b3ac2c6d7

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

DCRat

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ece1604c-f4de-4b1c-bdcb-fcf7a2d38204

Result

Threat name:

DCRat

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1388892

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Hides threads from debuggers

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

PE file has nameless sections

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Snort IDS alert for network traffic

Yara detected DCRat

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/ec5ef85aa6d6c9a7cb797c88ab6fe26b547a2cc22ccc0fc84c6c697b3ac2c6d7

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ec5ef85aa6d6c9a7cb797c88ab6fe26b547a2cc22ccc0fc84c6c697b3ac2c6d7/

Threat name:

Win32.Trojan.Znyonm

Status:

Malicious

First seen:

2024-02-04 14:10:19 UTC

File Type:

PE (Exe)

AV detection:

20 of 24 (83.33%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=5rppqwvg23e2ps3zpsekw37cnnkhulgcftga7scmnruxwowcy3lq._file

Verdict:

malicious

DCRat

1f80a5027a30b618996426f0c02d630d7b275351f524fd9b5644e9f6db779be9

DCRat

2b1fed2ea6c60f4ab2e657bb20d60d0acda9deea0795efe50c4eb2e31f7312e9

DCRat

6a6207965b2fd4f5f747f99a1d4b9688a141dbfd2683f6826505b0104d60c956

DCRat

82e31b9bef8bdc34385c82db1239f570fccdb0b96a8f1ae0dcd4fa7abcc9ca25

DCRat

9c6c5f7fa825c84fb433ae6ebb655ac849b74a760c17b86d3dd1e8ce6e074749

DCRat

fd11715f74c03c006abf3d00ef802d9ed283ffa17ded36537b2d240757185fbc

DCRat

+ 190 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/240208-jh4zasbe9t/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Program crash

Suspicious use of NtSetInformationThreadHideFromDebugger

Unpacked files

SH256 hash:

b0c112cf3f74e6bd81204c5dfd78ecd148d380f1c372162f503e884d072e973c

MD5 hash:

a3a8469327f8f80896f1cf4c57ea8026

SHA1 hash:

6090f73ba8b0ce4be59fff9af1fdddc394aedde1

Link:

https://www.unpac.me/results/a431859c-ae58-47a7-a53e-e9d22a21fe03/

SH256 hash:

ec5ef85aa6d6c9a7cb797c88ab6fe26b547a2cc22ccc0fc84c6c697b3ac2c6d7

MD5 hash:

df938284654be1e804833d47e069b122

SHA1 hash:

3588a8e6307be6e9035a199720c831d8835d0023

Detections:

SUSP_XORed_URL_In_EXE

Link:

https://www.unpac.me/results/a431859c-ae58-47a7-a53e-e9d22a21fe03/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

iSpy Keylogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ec5ef85aa6d6c9a7cb797c88ab6fe26b547a2cc22ccc0fc84c6c697b3ac2c6d7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BobSoftMiniDelphiBoBBobSoft Create hunting rule
Author:	malware-lu

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Thread Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	EnigmaProtector11X13XSukhovVladimirSergeNMarkin Create hunting rule
Author:	malware-lu

Rule name:	EnigmaStub Create hunting rule
Author:	@bartblaze
Description:	Identifies Enigma packer stub.

Rule name:	INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing bas64 encoded gzip files

Rule name:	maldoc_getEIP_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	SHA512_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA384/SHA512 constants

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	SUSP_XORed_URL_In_EXE Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	SUSP_XORed_URL_in_EXE_RID2E46 Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	vmdetect Create hunting rule
Author:	nex
Description:	Possibly employs anti-virtualization techniques

Rule name:	win_smominru_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.smominru.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/475333/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample