MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eecf2be58b05e17324df1774fc2a24ed69ed539be3fffdab025e9d60b7ab3e2d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 12


Intelligence 12 IOCs YARA 5 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eecf2be58b05e17324df1774fc2a24ed69ed539be3fffdab025e9d60b7ab3e2d
SHA3-384 hash: ae1b70caf435cec51b2d150fa415b740279865ad090e616dd2f67fe8c9435c66038c95e2308e02fe1614176d8073fe78
SHA1 hash: 76ac138ed9260b94a45cc8c455e59090321f2b8b
MD5 hash: 77d2af9fdae1712c0ceb712df3df132a
humanhash: whiskey-may-apart-pennsylvania
File name:77d2af9fdae1712c0ceb712df3df132a
Download: download sample
Signature DCRat
Create hunting rule
File size:24'576 bytes
First seen:2021-12-23 06:13:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0bf9136bb9c49b909aa5e2a7af9a8048 (1 x RedLineStealer, 1 x DCRat)
ssdeep 192:/T1v0mpdwpTTpwfmp8TSn5l7iU4c6R9nFl7iU4cbRR7E5:/T1vTOn37iUf0nb7iUf05
Threatray 8'404 similar samples on MalwareBazaar
TLSH T1A1B2ED9BF5E0509DE1C9527806A2837AA8157C3A5848E84FFF15BF5E2CB42C2B4F0B17
File icon (PE):PE icon
dhash icon 1003873d31213f10 (142 x DarkCloud, 132 x GuLoader, 35 x a310Logger)
Reporter zbetcheckin
Tags:32 DCRat exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
136
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
77d2af9fdae1712c0ceb712df3df132a
Verdict:
Suspicious activity
Analysis date:
2021-12-23 06:15:51 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/cef5c241-c93f-41f5-962a-7fc907842a65

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/215878/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Launching a process
Creating a process with a hidden window
DNS request
Sending an HTTP GET request
Searching for synchronization primitives
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Forced shutdown of a system process
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/2972/overview
Behaviour
MalwareBazaar
Verdict:
No Threat
Threat level:
  10/10
Confidence:
67%
Tags:
powershell
Link:
https://www.filescan.io/uploads/61c413ad4ab5c44cbf4dab10/reports/3691152c-d6d1-43d7-9692-f4fafb512ed9/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5c5a08e9-d8d6-44af-a83d-2ad6581832fc
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/911856
Signature
Antivirus detection for URL or domain
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious values (likely registry only malware)
Multi AV Scanner detection for submitted file
Potential malicious icon found
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Suspicious PowerShell Command Line
Sigma detected: Suspicious PowerShell Invocations - Specific
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 544334 Sample: RQ81deGsp3 Startdate: 23/12/2021 Architecture: WINDOWS Score: 100 53 Potential malicious icon found 2->53 55 Antivirus detection for URL or domain 2->55 57 Multi AV Scanner detection for submitted file 2->57 59 6 other signatures 2->59 8 RQ81deGsp3.exe 1 2->8         started        10 wscript.exe 2->10         started        12 wscript.exe 2->12         started        process3 process4 14 powershell.exe 8->14         started        18 powershell.exe 15 20 8->18         started        21 mshta.exe 10->21         started        23 mshta.exe 12->23         started        dnsIp5 49 C:\Users\...\Windows Audio Application..vbs, UTF-8 14->49 dropped 63 Creates an undocumented autostart registry key 14->63 65 Creates autostart registry keys with suspicious values (likely registry only malware) 14->65 25 conhost.exe 14->25         started        51 87.251.85.102, 49761, 49762, 49765 GALAXYDATARU Russian Federation 18->51 27 conhost.exe 18->27         started        29 powershell.exe 21->29         started        33 powershell.exe 21->33         started        35 powershell.exe 23->35         started        37 powershell.exe 23->37         started        file6 signatures7 process8 file9 47 C:\Users\...\Windows Audio Application.vbs, UTF-8 29->47 dropped 61 Creates autostart registry keys with suspicious values (likely registry only malware) 29->61 39 conhost.exe 29->39         started        41 conhost.exe 33->41         started        43 conhost.exe 35->43         started        45 conhost.exe 37->45         started        signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/eecf2be58b05e17324df1774fc2a24ed69ed539be3fffdab025e9d60b7ab3e2d/
Threat name:
Win32.Trojan.Midie
Create hunting rule
Status:
Malicious
First seen:
2021-12-20 17:02:40 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
18 of 43 (41.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=53hsxzmlaxqxgjg7c52pykre5vu62u434p773kycl2owbn5lhywq._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
06d230cca12e200a7b7400e0a6a36fec7811a9d88fadb147fef454c953a23061
DCRat
168f62c6ea11a386469563c360ee5517da31015e774ccc9c8ba3d1bd4b4f45ef
DCRat
4d87dc42d7955f0441294956abfd9878b967ca196c6e1a3be40affc4877da5f9
DCRat
85641fdd05980c31b2e8d6d3f6218391dd089780df85a53e24a1f3f0abdf6a24
DCRat
c25d7f5497f9a12e564244665d9e83740bbcb88fa384fba9d3bc704f4da7d442
DCRat
f6401919fd20e698ec964ca0df4eee18c1f13852eef32a9246fe4605cff79969
DCRat
fc2efbe9d556ba1bfae20033d0cb3503d4db0f09cce8090baefc78ecb897da49
DCRat
+ 8'394 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat botnet:network persistence rat
Link:
https://tria.ge/reports/211223-gzbyqshhbp/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Blocklisted process makes network request
Async RAT payload
AsyncRat
Malware Config
C2 Extraction:
185.7.214.8:4449
Dropper Extraction:
http://87.251.85.102/veno1/YES.PNG
http://87.251.85.102/veno1/AU.PNG
Unpacked files
SH256 hash:
eecf2be58b05e17324df1774fc2a24ed69ed539be3fffdab025e9d60b7ab3e2d
MD5 hash:
77d2af9fdae1712c0ceb712df3df132a
SHA1 hash:
76ac138ed9260b94a45cc8c455e59090321f2b8b
Link:
https://www.unpac.me/results/7d74e3a8-77a9-450a-af1f-f6270cec86fa/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/eecf2be58b05e17324df1774fc2a24ed69ed539be3fffdab025e9d60b7ab3e2d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Fody
Create hunting rule
Author:ditekSHen
Description:Detects executables manipulated with Fody
Rule name:INDICATOR_SUSPICIOUS_EXE_DcRatBy
Create hunting rule
Author:ditekSHen
Description:Detects executables containing the string DcRatBy
Rule name:INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
Create hunting rule
Author:ditekSHen
Description:Detects executables attemping to enumerate video devices using WMI
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DCRat

Executable exe eecf2be58b05e17324df1774fc2a24ed69ed539be3fffdab025e9d60b7ab3e2d

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1912961/
Cape
Cape
https://www.capesandbox.com/analysis/215878/

Comments


Avatar
zbet commented on 2021-12-23 06:13:51 UTC

url : hxxp://87.251.85.102/veno1/veno1.exe