MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fe154355036477bd31cfddcfe4f12d1d8a8baad12f088a6abf5836071509c50e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 8


Intelligence 8 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fe154355036477bd31cfddcfe4f12d1d8a8baad12f088a6abf5836071509c50e
SHA3-384 hash: 912d3a526b24bbf46c3359d85819d2143ec4bcae6b2bae57b49712853b54dffbd9c670e9397d9ec6090680131c6db88b
SHA1 hash: 6dc7edd0435198593f1e3cdb8e72f462f36d1a48
MD5 hash: 6c0d324455c0ab3d5bbb89a86ca8a6ce
humanhash: friend-sixteen-rugby-alabama
File name:Details_06.vbs
Download: download sample
Signature DCRat
Create hunting rule
File size:37'534 bytes
First seen:2021-12-03 11:49:45 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 48:sHNlvFg7DmxQ7gm576q7nL7Fgz8Qjvq7nL7Fg8T8NlvFg7DmxQ7gmEggM576q7nK:srhIXMiKJ1GPQj
Threatray 1'706 similar samples on MalwareBazaar
TLSH T11AF266B52C69C493FB295B41487B36DB6A2413AD0BCF095837237E153B9236E4DE8C4A
Reporter pr0xylife
Tags:AsyncRAT DCRat vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
206
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/211024/
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
powershell
Link:
https://www.filescan.io/uploads/61aa046efa72c81b5b095027/reports/5ad5dbf6-d63c-4dbd-970b-a3f549571432/overview
Result
Verdict:
UNKNOWN
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/900830
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Drops VBS files to the startup folder
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Sigma detected: Change PowerShell Policies to a Unsecure Level
Sigma detected: Drops script at startup location
Sigma detected: Suspicious Csc.exe Source File Folder
VBScript performs obfuscated calls to suspicious functions
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AsyncRAT
Yara detected RUNPE
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 533308 Sample: Details_06.vbs Startdate: 03/12/2021 Architecture: WINDOWS Score: 100 70 Found malware configuration 2->70 72 Antivirus detection for dropped file 2->72 74 Yara detected RUNPE 2->74 76 9 other signatures 2->76 10 wscript.exe 1 2->10         started        13 wscript.exe 1 2->13         started        process3 signatures4 82 VBScript performs obfuscated calls to suspicious functions 10->82 84 Wscript starts Powershell (via cmd or directly) 10->84 86 Bypasses PowerShell execution policy 10->86 15 powershell.exe 14 18 10->15         started        20 powershell.exe 13->20         started        process5 dnsIp6 62 paste.ee 104.26.4.223, 443, 49742 CLOUDFLARENETUS United States 15->62 50 C:\Users\Public\sdftpxxn9yaa.PS1, ASCII 15->50 dropped 64 Drops VBS files to the startup folder 15->64 22 powershell.exe 22 15->22         started        26 conhost.exe 15->26         started        66 Writes to foreign memory regions 20->66 68 Injects a PE file into a foreign processes 20->68 28 csc.exe 20->28         started        30 conhost.exe 20->30         started        32 InstallUtil.exe 20->32         started        file7 signatures8 process9 file10 54 C:\Users\user\...behaviorgraphTXNvdiaLogin64Bits.vbs, ASCII 22->54 dropped 56 C:\Users\user\AppData\...\o4llvdzp.cmdline, UTF-8 22->56 dropped 78 Writes to foreign memory regions 22->78 80 Injects a PE file into a foreign processes 22->80 34 csc.exe 3 22->34         started        37 InstallUtil.exe 2 4 22->37         started        58 C:\Users\user\AppData\Local\...\g0kverhx.dll, PE32 28->58 dropped 40 cvtres.exe 28->40         started        signatures11 process12 dnsIp13 52 C:\Users\user\AppData\Local\...\o4llvdzp.dll, PE32 34->52 dropped 42 cvtres.exe 1 34->42         started        60 rick63.publicvm.com 185.19.85.178, 49743, 49748, 5900 DATAWIRE-ASCH Switzerland 37->60 44 cmd.exe 37->44         started        file14 process15 process16 46 conhost.exe 44->46         started        48 timeout.exe 44->48         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fe154355036477bd31cfddcfe4f12d1d8a8baad12f088a6abf5836071509c50e/
Threat name:
Script-WScript.Downloader.SLoad
Create hunting rule
Status:
Malicious
First seen:
2021-12-03 11:50:10 UTC
File Type:
Text (VBS)
AV detection:
11 of 28 (39.29%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7ykugvidmr332mop3xh6j4jndwfixkwrf4eiu2v7la3aofijyuha._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
12f2e964639c39076f29196264c1dcbd3792eaaaa77aca14986a802a122b341b
DCRat
3959233284f7f4a7bec2a314820e3b8e073591a31dfe8c43a03f7a24833b7fd3
DCRat
3fc706ce01f2ff41e02943699351d1ad3c32160cbd0be0b8bb85f9472303d4c2
DCRat
486b4fcc5a6e4f4e949aa11aa3f2e9d8d2075ac8445617af8c41ab214f6dbfa0
DCRat
51e4dce11e58aa2be5d3c73056bf45652de5032dcb29636b28f2c1659df135db
DCRat
91d07db42921a9ffe88f14cc796ae63454267d252acd7a528b6a2e4ec327310d
DCRat
a341b8f10a51457c11292173cfa48fe49256c9ccef8ec045753b49b2bfa935d6
DCRat
ec1773386924814a953850ec438551a133c27541b156e6d685d9eda1477a65b4
DCRat
ecfaef9e7fc7c83be8beedfcbef268c3d5a91a904ed211fa553c9e9b6aaa9c42
DCRat
+ 1'696 additional samples on MalwareBazaar
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat rat
Link:
https://tria.ge/reports/211203-nzllhagdbp/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Drops startup file
Blocklisted process makes network request
Async RAT payload
AsyncRat
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/fe1543550364/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fe154355036477bd31cfddcfe4f12d1d8a8baad12f088a6abf5836071509c50e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_B64_Artifacts
Create hunting rule
Author:ditekSHen
Description:Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Rule name:INDICATOR_SUSPICIOUS_EXE_DcRatBy
Create hunting rule
Author:ditekSHen
Description:Detects executables containing the string DcRatBy
Rule name:INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
Create hunting rule
Author:ditekSHen
Description:Detects executables attemping to enumerate video devices using WMI
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/211024/

Comments