MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a468384b275c437d13c05d8433a2223910db37b9251fe0602752a7dc7664253c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DCRat

Vendor detections: 15

SHA256 hash: a468384b275c437d13c05d8433a2223910db37b9251fe0602752a7dc7664253c
SHA3-384 hash: 2298c09ec6971d65bad2dc621e7cb6490c6dc9e511417a1c8e877f0af7dd03edd3ff973b44e668d0d079e10406395417
SHA1 hash: dca3c3572947d17576f1530c9dc342bf0d9a70d8
MD5 hash: 0d8ef6d15966eb940b00e078b0ae0bb1
humanhash: wyoming-magnesium-zulu-angel
File name: 0d8ef6d15966eb940b00e078b0ae0bb1.exe
Signature: DCRat
File size: 1'628'672 bytes
First seen: 2023-04-27 08:15:23 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: d5d9d937853db8b666bd4b525813d7bd (40 x DCRat, 28 x njrat, 5 x RedLineStealer)
ssdeep: 24576:Yv3+VeXk/DmHMhtQ6pmnQ4+LGddwLRjd4wbvla4ESuu2k9hs:K+JysLQ6pmaayjddb9VrQkzs
TLSH: T11275339FB89269CED1AD5239027AA2AF6A7AF70021560CDF5347282DC50FDECC54391F
TrID:
  83.6% (.EXE) Win32 Executable MS Visual C++ 4.x (134693/65)
  4.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  3.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
  2.7% (.EXE) Win32 Executable (generic) (4505/5/1)
  1.2% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE): PE icon
dhash icon: 400c6b6b9b9a0092 (1 x DCRat)
Reporter: abuse_ch
Tags: DCRat exe


abuse_ch
DCRat C2:
http://188.120.226.231/wpLongpoll5Base/jsProcess/Geotest6multi/serverWp5Dle/36Pythonimage/7generatorprocessor6/wordpressMulti/central6/Datalife0/4dbjspoll/VideoHttpTestCentral.php

Intelligence

File Origin
# of uploads: 1
# of downloads: 269
Origin country: NL

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 0d8ef6d15966eb940b00e078b0ae0bb1.exe
Verdict: No threats detected
Analysis date: 2023-04-27 08:15:52 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
  Creating a window

Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
  MalwareBazaar
  CheckCmdLine

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: packed poison shell32.dll

Result
Verdict: MALICIOUS
Details
  Windows PE Executable
  Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: DCRat, Neshta
Detection: malicious
Classification: spre.troj.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to hide user accounts
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Creates processes via WMI
Drops executable to a common third party application directory
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with a suspicious file extension
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Hides threads from debuggers
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected DCRat
Yara detected Neshta
Behaviour
Behavior Graph:
Behavior Graph ID: 854958
Sample: Xk77tN6zAO.exe
Startdate: 27/04/2023
Architecture: WINDOWS
Score: 100
Top-level signatures: Snort IDS alert for network traffic; Found malware configuration; Antivirus detection for URL or domain; 13 other signatures
Top-level processes started: Xk77tN6zAO.exe; OtJoSKEjZkwQhRzMZutOGGIoPql.exe; WmiPrvSE.exe; 21 other processes
Xk77tN6zAO.exe
  dropped: C:\Users\user\AppData\Local\...\Launcher.exe (PE32); C:\Users\user\AppData\Local\...\L0uncher.exe (PE32)
  signatures: Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
  started: L0uncher.exe; Launcher.exe
OtJoSKEjZkwQhRzMZutOGGIoPql.exe
  signatures: Multi AV Scanner detection for dropped file
L0uncher.exe (started by Xk77tN6zAO.exe)
  dropped: C:\Windows\svchost.com (PE32); C:\Users\...\OtJoSKEjZkwQhRzMZutOGGIoPql.exe (PE32); C:\Users\user\AppData\Local\...\L0uncher.exe (PE32); 111 other malicious files
  signatures: Creates an undocumented autostart registry key; Drops PE files with a suspicious file extension; Drops executable to a common third party application directory; Infects executable files (exe, dll, sys, html)
  started: L0uncher.exe
Launcher.exe
  dropped: C:\Users\user\AppData\...\hyperportinto.exe (PE32)
  started: wscript.exe
L0uncher.exe (second instance, started by L0uncher.exe)
  signatures: Hides threads from debuggers
  started: conhost.exe
wscript.exe
  network: 192.168.2.1 unknown unknown
  started: cmd.exe
cmd.exe
  started: hyperportinto.exe; conhost.exe
hyperportinto.exe
  dropped: C:\Windows\...\WmiPrvSE.exe (PE32); C:\Users\...\OtJoSKEjZkwQhRzMZutOGGIoPql.exe (PE32); C:\Users\...\OtJoSKEjZkwQhRzMZutOGGIoPql.exe (PE32); 3 other malicious files
  signatures: Creates multiple autostart registry keys; Creates an autostart registry key pointing to binary in C:\Windows; Creates processes via WMI
Threat name: Win32.Trojan.VBinder
Status: Malicious
First seen: 2023-04-22 20:17:55 UTC
File Type: PE (Exe)
Extracted files: 2
AV detection: 22 of 22 (100.00%)
Threat level: 5/5
Verdict: malicious

Result
Malware family:
Score: 10/10
Tags: family:dcrat family:neshta evasion infostealer persistence rat spyware stealer
Behaviour
Creates scheduled task(s)
Kills process with taskkill
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Modifies system executable filetype association
Reads user/profile data of web browsers
Stops running service(s)
DCRat payload
DcRat
Modifies WinLogon for persistence
Neshta
Process spawned unexpected child process
Unpacked files

SHA256 hash: 18fe48031a18449fab109af60ba11c09558d0a388962c14c1be453aff9126c0f
MD5 hash: ad122d61ca248b162cc410a0d8220ee5
SHA1 hash: c0c0f96efde22b527c90d8b3552f0a5584e317bb

SHA256 hash: e16d31256434834519f0fc54095f9a5e03700adaba2e51a75dad1ab581441323
MD5 hash: 1edd3839f47ae345890b4dc71ba6cfe5
SHA1 hash: 0b6593476cd3f7a7292c1e5f63e137aebb147708

SHA256 hash: ffe2511382eaef347d20e5482eb50babe18672aadeb479e2e960b4b1efcda5fa
MD5 hash: 237983cab05d288a6ce10c5a52817897
SHA1 hash: 23a88c708a18f0e513231357668075b112d366d0
Detections: win_neshta_auto

SHA256 hash: 3b2d67c12fb9248a282b48b115ba3c3f339ee9d4e37c381793db4b1b64d88fd3
MD5 hash: 1dde40817b31fedcd414a7857387d8da
SHA1 hash: b67f778e885d5957d4be981ff581104d77f6ab43

SHA256 hash: fe9b06f8efd352674036543cb615db7a6e40a8c7802cfb4b5e064bf66800b275
MD5 hash: 793193bc4b137b27cab60d55e0a806ab
SHA1 hash: 161b921f9a91ee162f87cca4b7dbd85a876fa27c
Detections: win_xorist_auto

SHA256 hash: a468384b275c437d13c05d8433a2223910db37b9251fe0602752a7dc7664253c
MD5 hash: 0d8ef6d15966eb940b00e078b0ae0bb1
SHA1 hash: dca3c3572947d17576f1530c9dc342bf0d9a70d8
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments