MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 01890b0c69f77d95b535fe25ecabacd58d728e4a35bef959c41c1886dba50e8d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 17


Intelligence 17 IOCs 1 YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 01890b0c69f77d95b535fe25ecabacd58d728e4a35bef959c41c1886dba50e8d
SHA3-384 hash: 2094b6cc1e1243a21ad5e3c472ba0d54a4f6ff2640eddada10aac8b1bfb34510cf00adb0dc4bc76015558bd7f3b9cd57
SHA1 hash: c9772a3db677b2f70a4e9a2a774592affcddb9f4
MD5 hash: 3ba9ffc45ad7dcee17b186aa87448385
humanhash: wolfram-ink-bacon-robin
File name:3ba9ffc45ad7dcee17b186aa87448385.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:919'040 bytes
First seen:2024-09-17 20:05:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:OI+EyVYMD/n2w1r4khA8DoyXDQQICrG0:F+EqDe0k
Threatray 990 similar samples on MalwareBazaar
TLSH T10C1518057E46CE11F019123BC2EF45489BB09C516AE6E32B7DBA376E16223937C0D9DB
TrID 51.8% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
22.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
7.4% (.EXE) Win64 Executable (generic) (10523/12/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika pebin
Reporter abuse_ch
Tags:DCRat exe


Avatar
abuse_ch
DCRat C2:
http://govnos3z.beget.tech/20061e37.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://govnos3z.beget.tech/20061e37.php https://threatfox.abuse.ch/ioc/1325716/

Intelligence

File Origin
# of uploads :
1
# of downloads :
478
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
dcrat
Create hunting rule
ID:
1
File name:
3ba9ffc45ad7dcee17b186aa87448385.exe
Verdict:
Malicious activity
Analysis date:
2024-09-17 20:06:50 UTC
Tags:
loader rat dcrat remote darkcrystal netreactor susp-powershell wmi-base64
Link:
https://app.any.run/tasks/7f225d1e-7ae3-4842-8d93-df9986a56577

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Packed.Msilmamut-9950860-0
Create hunting rule

Win.Packed.Uztuby-9963900-0
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66e9e12b5d6a2b58599a9d7b
Tags:
Execution Network Other Static Stealth Trojan Msil
Verdict:
Malicious
Threat level:
  10/10
Confidence:
89%
Tags:
anti-vm cmd cscript explorer lolbin net_reactor obfuscated packed schtasks vbnet
Link:
https://www.filescan.io/uploads/66e9e12e043c09361a303f09/reports/9499aaba-1b84-4c1a-86d6-51fd3b7e424a/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/01890b0c69f77d95b535fe25ecabacd58d728e4a35bef959c41c1886dba50e8d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DCRat
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3d930194-7bb0-4c35-9b6f-a56274bdf819
Result
Threat name:
DCRat, PureLog Stealer, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1512802
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates processes via WMI
Drops executable to a common third party application directory
Drops PE files with benign system names
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Files With System Process Name In Unsuspected Locations
Suricata IDS alerts for network traffic
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected AntiVM3
Yara detected DCRat
Yara detected Generic Downloader
Yara detected PureLog Stealer
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1512802 Sample: OR4zbcEK70.exe Startdate: 17/09/2024 Architecture: WINDOWS Score: 100 70 951499cm.nyashtech.top 2->70 72 govnos3z.beget.tech 2->72 78 Suricata IDS alerts for network traffic 2->78 80 Found malware configuration 2->80 82 Malicious sample detected (through community Yara rule) 2->82 84 16 other signatures 2->84 10 VuBzNSSFpFzjYE.exe 14 4 2->10         started        13 OR4zbcEK70.exe 18 18 2->13         started        17 VuBzNSSFpFzjYE.exe 3 2->17         started        signatures3 process4 dnsIp5 58 C:\Users\user\AppData\...\PJWDXCMFPFRVG4V.exe, PE32 10->58 dropped 19 PJWDXCMFPFRVG4V.exe 10->19         started        74 951499cm.nyashtech.top 80.211.144.156, 49732, 49733, 49734 ARUBA-ASNIT Italy 13->74 60 C:\Users\Default\Desktop\VuBzNSSFpFzjYE.exe, PE32 13->60 dropped 62 C:\Recovery\VuBzNSSFpFzjYE.exe, PE32 13->62 dropped 64 C:\Program Files\...\VuBzNSSFpFzjYE.exe, PE32 13->64 dropped 66 4 other malicious files 13->66 dropped 108 Creates processes via WMI 13->108 110 Drops executable to a common third party application directory 13->110 23 cmd.exe 1 13->23         started        76 govnos3z.beget.tech 5.101.153.31, 49735, 49737, 80 BEGET-ASRU Russian Federation 17->76 file6 signatures7 process8 file9 46 C:\...\WebReviewWinSvc.exe, PE32 19->46 dropped 48 C:\PortsurrogateWinhostdhcp\ya0aIw.vbe, data 19->48 dropped 86 Antivirus detection for dropped file 19->86 88 Multi AV Scanner detection for dropped file 19->88 90 Machine Learning detection for dropped file 19->90 25 wscript.exe 19->25         started        28 VuBzNSSFpFzjYE.exe 4 23->28         started        31 w32tm.exe 1 23->31         started        33 conhost.exe 23->33         started        signatures10 process11 file12 98 Windows Scripting host queries suspicious COM object (likely to drop second stage) 25->98 35 cmd.exe 25->35         started        68 C:\Users\user\AppData\...\HDKK97XBP8RD8R4.exe, PE32 28->68 dropped 37 HDKK97XBP8RD8R4.exe 28->37         started        signatures13 process14 signatures15 40 WebReviewWinSvc.exe 35->40         started        44 conhost.exe 35->44         started        92 Antivirus detection for dropped file 37->92 94 Multi AV Scanner detection for dropped file 37->94 96 Machine Learning detection for dropped file 37->96 process16 file17 50 C:\Users\user\Desktop\wgiRTVcw.log, PE32 40->50 dropped 52 C:\Users\user\Desktop\eZSmAixh.log, PE32 40->52 dropped 54 C:\Users\user\Desktop\bRUdeQCl.log, PE32 40->54 dropped 56 8 other malicious files 40->56 dropped 100 Antivirus detection for dropped file 40->100 102 Multi AV Scanner detection for dropped file 40->102 104 Machine Learning detection for dropped file 40->104 106 2 other signatures 40->106 signatures18
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/01890b0c69f77d95b535fe25ecabacd58d728e4a35bef959c41c1886dba50e8d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/01890b0c69f77d95b535fe25ecabacd58d728e4a35bef959c41c1886dba50e8d/
Threat name:
ByteCode-MSIL.Trojan.Whispergate
Create hunting rule
Status:
Malicious
First seen:
2024-09-12 09:18:00 UTC
File Type:
PE (.Net Exe)
AV detection:
26 of 38 (68.42%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ageqwddj656zlnjv7ys6zk5m2wgxfdskgw7pswoedqminw5fb2gq._file
Verdict:
malicious
Label(s):
dcrat
Create hunting rule
Similar samples:
0cdd9cd133555f23cc30876c7ef36cca43834f4d6172a161436238cdc80c9e17
DCRat
2091f30ae284071301851cb735711b169ec5decc14539dab4d4176021d129524
DCRat
387d5d85440c9e1db680894c297350c26145221e3986ed01bd3b5bddd8cb923e
DCRat
e346f7ade392e3abaf8526a10c6c4f90b0aa758846767b7a4c17b1bf74239f4b
DCRat
+ 980 additional samples on MalwareBazaar
Result
Malware family:
dcrat
Create hunting rule
Score:
  10/10
Tags:
family:dcrat infostealer rat
Link:
https://tria.ge/reports/240917-yvdefasdnp/
Behaviour
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Checks computer location settings
Executes dropped EXE
Downloads MZ/PE file
DCRat payload
DcRat
Process spawned unexpected child process
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/04e1479c-5a33-469d-992b-48b1afdd729d
Unpacked files
SH256 hash:
b7e01b2a8820e74c6729c64be8a95021be1793821a95be26be0762fc9ae3b870
MD5 hash:
85581e592ca27c19ed1df1c86507a6cd
SHA1 hash:
072285d8317c0e9fa3edb6026be131aae1c0af3c
Link:
https://www.unpac.me/results/7fca648f-cf20-4dc6-9ecd-cb236e3bb79b/
SH256 hash:
01890b0c69f77d95b535fe25ecabacd58d728e4a35bef959c41c1886dba50e8d
MD5 hash:
3ba9ffc45ad7dcee17b186aa87448385
SHA1 hash:
c9772a3db677b2f70a4e9a2a774592affcddb9f4
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/7fca648f-cf20-4dc6-9ecd-cb236e3bb79b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/01890b0c69f77d95b535fe25ecabacd58d728e4a35bef959c41c1886dba50e8d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BAZT_B5_NOCEXInvalidStream
Create hunting rule
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:DotNet_Reactor
Create hunting rule
Author:@bartblaze
Description:Identifies .NET Reactor, which offers .NET code protection such as obfuscation, encryption and so on.
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:PureCrypter
Create hunting rule
Author:@bartblaze
Description:Identifies PureCrypter, .NET loader and obfuscator.
Reference:https://malpedia.caad.fkie.fraunhofer.de/details/win.purecrypter
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments