MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 049e79c4d019081cf5894cc565963f88f8a9e76ca0749d750242692e65b79710. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DCRat

Vendor detections: 7

SHA256 hash: 049e79c4d019081cf5894cc565963f88f8a9e76ca0749d750242692e65b79710
SHA3-384 hash: c936f70395c8c1a15f91f0aa13477e705884bffa5cefe5d1ab4dc81fe57b499117ca1170cb74cf50e1fd6a302330a557
SHA1 hash: 33a5819b15bceb3809106b870bf85e7ec47b616e
MD5 hash: 2475be1a7b73399b745d5414379c097e
humanhash: wyoming-pluto-undress-gee
File name: 2475be1a7b73399b745d5414379c097e.exe
Signature: DCRat
File size: 422'512 bytes
First seen: 2021-09-21 19:45:52 UTC
Last seen: 2021-09-21 20:56:02 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 12288:h7/hpRa44ypHrt8phh37nXnBR1Wl3WaktC54b2sJqU6JlJHLtHQkgiU2:a7Uq2swUSlZlQxiU2
Threatray: 73 similar samples on MalwareBazaar
TLSH: T1F494E0FDB5D41A76E56E96F9D5F0001792FAF00B252CBF2704C84AF81A53F218C94E66
Reporter: abuse_ch
Tags: DCRat exe


abuse_ch
DCRat C2:
http://80.87.197.54/program/trace/ruledemocore/Server/prodlog/mobilephpPythonscreen/DjangosearcherDjangoframe/phpflowerAsynctrack.php

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://80.87.197.54/program/trace/ruledemocore/Server/prodlog/mobilephpPythonscreen/DjangosearcherDjangoframe/phpflowerAsynctrack.php
ThreatFox reference: https://threatfox.abuse.ch/ioc/224582/

Intelligence


File Origin
Number of uploads: 2
Number of downloads: 281
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 2475be1a7b73399b745d5414379c097e.exe
Verdict: Malicious activity
Analysis date: 2021-09-21 19:48:34 UTC
Tags: trojan rat backdoor dcrat stealer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Threat name:
Detection: malicious
Classification: troj.spyw.evad
Score: 68 / 100
Signatures:
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected DCRat
Threat name: ByteCode-MSIL.Backdoor.LightStone
Status: Malicious
First seen: 2021-09-17 19:31:00 UTC
AV detection: 14 of 28 (50.00%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: spyware stealer
Behaviour:
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Unpacked files
SHA256 hash: ea48278f0fe93706935e56ec196d04326bf9a7c55011ad4200c309874346ee49
MD5 hash: 93d1e4cbf6154446481084a8023b1076
SHA1 hash: f9cdb2682c9ae7bb6f8f2e4ec91cb368b801a63a

SHA256 hash: 99bf2fd7d894d3dfcad73816989ea266e5812b4e1ace7228eff7324ab4804cab
MD5 hash: 390cd679113f52332f4d57fa56e71a06
SHA1 hash: c94d19ae40abb7b2841a5ec778270503a2f9149e

SHA256 hash: 8063623fd33585184e865ac1f8685446c819841d212bc6c848f8dc4a137960be
MD5 hash: 4abff34e351e4e95514aecb515e8aea3
SHA1 hash: 742702e8c78e7cf19f19e56a6cdb2d1811759710

SHA256 hash: 049e79c4d019081cf5894cc565963f88f8a9e76ca0749d750242692e65b79710
MD5 hash: 2475be1a7b73399b745d5414379c097e
SHA1 hash: 33a5819b15bceb3809106b870bf85e7ec47b616e
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments