Threat name: HackBrowser, DCRat, Discord Token Stealer
Alert
Classification: rans.spre.troj.spyw.expl.evad
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Contains functionality to capture screen (.Net source)
Contains functionality to log keystrokes (.Net Source)
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Creates processes via WMI
Detected unpacking (creates a PE file in dynamic memory)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Encrypted powershell cmdline option found
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found many strings related to Crypto-Wallets (likely being stolen)
Found pyInstaller with non standard icon
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Infects executable files (exe, dll, sys, html)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Modifies existing user documents (likely ransomware behavior)
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Modifies Windows Defender protection settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Removes signatures from Windows Defender
Sigma detected: Capture Wi-Fi password
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Stop multiple services
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: System File Execution Location Anomaly
Sigma detected: Windows Binaries Write Suspicious Extensions
Sigma detected: WScript or CScript Dropper
Stops critical windows services
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to steal Crypto Currency Wallets
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes or reads registry keys via WMI
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Amnesia Stealer
Yara detected Costura Assembly Loader
Yara detected Discord Token Stealer
Yara detected Millenuim RAT
Yara detected PureLog Stealer
Yara detected Telegram RAT
Yara detected Telegram Recon
Behavior Graph
ID: 1503002
Sample: iqA8j9yGcd.exe
Startdate: 02/09/2024
Architecture: WINDOWS
Score: 100

Sample-level network contacts: api.telegram.org (signature: Uses the Telegram API (likely for C&C communication)); raw.githubusercontent.com; ip-api.com
Sample-level signatures: Suricata IDS alerts for network traffic; Antivirus detection for dropped file; Sigma detected: Capture Wi-Fi password; 36 other signatures

Process tree (rebuilt from the behavior graph; "dropped" lists files written by that process, "signatures" the detections attached to it, "network" the hosts it contacted):

iqA8j9yGcd.exe
  dropped: C:\Users\user\AppData\...\unicodedata.pyd (PE32+); C:\Users\user\AppData\Local\...\select.pyd (PE32+); C:\Users\user\AppData\Local\...\python311.dll (PE32+); 8 other malicious files
  signatures: Found pyInstaller with non standard icon
  started: iqA8j9yGcd.exe
    started: cmd.exe
      signatures: Wscript starts Powershell (via cmd or directly); Very long command line found; Encrypted powershell cmdline option found; 6 other signatures
      started: Build.exe
        dropped: C:\ProgramData\Microsoft\hacn.exe (PE32+); C:\ProgramData\Microsoft\based.exe (PE32+)
        signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
        started: hacn.exe
          dropped: C:\Users\user\AppData\...\unicodedata.pyd (PE32+); C:\Users\user\AppData\Local\...\select.pyd (PE32+); C:\Users\user\AppData\Local\Temp\...\s.exe (PE32); 8 other files (7 malicious)
          signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
          started: hacn.exe
            started: cmd.exe
              started: s.exe
                dropped: C:\ProgramData\svchost.exe (PE32); C:\ProgramData\setup.exe (PE32+); C:\ProgramData\main.exe (PE32)
                signatures: Multi AV Scanner detection for dropped file; Drops PE files with benign system names
                started: svchost.exe
                  dropped: C:\Users\user\...\ChainComServermonitor.exe (PE32); pFG3Duil1NAbFHoInF...Rvb98S0ewJA0VkW.vbe (data); C:\Users\user\...\oGgyulsi03j6EO3sjCC.bat (ASCII)
                  signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
                  started: wscript.exe
                    signatures: Wscript starts Powershell (via cmd or directly); Windows Scripting host queries suspicious COM object (likely to drop second stage)
                started: setup.exe
                  dropped: C:\Users\user\AppData\...\wxyubnjmnlae.tmp (PE32+); C:\Program Files\Google\Chrome\updater.exe (PE32+)
                  signatures: Detected unpacking (creates a PE file in dynamic memory); Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); 3 other signatures
                started: main.exe
                  network: ip-api.com (208.95.112.1, 49706, 56191, 56214; TUT-ASUS, United States); raw.githubusercontent.com (185.199.108.133, 443, 49707, 56192; FASTLYUS, Netherlands)
                  dropped: C:\Users\user\AppData\Roaming\...\Update.exe (PE32); C:\Users\user\AppData\...\sqlite.interop.dll (PE32+)
                  signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Found direct / indirect Syscall (likely to bypass EDR)
              started: conhost.exe
        started: based.exe
          dropped: C:\Users\user\AppData\...\unicodedata.pyd (PE32+); C:\Users\user\AppData\Local\...\sqlite3.dll (PE32+); C:\Users\user\AppData\Local\...\select.pyd (PE32+); 15 other malicious files
          signatures: Very long command line found; Modifies Windows Defender protection settings; Adds a directory exclusion to Windows Defender; 2 other signatures
          started: based.exe
            network: api.telegram.org (149.154.167.220, 443, 56193, 56194; TELEGRAMRU, United Kingdom)
            signatures: Very long command line found; Found many strings related to Crypto-Wallets (likely being stolen); Tries to harvest and steal browser information (history, passwords, etc); 6 other signatures
            started: cmd.exe
              signatures: Wscript starts Powershell (via cmd or directly); Very long command line found; Encrypted powershell cmdline option found
              started: 2 other processes
                started: csc.exe
                  dropped: C:\Users\user\AppData\Local\...\sirtu5ev.dll (PE32)
            started: cmd.exe
              signatures: Adds a directory exclusion to Windows Defender
              started: powershell.exe
                signatures: Loading BitLocker PowerShell Module
              started: conhost.exe
            started: cmd.exe
              signatures: Modifies Windows Defender protection settings
              started: powershell.exe
              started: conhost.exe
            started: 14 other processes
              signatures: Tries to harvest and steal WLAN passwords
              started: getmac.exe
                signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Writes or reads registry keys via WMI
              started: 24 other processes
                started: Conhost.exe
      started: conhost.exe
cmd.exe
  signatures: Multi AV Scanner detection for dropped file; Found direct / indirect Syscall (likely to bypass EDR)
powershell.exe
  signatures: Loading BitLocker PowerShell Module
  started: conhost.exe
2 other processes
  started: sc.exe
    started: Conhost.exe
  started: conhost.exe
  started: sc.exe
  started: sc.exe