MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 138905d6721c1e6b174b6f61154a938565c9bd5c6b5b0abe8274054bf151da9c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 15


Intelligence 15 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 138905d6721c1e6b174b6f61154a938565c9bd5c6b5b0abe8274054bf151da9c
SHA3-384 hash: 20fbe207b55ea9171214b3b7e46393c090a2155723754aaa17aec615be2ac4b11921ddbffa24419a4b48f5d84fdf1088
SHA1 hash: cd4b6caab8b3762d3af3b7ad738f51d2e92c2d34
MD5 hash: 4164d5955c244ff266c1cc41013fe21a
humanhash: gee-bulldog-sixteen-hot
File name:4164D5955C244FF266C1CC41013FE21A.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:3'672'576 bytes
First seen:2024-03-29 06:35:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 98304:ce0NRfHctOXBignPFAfL7B71KHijptuNMsZ:c1lckBiKPJCVt4Z
Threatray 184 similar samples on MalwareBazaar
TLSH T11406E10696714E73C1A47F72C4E7082D92E09B667623EF1B371F50D9A8232718B571FA
TrID 60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.8% (.SCR) Windows screen saver (13097/50/3)
8.7% (.EXE) Win64 Executable (generic) (10523/12/4)
5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter abuse_ch
Tags:DCRat exe


Avatar
abuse_ch
DCRat C2:
http://89.23.98.225/8pollDbvoiddb/DatalifeFlowerWp/processbaseMariadb1/Defaultbigloadpython/Generator/videoLowUpdateDbasync.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
474
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
dcrat
Create hunting rule
ID:
1
File name:
138905d6721c1e6b174b6f61154a938565c9bd5c6b5b0abe8274054bf151da9c.exe
Verdict:
Malicious activity
Analysis date:
2024-03-29 06:36:57 UTC
Tags:
rat backdoor dcrat remote stealer
Link:
https://app.any.run/tasks/67e09a3b-8904-4898-ba26-406e4b654e9e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file
Using the Windows Management Instrumentation requests
Launching a process
Creating a file in the %temp% directory
Running batch commands
Creating a process with a hidden window
Sending a UDP request
Creating a process from a recently created file
Loading a suspicious library
Connection attempt
Sending an HTTP POST request
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
net_reactor packed packed
Link:
https://www.filescan.io/uploads/66066153eda319274611babb/reports/a1a887ae-a6c5-4205-bf29-ce9a3411fca9/overview
Verdict:
Malicious
Labled as:
Trojan.MSIL.Basic.8
Link:
https://www.hybrid-analysis.com/sample/138905d6721c1e6b174b6f61154a938565c9bd5c6b5b0abe8274054bf151da9c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/5524839a-57d2-497c-9212-7533ecc0bb56
Result
Threat name:
DCRat, PureLog Stealer, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1417387
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates processes via WMI
Detected unpacking (creates a PE file in dynamic memory)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Files With System Process Name In Unsuspected Locations
Snort IDS alert for network traffic
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected DCRat
Yara detected PureLog Stealer
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1417387 Sample: ZT3pxe2Tb4.exe Startdate: 29/03/2024 Architecture: WINDOWS Score: 100 187 Snort IDS alert for network traffic 2->187 189 Antivirus detection for dropped file 2->189 191 Antivirus / Scanner detection for submitted sample 2->191 193 9 other signatures 2->193 14 ZT3pxe2Tb4.exe 4 30 2->14         started        18 fontdrvhost.exe 14 27 2->18         started        21 fontdrvhost.exe 2 2->21         started        process3 dnsIp4 153 C:\Users\user\Desktop\zsrQNmVQ.log, PE32 14->153 dropped 155 C:\Users\user\Desktop\xvPIrmGV.log, PE32 14->155 dropped 157 C:\Users\user\Desktop\wHLAFYKX.log, PE32 14->157 dropped 165 20 other malicious files 14->165 dropped 205 Detected unpacking (creates a PE file in dynamic memory) 14->205 207 Uses schtasks.exe or at.exe to add and modify task schedules 14->207 209 Creates processes via WMI 14->209 23 cmd.exe 1 14->23         started        26 schtasks.exe 14->26         started        28 schtasks.exe 14->28         started        30 schtasks.exe 14->30         started        185 89.23.98.225, 49730, 49731, 49738 MAXITEL-ASRU Russian Federation 18->185 159 C:\Users\user\Desktop\ylQifTUJ.log, PE32 18->159 dropped 161 C:\Users\user\Desktop\uvZrYWTP.log, PE32 18->161 dropped 163 C:\Users\user\Desktop\pzYaRqdW.log, PE32 18->163 dropped 167 19 other malicious files 18->167 dropped 211 Antivirus detection for dropped file 18->211 213 Multi AV Scanner detection for dropped file 18->213 215 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 18->215 217 Machine Learning detection for dropped file 18->217 32 cmd.exe 1 18->32         started        file5 signatures6 process7 signatures8 197 Uses ping.exe to sleep 23->197 199 Uses ping.exe to check the status of other devices and networks 23->199 34 fontdrvhost.exe 26 23->34         started        37 conhost.exe 23->37         started        39 PING.EXE 1 23->39         started        41 chcp.com 1 23->41         started        43 fontdrvhost.exe 32->43         started        45 conhost.exe 32->45         started        47 PING.EXE 1 32->47         started        49 chcp.com 1 32->49         started        process9 file10 113 C:\Users\user\Desktop\zfzIrCEh.log, PE32 34->113 dropped 115 C:\Users\user\Desktop\sXAbZyyE.log, PE32 34->115 dropped 117 C:\Users\user\Desktop\phJkSByL.log, PE32 34->117 dropped 125 19 other malicious files 34->125 dropped 51 cmd.exe 34->51         started        119 C:\Users\user\Desktop\zntiAIEO.log, PE32 43->119 dropped 121 C:\Users\user\Desktop\yEAAOeyR.log, PE32 43->121 dropped 123 C:\Users\user\Desktop\xHZssejW.log, PE32 43->123 dropped 127 19 other malicious files 43->127 dropped 54 cmd.exe 43->54         started        process11 signatures12 195 Uses ping.exe to sleep 51->195 56 fontdrvhost.exe 51->56         started        59 conhost.exe 51->59         started        61 chcp.com 51->61         started        63 PING.EXE 51->63         started        65 fontdrvhost.exe 54->65         started        67 conhost.exe 54->67         started        69 chcp.com 54->69         started        71 PING.EXE 54->71         started        process13 file14 137 C:\Users\user\Desktop\zldaSYtH.log, PE32 56->137 dropped 139 C:\Users\user\Desktop\wsOrhbIJ.log, PE32 56->139 dropped 141 C:\Users\user\Desktop\nJvbxzCb.log, PE32 56->141 dropped 149 19 other malicious files 56->149 dropped 73 cmd.exe 56->73         started        143 C:\Users\user\Desktop\sihlzJJp.log, PE32 65->143 dropped 145 C:\Users\user\Desktop\rudcNvNr.log, PE32 65->145 dropped 147 C:\Users\user\Desktop\rmtKjMmm.log, PE32 65->147 dropped 151 19 other malicious files 65->151 dropped 75 cmd.exe 65->75         started        process15 signatures16 78 fontdrvhost.exe 73->78         started        81 conhost.exe 73->81         started        83 chcp.com 73->83         started        85 w32tm.exe 73->85         started        201 Uses ping.exe to sleep 75->201 87 fontdrvhost.exe 75->87         started        89 conhost.exe 75->89         started        91 chcp.com 75->91         started        93 PING.EXE 75->93         started        process17 file18 169 C:\Users\user\Desktop\zReaumVj.log, PE32 78->169 dropped 171 C:\Users\user\Desktop\xgyKnYKq.log, PE32 78->171 dropped 173 C:\Users\user\Desktop\xOrrZDRn.log, PE32 78->173 dropped 181 19 other malicious files 78->181 dropped 95 cmd.exe 78->95         started        175 C:\Users\user\Desktop\zuGjoWSN.log, PE32 87->175 dropped 177 C:\Users\user\Desktop\zTojkKNX.log, PE32 87->177 dropped 179 C:\Users\user\Desktop\uHokLZDZ.log, PE32 87->179 dropped 183 19 other malicious files 87->183 dropped 97 cmd.exe 87->97         started        process19 process20 99 fontdrvhost.exe 95->99         started        102 conhost.exe 95->102         started        104 chcp.com 95->104         started        106 w32tm.exe 95->106         started        108 conhost.exe 97->108         started        file21 129 C:\Users\user\Desktop\zzDSBAiP.log, PE32 99->129 dropped 131 C:\Users\user\Desktop\wOXBumXW.log, PE32 99->131 dropped 133 C:\Users\user\Desktop\sYhLnqXd.log, PE32 99->133 dropped 135 19 other malicious files 99->135 dropped 110 cmd.exe 99->110         started        process22 signatures23 203 Uses ping.exe to sleep 110->203
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/138905d6721c1e6b174b6f61154a938565c9bd5c6b5b0abe8274054bf151da9c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/138905d6721c1e6b174b6f61154a938565c9bd5c6b5b0abe8274054bf151da9c/
Threat name:
ByteCode-MSIL.Trojan.Whispergate
Create hunting rule
Status:
Malicious
First seen:
2024-03-25 15:32:42 UTC
AV detection:
23 of 24 (95.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=coeqlvtsdqpgwf2ln5qrksutqvs4tpk4nnnqvpucoqcux4kr3koa._file
Verdict:
malicious
Similar samples:
0266dc2bf6eb73b5ef4770bedecadbffb0c35cd3b17c9a97e39712d92f17d199
DCRat
21db4cd681095da19d677cceaa96d61b988bbbc3be10bb834011c87c9641185c
DCRat
846646dae2f70ac644cd3420d1d465593f654b3f827e84b2ef421e701b37a72e
DCRat
aed6efbcad60ad52492ceb3f0da88bd7d457a7531cc43a7808c630cf5166bdbb
DCRat
d3a6e5b3d3282a3b47296defa8671c679d816470a80d4c2aa119fdcb97a4d026
DCRat
e434b8362b39f1202159b48a025eece729c54a2627c04fe927ece4566c2ca2b7
DCRat
fd013757b73bc051725a6cd214b5b5a4373ce97105404a7608226bb7e700fab5
DCRat
+ 174 additional samples on MalwareBazaar
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:zgrat rat
Link:
https://tria.ge/reports/240329-hcw6tscd38/
Behaviour
Creates scheduled task(s)
Modifies registry class
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Checks computer location settings
Executes dropped EXE
Detect ZGRat V1
Process spawned unexpected child process
ZGRat
Unpacked files
SH256 hash:
2b93377ea087225820a9f8e4f331005a0c600d557242366f06e0c1eae003d669
MD5 hash:
d8bf2a0481c0a17a634d066a711c12e9
SHA1 hash:
7cc01a58831ed109f85b64fe4920278cedf3e38d
Link:
https://www.unpac.me/results/783d05e4-4e36-4cde-8f08-fa4f48165495/
SH256 hash:
7a080d8bd178ec02c7f39f7f941479074c450c4fdd8e963c993d2fb5537c7708
MD5 hash:
16b480082780cc1d8c23fb05468f64e7
SHA1 hash:
6fddf86f9f0fbaa189f5cb79e44999a3f1ac2b26
Link:
https://www.unpac.me/results/783d05e4-4e36-4cde-8f08-fa4f48165495/
SH256 hash:
138905d6721c1e6b174b6f61154a938565c9bd5c6b5b0abe8274054bf151da9c
MD5 hash:
4164d5955c244ff266c1cc41013fe21a
SHA1 hash:
cd4b6caab8b3762d3af3b7ad738f51d2e92c2d34
Detections:
INDICATOR_EXE_Packed_DotNetReactor
Create hunting rule
Link:
https://www.unpac.me/results/783d05e4-4e36-4cde-8f08-fa4f48165495/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/138905d6721c1e6b174b6f61154a938565c9bd5c6b5b0abe8274054bf151da9c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_DotNetReactor
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with unregistered version of .NET Reactor
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:PureCrypter
Create hunting rule
Author:@bartblaze
Description:Identifies PureCrypter, .NET loader and obfuscator.
Reference:https://malpedia.caad.fkie.fraunhofer.de/details/win.purecrypter
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments