MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 13b9b3ae4d0e94099f69c0968b770ad5651b6d23f043a6bc34a3475f5167fc6d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 13b9b3ae4d0e94099f69c0968b770ad5651b6d23f043a6bc34a3475f5167fc6d
SHA3-384 hash: cb4e2d3f71e98897cbd6d2ea45ddc7b5742b1e4c1d947c5d081a333b0396bf4bf31d872a8f2f4bd42948e6509710d7d0
SHA1 hash: aeebb9eec1ba7324f12f151e768e0b1e91ec9548
MD5 hash: d4c89ca639391f091d2ef4f2e0ecdd59
humanhash: jersey-march-network-cola
File name:d4c89ca639391f091d2ef4f2e0ecdd59
Download: download sample
Signature DCRat
Create hunting rule
File size:1'445'025 bytes
First seen:2021-11-10 02:51:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 24576:U2G/nvxW3Ww0tSr6SsjYSoIjAdGdTU3v2gcSvx8VLpx+4l:UbA30ss8SxU3v20Apwm
Threatray 908 similar samples on MalwareBazaar
TLSH T1C56539827E46ED02C02A1637C9EF846407B8FD417B66CA1A7E9F335D64163E35D0D2EA
File icon (PE):PE icon
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter zbetcheckin
Tags:32 DCRat exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
117
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/204584/
Detection(s):
Win.Malware.Uztuby-9848412-0
Create hunting rule

Win.Packed.Uztuby-9851623-0
Create hunting rule

Win.Packed.Uztuby-9875336-0
Create hunting rule

Win.Packed.Uztuby-9877681-0
Create hunting rule

Win.Packed.Uztuby-9878629-0
Create hunting rule

Win.Packed.Uztuby-9892756-0
Create hunting rule

Win.Packed.Basic-9897090-0
Create hunting rule

SecuriteInfo.com.Trojan.Rasftuby.Gen.14.10239.27368.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm greyware makop overlay
Link:
https://www.filescan.io/uploads/618b33d5175442ca93a9ff69/reports/3e2c7cc6-1fe2-422b-a7df-a09166847e40/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/aa0f469c-78bb-48c5-a7fc-dda2b9c0ed09
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/886427
Signature
Antivirus detection for dropped file
Creates an autostart registry key pointing to binary in C:\Windows
Creates multiple autostart registry keys
Creates processes via WMI
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: System File Execution Location Anomaly
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected DCRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 518895 Sample: DabPFibJHn Startdate: 10/11/2021 Architecture: WINDOWS Score: 100 45 Found malware configuration 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 Yara detected DCRat 2->49 51 4 other signatures 2->51 9 DabPFibJHn.exe 3 6 2->9         started        12 spoolsv.exe 3 2->12         started        15 WmiPrvSE.exe 3 2->15         started        17 11 other processes 2->17 process3 dnsIp4 41 C:\...\savesHostNetwinPerfcommon.exe, PE32 9->41 dropped 20 wscript.exe 1 9->20         started        61 Antivirus detection for dropped file 12->61 63 Multi AV Scanner detection for dropped file 12->63 65 Machine Learning detection for dropped file 12->65 43 82.146.56.118, 80 THEFIRST-ASRU Russian Federation 17->43 file5 signatures6 process7 process8 22 cmd.exe 1 20->22         started        process9 24 savesHostNetwinPerfcommon.exe 6 16 22->24         started        28 conhost.exe 22->28         started        file10 33 C:\Windows\System32\elshyph\winlogon.exe, PE32 24->33 dropped 35 C:\Windows\SysWOW64\wbem\fdWSD\WmiPrvSE.exe, PE32 24->35 dropped 37 C:\Users\Public\Videos\spoolsv.exe, PE32 24->37 dropped 39 2 other malicious files 24->39 dropped 53 Antivirus detection for dropped file 24->53 55 Multi AV Scanner detection for dropped file 24->55 57 Machine Learning detection for dropped file 24->57 59 4 other signatures 24->59 30 RuntimeBroker.exe 2 24->30         started        signatures11 process12 signatures13 67 Antivirus detection for dropped file 30->67 69 Multi AV Scanner detection for dropped file 30->69 71 Machine Learning detection for dropped file 30->71
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/13b9b3ae4d0e94099f69c0968b770ad5651b6d23f043a6bc34a3475f5167fc6d/
Threat name:
ByteCode-MSIL.Backdoor.LightStone
Create hunting rule
Status:
Malicious
First seen:
2021-11-08 17:43:57 UTC
AV detection:
23 of 45 (51.11%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
2e7c0e72ebe65df6ed44631550c14d1dfce5c0a540ed450df984802890b25c53
DCRat
4cced7c39444bc55a0cd79b0384b24517e355e0d70ab20019af96f2a7c181cd8
DCRat
51b8434c68594113a4036358e477fe1ae1b4cc0b99d653b224250e24537d87e2
DCRat
6e491124fc83eb50eae434f1aafe070f9dba30d2ed03d10abd7cc2d91fcfc4dd
DCRat
786cd9f43e76702fd26319d85239b17c6acf79e5afda1a3ab82d95e46bbceff7
DCRat
95155b1eb26b2f4d548de9b64239aa4339c191a56b9f1e61697351dced1c9bc7
DCRat
99b234ed5fcab5f1e2ebbc0a26fd5e94a3efa69fadb275065592ea7cba636e16
DCRat
+ 898 additional samples on MalwareBazaar
Result
Malware family:
dcrat
Create hunting rule
Score:
  10/10
Tags:
family:dcrat infostealer persistence rat suricata
Link:
https://tria.ge/reports/211110-dcq8csdcgk/
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
DCRat Payload
DcRat
Process spawned unexpected child process
suricata: ET MALWARE DCRAT Activity (GET)
Unpacked files
SH256 hash:
d8df79e4de060223e7a193c74b30a22677fde01e974c72b9d9b74414ea5c9934
MD5 hash:
447fd8100f5df9f34057b66320f3d6e1
SHA1 hash:
4cdef420587e9682a3d61da83367b316a2a4e49c
Link:
https://www.unpac.me/results/02a994a2-45e5-45bd-930c-77ea027f8c8c/
SH256 hash:
763d159311bb5d609d21c94cb7d5e2c59c93409fc016a3bb6ffae50b8e2653aa
MD5 hash:
ee64c616c25e5c42125195bc2467122e
SHA1 hash:
09846768a76de676cc0e21cb637aa0a8340b30ca
Link:
https://www.unpac.me/results/02a994a2-45e5-45bd-930c-77ea027f8c8c/
SH256 hash:
13b9b3ae4d0e94099f69c0968b770ad5651b6d23f043a6bc34a3475f5167fc6d
MD5 hash:
d4c89ca639391f091d2ef4f2e0ecdd59
SHA1 hash:
aeebb9eec1ba7324f12f151e768e0b1e91ec9548
Link:
https://www.unpac.me/results/02a994a2-45e5-45bd-930c-77ea027f8c8c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/13b9b3ae4d0e94099f69c0968b770ad5651b6d23f043a6bc34a3475f5167fc6d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DCRat

Executable exe 13b9b3ae4d0e94099f69c0968b770ad5651b6d23f043a6bc34a3475f5167fc6d

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1771233/
Cape
Cape
https://www.capesandbox.com/analysis/204584/

Comments


Avatar
zbet commented on 2021-11-10 02:51:30 UTC

url : hxxp://82.146.56.118/output/_cached/EternalphpsecureProcessapi/1574bddb75c78a6fd2251d61e2993b5146201319.bin