MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 13e063bc39be5c694f3bb67deead2b8a4781d98a0c26cc2d8ec68e0a72726dc7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



DCRat


Vendor detections: 13



SHA256 hash: 13e063bc39be5c694f3bb67deead2b8a4781d98a0c26cc2d8ec68e0a72726dc7
SHA3-384 hash: cbef97baa9824e20ec19769407bddf36840a520aace9cde457fab8eebb82209dc4ff600f42caebab6a7829da42b0ebf4
SHA1 hash: 157b9cec25720fcab4e98f1a517d3f31b7907988
MD5 hash: 15f1d514f044c09b23254d2c6a7afc30
humanhash: north-high-hot-iowa
File name: 13e063bc39be5c694f3bb67deead2b8a4781d98a0c26c.exe
Download: download sample
Signature: DCRat
File size: 4'146'936 bytes
First seen: 2024-01-09 02:45:13 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f6baa5eaa8231d4fe8e922a2e6d240ea (37 x CoinMiner, 22 x DCRat, 15 x LummaStealer)
ssdeep: 98304:N25Gespnnt0YKfTsz/E5LTZrKJWasLBAZTxgSHvPKejsJbO9VyjQ1R:N2n4t3O+wwJRxhHvyejrmk
Threatray: 215 similar samples on MalwareBazaar
TLSH: T161163343B7C0C5B6F5962634A4961B32D5B0BD242B0849CB1788FF012EBA7D7527E2E6
TrID: 43.3% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      27.6% (.EXE) Win64 Executable (generic) (10523/12/4)
      13.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
      5.3% (.EXE) OS/2 Executable (generic) (2029/13)
      5.2% (.EXE) Generic Win/DOS Executable (2002/3)
dhash icon: ecd4bcf4d4dcccd4 (1 x DCRat)
Reporter: abuse_ch
Tags: DCRat exe signed

Code Signing Certificate

Organisation: ESET NOD32
Issuer: ESET NOD32
Algorithm: sha256WithRSAEncryption
Valid from: 2023-01-07T00:00:00Z
Valid to: 2025-01-07T00:00:00Z
Serial number: 18cb782f809d01f0
Intelligence: 6 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm: SHA256
Thumbprint: 15e4263de8eba65a8668a6dafd9cf1b95d4aa42dfdb9ae73cda6e2a189663d42
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


abuse_ch
DCRat C2:
http://185.251.91.215/3Cdn/base5Securepublic/dle7sqlLine/1Video/php_/SqlDump/8pipePython/dumpTempTrafficexternal/Defaultjavascript0/externalimagevmRequestpolllowLongpollServercentral.php

Intelligence


File Origin
# of uploads: 1
# of downloads: 489
Origin country: NL
Vendor Threat Intelligence
Malware family: redline
ID: 1
File name: bomb.exe
Verdict: Malicious activity
Analysis date: 2024-01-09 12:04:45 UTC
Tags: opendir loader payload evasion stealer redline phorpiex trojan stealc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Enabling the 'hidden' option for files in the %temp% directory
Creating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Moving a file to the %temp% subdirectory
Creating a process from a recently created file
Sending a custom TCP request
Replacing files
Creating a file
Loading a suspicious library
Creating a file in the Windows subdirectories
Creating a file in the Program Files subdirectories
Using the Windows Management Instrumentation requests
Moving a file to the Program Files subdirectory
Replacing executable files
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Enabling autorun
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: hook installer keylogger lolbin overlay packed shell32
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: DCRat, zgRAT
Detection: malicious
Classification: spre.troj.expl.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Creates processes via WMI
Drops executables to the windows directory (C:\Windows) and starts them
Drops password protected ZIP file
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Sigma detected: Dot net compiler compiles file from suspicious location
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected DCRat
Yara detected zgRAT
Behaviour
Behavior Graph:
Behavior Graph ID: 1371587, Sample: 13e063bc39be5c694f3bb67deea..., Startdate: 09/01/2024, Architecture: WINDOWS, Score: 100 (graph rendering not reproducible as text)
Result
Malware family:
Score: 10/10
Tags: family:zgrat rat
Behaviour
Creates scheduled task(s)
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Executes dropped EXE
Loads dropped DLL
Detect ZGRat V1
Process spawned unexpected child process
ZGRat
Unpacked files
SHA256 hash: b8feeb6bfc11ac252aa6c1ee55eb069510a66a2924a04ff252cb515d50584db7
MD5 hash: 145e534ba5c7a97f9eeb4d1c90a7b841
SHA1 hash: e6049078ce728bc36c8428f2fc05a2ee2d048adf
SHA256 hash: 13e063bc39be5c694f3bb67deead2b8a4781d98a0c26cc2d8ec68e0a72726dc7
MD5 hash: 15f1d514f044c09b23254d2c6a7afc30
SHA1 hash: 157b9cec25720fcab4e98f1a517d3f31b7907988
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address
Rule name: PE_Digital_Certificate
Author: albertzsigovits
Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DCRat

Executable exe 13e063bc39be5c694f3bb67deead2b8a4781d98a0c26cc2d8ec68e0a72726dc7

(this sample)

Delivery method
Distributed via web download

Comments