MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 13ea07554dba891639dfd7da53ce65cae482b44655814a1792fcff4baf12ed05. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 12


Intelligence 12 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 13ea07554dba891639dfd7da53ce65cae482b44655814a1792fcff4baf12ed05
SHA3-384 hash: 8127597b68bfaa8d10f830d85580a289cd5f187e1f1e7236381ab989be129e4d071c80b542d4d221f4501d5e9cadb39d
SHA1 hash: e7fb5983ec4f103e0ab6524a41ca02b371cdb0af
MD5 hash: 19335fedfe70a38e1750d525c9872759
humanhash: seventeen-tango-butter-mobile
File name:19335fedfe70a38e1750d525c9872759.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:4'171'264 bytes
First seen:2022-08-01 18:30:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a9c887a4f18a3fede2cc29ceea138ed3 (33 x CoinMiner, 17 x AsyncRAT, 15 x BlankGrabber)
ssdeep 98304:j53yXmbw6gBRDOPJZyo3jhlQHO5oUeeWqe:jByWbcbVoNMEoUe
Threatray 2'338 similar samples on MalwareBazaar
TLSH T1FD16E06309264CCBCF4E157B75FC966A61766110CA623745B8CB8F9D88F6F2082B70E7
TrID 40.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
16.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
12.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
11.0% (.EXE) Win32 Executable (generic) (4505/5/1)
5.0% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 58d8b26340809adc (7 x DCRat, 2 x XWorm, 1 x AsyncRAT)
Reporter abuse_ch
Tags:DCRat exe


Avatar
abuse_ch
DCRat C2:
http://cheathub.space/servertrafficprivate.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://cheathub.space/servertrafficprivate.php https://threatfox.abuse.ch/ioc/840947/

Intelligence

File Origin
# of uploads :
1
# of downloads :
406
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/295669/
Detection(s):
PUA.Win.Packer.Starforce-1
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a window
Creating a file
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Creating a file in the Windows subdirectories
Searching for the window
DNS request
Creating a file in the %temp% directory
Running batch commands
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/28009/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
dcrat nitol packed tiny
Link:
https://www.filescan.io/uploads/62e81bf1bcf76fcb6cd91a65/reports/13dc272d-8561-4aa4-974a-db68fb72a545/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a2d28248-bde1-4970-8ab0-3edbcb23fc4a
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1044400
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates processes via WMI
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Encrypted powershell cmdline option found
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Costura Assembly Loader
Yara detected DCRat
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 676894 Sample: slxD20OiHQ.exe Startdate: 01/08/2022 Architecture: WINDOWS Score: 100 51 149.189.2.0.in-addr.arpa 2->51 53 raw.githubusercontent.com 2->53 55 2 other IPs or domains 2->55 57 Malicious sample detected (through community Yara rule) 2->57 59 Antivirus detection for dropped file 2->59 61 Antivirus / Scanner detection for submitted sample 2->61 63 13 other signatures 2->63 9 slxD20OiHQ.exe 4 2->9         started        13 Idle.exe 2->13         started        15 Java Update.exe 2 2->15         started        17 11 other processes 2->17 signatures3 process4 file5 45 C:\Users\user\AppData\...\Java Update.exe, PE32 9->45 dropped 47 C:\Users\user\...xtreme Injector v3.exe, PE32 9->47 dropped 49 C:\Users\user\AppData\Roaming\Client.exe, PE32+ 9->49 dropped 69 Encrypted powershell cmdline option found 9->69 19 Java Update.exe 4 12 9->19         started        22 Client.exe 9->22         started        25 powershell.exe 9 9->25         started        27 Extreme Injector v3.exe 2 9->27         started        71 Antivirus detection for dropped file 13->71 73 Multi AV Scanner detection for dropped file 13->73 75 Machine Learning detection for dropped file 13->75 signatures6 process7 file8 39 C:\Windows\DigitalLocker\...\Java Update.exe, PE32 19->39 dropped 41 C:\Users\Default\AppData\Local\...\Idle.exe, PE32 19->41 dropped 43 C:\MSOCache\All Users\...\smss.exe, PE32 19->43 dropped 29 cmd.exe 19->29         started        65 Antivirus detection for dropped file 22->65 67 Multi AV Scanner detection for dropped file 22->67 31 conhost.exe 25->31         started        signatures9 process10 process11 33 conhost.exe 29->33         started        35 w32tm.exe 29->35         started        37 Idle.exe 29->37         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/13ea07554dba891639dfd7da53ce65cae482b44655814a1792fcff4baf12ed05/
Threat name:
Win32.Backdoor.Dcrat
Create hunting rule
Status:
Malicious
First seen:
2022-07-30 00:42:00 UTC
File Type:
PE (Exe)
Extracted files:
8
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cpvaovknxkermoo727nfhttfzlsifncgkwauuf4s7t7uxlys5ucq._file
Verdict:
malicious
Similar samples:
3e7cf8b2e3f6d13ecfccc5eb1cfb57dfe12303e3315500cecf37f53687a3c784
DCRat
95d4bef4559c26374dcc8193e1ea878e7c1675db0fb010598d56408704c63599
DCRat
975a57feee1242d2031e3f902b4f14ad7b9332c9dbb3f20863b119b00b5287d2
DCRat
ad8f12c1e6641d10ba6c2082668c34a30d4fd1886f207062e5526e2f58475da2
DCRat
bb55fcf1625411295d87059f3116db4109ef0783504fbce9c5eca05ef72d45e0
DCRat
cc6185c6a3594c435ceaf0cfa6404c0c632a18ae48b8bb1f17ca5b88572f2ca1
DCRat
+ 2'328 additional samples on MalwareBazaar
Result
Malware family:
dcrat
Create hunting rule
Score:
  10/10
Tags:
family:dcrat infostealer rat
Link:
https://tria.ge/reports/220801-w5175shbgm/
Behaviour
Creates scheduled task(s)
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
DCRat payload
DcRat
Process spawned unexpected child process
Unpacked files
SH256 hash:
b65f40618f584303ca0bcf9b5f88c233cc4237699c0c4bf40ba8facbe8195a46
MD5 hash:
ec801a7d4b72a288ec6c207bb9ff0131
SHA1 hash:
32eec2ae1f9e201516fa7fcdc16c4928f7997561
Link:
https://www.unpac.me/results/f0806a7f-941d-444c-982d-5be29ef216bd/
Parent samples :
c332bac5bfa6b4e806dbe65ff8b4041c7d931e6709349218f361437e1ae52c2f
261d6fc361222284586e133e152797651ecde629ac3243cf47dba5af1fa4c3cc
cc92c665e4e26f4bf880e69666f019f9d568533510d8ca3d5e4651c1e121231e
b99cd41e40fa63ebe8efc4f1263d9fe3c0151a05ac580ee5421ca365f163e5ea
709f5ad2bad14a2c881948f0ddb7b7f67e1b91ef981541f735c6a90e34c566fb
1691f0ab36468cfed1f7ebead04c3b46c11c4d8614aed53ff7060e7e7d669a4c
3847b2b3358e1367eea88ac614bcb5d760126b5a9fa59513966197b10b2f99a6
bdcdd7e8a1780076e09fa5f1635603ed07199a0f8a595e7ad5c089887d5a4cbf
dc8decaba2fbe09e0ca95485ed06376e65ba7e77869868beecf8f937747a213f
SH256 hash:
51779b33f2f4ff9942f3c747e91ad720792de63b1ed9ecc38ac978b927a59e42
MD5 hash:
e927fb8f22bcce02394aa2f920b7de9e
SHA1 hash:
056e19b41adebea147ca9fe2834a9cff29f45922
Link:
https://www.unpac.me/results/f0806a7f-941d-444c-982d-5be29ef216bd/
SH256 hash:
13ea07554dba891639dfd7da53ce65cae482b44655814a1792fcff4baf12ed05
MD5 hash:
19335fedfe70a38e1750d525c9872759
SHA1 hash:
e7fb5983ec4f103e0ab6524a41ca02b371cdb0af
Link:
https://www.unpac.me/results/f0806a7f-941d-444c-982d-5be29ef216bd/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/13ea07554dba891639dfd7da53ce65cae482b44655814a1792fcff4baf12ed05

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/295669/

Comments