MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 188ede1d0aebcbd326e9d7109e708e38b655134f0dcf3cb837e2446336aaeab7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 14


Intelligence 14 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 188ede1d0aebcbd326e9d7109e708e38b655134f0dcf3cb837e2446336aaeab7
SHA3-384 hash: 20529334b82d8ad46d48d9fb4ce6dacc636379f022a6bc3f7cdc78f5db8bca7c31925d9b918e23585ca1f5c42cca492a
SHA1 hash: e03aa103f4a43b7d5c50c56ecc61f3e5d5640d7b
MD5 hash: 84a806f02be2afa43787fa8654e4bf94
humanhash: paris-friend-wolfram-diet
File name:84a806f02be2afa43787fa8654e4bf94.exe
Download: download sample
Signature DCRat
Create hunting rule
File size:1'969'664 bytes
First seen:2022-10-27 13:30:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 49152:ZFfvXhy2aueloCfPnVlySVn7Z8nBsTYgAXc+jU9Gv:ZFXXhalloCHV7nKHg0cgU9G
Threatray 3'020 similar samples on MalwareBazaar
TLSH T1B795CF2825EB461CF43A5BB88FDBB8C64E9BF621212AF59E14ED03864533E45CDD3235
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:DCRat exe


Avatar
abuse_ch
DCRat C2:
http://135.181.164.113/external1cdn/TestBetterbigload/downloadslowWp/GeoToJavascript7/Todbprivateuploads.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://135.181.164.113/external1cdn/TestBetterbigload/downloadslowWp/GeoToJavascript7/Todbprivateuploads.php https://threatfox.abuse.ch/ioc/950871/

Intelligence

File Origin
# of uploads :
1
# of downloads :
241
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
dcrat
Create hunting rule
ID:
1
File name:
84a806f02be2afa43787fa8654e4bf94.exe
Verdict:
Malicious activity
Analysis date:
2022-10-27 13:31:06 UTC
Tags:
trojan rat backdoor dcrat stealer
Link:
https://app.any.run/tasks/f2bc67cc-ec01-4194-bc29-eddf6a24dfb1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DCRat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/324909/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.61676221.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Sending an HTTP GET request
Searching for synchronization primitives
Reading critical registry keys
Running batch commands
Creating a process with a hidden window
Forced shutdown of a system process
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ca042ab6-d420-4195-ad47-c0b50dc90bfb
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1099363
Signature
.NET source code contains very large strings
Antivirus detection for URL or domain
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected DCRat
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/188ede1d0aebcbd326e9d7109e708e38b655134f0dcf3cb837e2446336aaeab7/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-10-23 04:11:31 UTC
File Type:
PE (.Net Exe)
Extracted files:
19
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=dchn4hik5pf5gjxj24ij44eohc3fke2pbxhtzobx4jcggnvk5k3q._file
Verdict:
malicious
Similar samples:
198c4342d01c3a4e12ba3de4e1e78e9950d174ef10b0a3039e41c973022b8a1f
DCRat
2411d42daf12a01f127bd3bd9df51b1de96435ac11e0a44dee28e174e3c4bd65
DCRat
6bcf5705424ff9935c6dfd886e666af3cb2da930cfe82b0924b599f682b8f9bf
DCRat
8c7e227bdb4c0b55dfd41b29614bd1b852132c65ec90a564ebf67230d421abc8
DCRat
eccaec76c66960ba7245ac0b0d60c5f79ed52603a8333da79668ef4e78f42059
DCRat
+ 3'010 additional samples on MalwareBazaar
Result
Malware family:
dcrat
Create hunting rule
Score:
  10/10
Tags:
family:dcrat infostealer rat spyware
Link:
https://tria.ge/reports/221027-qsdnescdak/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
DCRat payload
DcRat
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/3ada99b1-17c3-4bbf-92d0-fb7fec35fb9b
Unpacked files
SH256 hash:
150bc49f9755f25221bfc445c7a067615cdb8de797c6c6ba873e3f56e0036799
MD5 hash:
62e2e1875fed8255a355ad33978871f8
SHA1 hash:
cbd378e64a125ba6b0306d126eec6bd4cecda46c
Link:
https://www.unpac.me/results/1d9cddfc-d24b-4f42-9b2b-53a98d76b1a4/
SH256 hash:
a9924c25706ead84f8bfd652de54a0fd84c00f77dd5828244681aab66273ccaf
MD5 hash:
9d80c0a96560a366f6d907b680df5f93
SHA1 hash:
eba8f68824e441002fb7c56c313f54dc71442e62
Link:
https://www.unpac.me/results/1d9cddfc-d24b-4f42-9b2b-53a98d76b1a4/
SH256 hash:
225bb87befa2d452175c6cf85c9011eca6a3d71d2898adcb6ec36bac044a2b27
MD5 hash:
472174a472ed985552e7ea3281b7651d
SHA1 hash:
c1e0af649a53e01f1c57f895b5b560d4890111e5
Link:
https://www.unpac.me/results/1d9cddfc-d24b-4f42-9b2b-53a98d76b1a4/
SH256 hash:
4f80ddfe49b270f801ab44aa899153bbe2a0fb93abed0f9fc992f74ff6ab4fde
MD5 hash:
f4ba8570299eabf8fe2d02cc1dc0606a
SHA1 hash:
5d7add32313074f5a1e9b4ab379298dee8b6217e
Link:
https://www.unpac.me/results/1d9cddfc-d24b-4f42-9b2b-53a98d76b1a4/
SH256 hash:
188ede1d0aebcbd326e9d7109e708e38b655134f0dcf3cb837e2446336aaeab7
MD5 hash:
84a806f02be2afa43787fa8654e4bf94
SHA1 hash:
e03aa103f4a43b7d5c50c56ecc61f3e5d5640d7b
Link:
https://www.unpac.me/results/1d9cddfc-d24b-4f42-9b2b-53a98d76b1a4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.55
Link:
https://yomi.yoroi.company/submissions/188ede1d0aebcbd326e9d7109e708e38b655134f0dcf3cb837e2446336aaeab7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/324909/

Comments