MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1b01d984b376180d8ebe4b7fce444056438d233c9b5ed58f648409a545091d6a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DCRat


Vendor detections: 9


Intelligence 9 IOCs 1 YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1b01d984b376180d8ebe4b7fce444056438d233c9b5ed58f648409a545091d6a
SHA3-384 hash: 3a23d17cb8b0442e1e62a27d6b6b486ffd873423db0f44bcd18b12bc90c963f8372bc48dce5c790a623d133143743b27
SHA1 hash: 4c86b0b36747503d55c82189bf95ba2245c6e4fb
MD5 hash: d32aed7204ae5bf456dc9d1be2c53d9e
humanhash: nebraska-neptune-foxtrot-lemon
File name:d32aed7204ae5bf456dc9d1be2c53d9e
Download: download sample
Signature DCRat
Create hunting rule
File size:1'251'450 bytes
First seen:2021-11-04 16:30:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 24576:U2G/nvxW3Ww0tZAanrdOl5tYbOba812a+4V:UbA30xdU
Threatray 1'130 similar samples on MalwareBazaar
TLSH T187455A12BA84CD12D169163BC9EF446447FCBD012A62CB5B7EEBB35D24113A35E0E1EB
File icon (PE):PE icon
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter zbetcheckin
Tags:32 DCRat exe

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://188.120.229.34/VideoWindowsPubliccdn.php https://threatfox.abuse.ch/ioc/244170/

Intelligence

File Origin
# of uploads :
1
# of downloads :
142
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d32aed7204ae5bf456dc9d1be2c53d9e
Verdict:
Malicious activity
Analysis date:
2021-11-04 16:47:55 UTC
Tags:
trojan rat backdoor dcrat stealer
Link:
https://app.any.run/tasks/d96fc5cb-815b-4467-b656-5a83213abfa9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/202414/
Detection(s):
Win.Malware.Uztuby-9848412-0
Create hunting rule

Win.Packed.Uztuby-9851623-0
Create hunting rule

Win.Trojan.Uztuby-9855059-0
Create hunting rule

Win.Ransomware.Clinix-9868408-0
Create hunting rule

SecuriteInfo.com.Trojan.Rasftuby.Gen.14.10239.27368.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
evasive greyware overlay packed packed
Link:
https://www.filescan.io/uploads/61840aca0621d706aea9f7d7/reports/9da52c5a-fa98-4ad1-9252-68c96299d20c/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/14db2835-146f-42a5-9e75-eee37e012b8d
Result
Threat name:
DCRat
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/883383
Signature
Antivirus detection for dropped file
Creates an autostart registry key pointing to binary in C:\Windows
Creates multiple autostart registry keys
Creates processes via WMI
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: System File Execution Location Anomaly
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected DCRat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 515820 Sample: GRSdNq0R3i Startdate: 04/11/2021 Architecture: WINDOWS Score: 100 47 Multi AV Scanner detection for submitted file 2->47 49 Yara detected DCRat 2->49 51 Drops executables to the windows directory (C:\Windows) and starts them 2->51 53 2 other signatures 2->53 9 GRSdNq0R3i.exe 3 6 2->9         started        12 explorer.exe 3 2->12         started        15 explorer.exe 2->15         started        18 17 other processes 2->18 process3 dnsIp4 33 C:\refHost\refHostWinruntimemonitor.exe, PE32 9->33 dropped 20 wscript.exe 1 9->20         started        63 Antivirus detection for dropped file 12->63 65 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 12->65 67 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 12->67 69 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 12->69 45 188.120.229.34, 49752, 49753, 49754 THEFIRST-ASRU Russian Federation 15->45 71 System process connects to network (likely due to code injection or exploit) 15->71 73 Tries to harvest and steal browser information (history, passwords, etc) 15->73 file5 signatures6 process7 process8 22 cmd.exe 1 20->22         started        process9 24 refHostWinruntimemonitor.exe 7 22 22->24         started        29 conhost.exe 22->29         started        dnsIp10 43 192.168.2.1 unknown unknown 24->43 35 C:\Windows\splwow64\explorer.exe, PE32 24->35 dropped 37 C:\Windows\System32\wbem\...\WmiPrvSE.exe, PE32 24->37 dropped 39 C:\Windows\System32\raschapext\spoolsv.exe, PE32 24->39 dropped 41 4 other files (3 malicious) 24->41 dropped 55 Antivirus detection for dropped file 24->55 57 Creates multiple autostart registry keys 24->57 59 Creates an autostart registry key pointing to binary in C:\Windows 24->59 61 2 other signatures 24->61 31 wininit.exe 24->31         started        file11 signatures12 process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1b01d984b376180d8ebe4b7fce444056438d233c9b5ed58f648409a545091d6a/
Threat name:
ByteCode-MSIL.Backdoor.LightStone
Create hunting rule
Status:
Malicious
First seen:
2021-11-04 13:52:43 UTC
AV detection:
22 of 45 (48.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dma5tbftoyma3dv6jn744rcakzby2iz4tnpnld3eqqe2krijdvva._file
Verdict:
malicious
Similar samples:
0757a3b97f39c1d8a6c3d94770762a3912304cfaffa0330761945acd7f236213
DCRat
3194e2fb68c007cf2f6deaa1fb07b2cc68292ee87f37dff70ba142377e2ca1fa
DCRat
4cced7c39444bc55a0cd79b0384b24517e355e0d70ab20019af96f2a7c181cd8
DCRat
51b8434c68594113a4036358e477fe1ae1b4cc0b99d653b224250e24537d87e2
DCRat
6e491124fc83eb50eae434f1aafe070f9dba30d2ed03d10abd7cc2d91fcfc4dd
DCRat
748f35be261019103aae31d43b1fa88fda9cbc99043122e76b5c0a0d94cb808f
DCRat
95155b1eb26b2f4d548de9b64239aa4339c191a56b9f1e61697351dced1c9bc7
DCRat
cba27621d4b7c92fd50bf37135e150b45097ca9306061ed7049f802047bbd1b9
DCRat
+ 1'120 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence spyware stealer
Link:
https://tria.ge/reports/211104-t1c9eahad5/
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in System32 directory
Adds Run key to start application
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Process spawned unexpected child process
Unpacked files
SH256 hash:
7aed633d0fbdb996e34fba5d2dd3b1d903051fc3f5fda816d4c9478d4edb60fe
MD5 hash:
7ed155fd765c9bbe28fb4e0a480a7c81
SHA1 hash:
7a8ac3dcdfaefafed18f30174102e32502181470
Link:
https://www.unpac.me/results/ca4c4005-e13b-48bd-b1ac-00c3773b4e22/
SH256 hash:
1b01d984b376180d8ebe4b7fce444056438d233c9b5ed58f648409a545091d6a
MD5 hash:
d32aed7204ae5bf456dc9d1be2c53d9e
SHA1 hash:
4c86b0b36747503d55c82189bf95ba2245c6e4fb
Link:
https://www.unpac.me/results/ca4c4005-e13b-48bd-b1ac-00c3773b4e22/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/1b01d984b376/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1b01d984b376180d8ebe4b7fce444056438d233c9b5ed58f648409a545091d6a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DCRat

Executable exe 1b01d984b376180d8ebe4b7fce444056438d233c9b5ed58f648409a545091d6a

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1752036/
Cape
Cape
https://www.capesandbox.com/analysis/202414/

Comments


Avatar
zbet commented on 2021-11-04 16:30:33 UTC

url : hxxp://host-host-file6.com/files/5334_1636030207_6453.exe