MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1c22fc802845f881de088ba734ea7d78e0434451a08515875b6d4b2a57f4e90e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DCRat

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	1c22fc802845f881de088ba734ea7d78e0434451a08515875b6d4b2a57f4e90e
SHA3-384 hash:	95203527898ffec412045745d77dd634d79ef38f3c6e685a5956e7c8a8695838e365a34d95ae6c7cbe5e3689b58459b2
SHA1 hash:	5dbb79b326c015213350e48d74ac26a86adddbd2
MD5 hash:	40cced3355775814f3fe0a8284b5b995
humanhash:	green-carolina-alabama-beer
File name:	r3try hack.exe
Download:	download sample
Signature	DCRat Create hunting rule
File size:	1'646'080 bytes
First seen:	2021-07-15 12:53:16 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	2e5467cba76f44a088d39f78c5e807b6 (131 x DCRat, 112 x njrat, 79 x RedLineStealer)
ssdeep	49152:Cs+A40dOw3xU/47HKwHET+pj6fg0ZcFCXGGM:Cs5hdOs3FpQZnX
Threatray	71 similar samples on MalwareBazaar
TLSH	T1607533F602808775D6DB63B8E4E3E9287849C174ADC8BF04A4D646B174F07B95C7B82E
Reporter	Anonymous
Tags:	DCRat exe

Intelligence

File Origin

# of uploads :

# of downloads :

136

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

r3try hack.exe

Verdict:

Malicious activity

Analysis date:

2021-07-15 12:56:30 UTC

Tags:

trojan rat backdoor dcrat

Link:

https://app.any.run/tasks/9a105123-7b62-494d-83a7-b66aadfef181

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/171986/

Detection(s):

PUA.Win.Packer.EnigmaProtector-19

PUA.Win.Packer.EnigmaProtector-1

Win.Dropper.Nanocore-9863301-0

PUA.Win.Packer.EnigmaProtector-9852682-0

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/aa357098-441a-41c7-99eb-40ef197ff425

Result

Threat name:

DCRat

Detection:

malicious

Classification:

troj.adwa.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/816910

Signature

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Hides threads from debuggers

Machine Learning detection for sample

May check the online IP address of the machine

Modifies the hosts file

Multi AV Scanner detection for submitted file

PE file has nameless sections

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to evade analysis by execution special instruction which cause usermode exception

Yara detected DCRat

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1c22fc802845f881de088ba734ea7d78e0434451a08515875b6d4b2a57f4e90e/

Threat name:

ByteCode-MSIL.Backdoor.LightStone

Status:

Malicious

First seen:

2021-07-08 15:01:13 UTC

AV detection:

26 of 29 (89.66%)

Threat level:

5/5

Verdict:

malicious

DCRat

5f3d5f1a734020dabc57565c29f60194eb2a0fd1eba8fd7a041c6329d5803f78

DCRat

6718c04021467956503e7c53e7a6597fad77eafe88b080442d4168ab1081f32c

DCRat

844b9f86c1708ac12367aeef61e3116207fc430734449781d663755f9b4ffad8

DCRat

95f5464f22e6bbe285c912f7afd00836c7253babdf6b608cbbb5a063bb1f868f

DCRat

aebfeecd15596e7b6b4a739157229d3a0e1ea320e9352e4e725663b5a4f367b1

DCRat

d700e68d1c067c7bb297805d8429aa95cde9b6ec484c490ebdb01fc9689b1a31

DCRat

dec05061330cdd96419eb3cddade5f8198f6c30e17551842a0c644e1642ddea1

DCRat

+ 61 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

spyware stealer

Link:

https://tria.ge/reports/210715-kdw6zrh4ce/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of NtSetInformationThreadHideFromDebugger

Looks up external IP address via web service

Reads user/profile data of web browsers

Drops file in Drivers directory

Unpacked files

SH256 hash:

1c22fc802845f881de088ba734ea7d78e0434451a08515875b6d4b2a57f4e90e

MD5 hash:

40cced3355775814f3fe0a8284b5b995

SHA1 hash:

5dbb79b326c015213350e48d74ac26a86adddbd2

Link:

https://www.unpac.me/results/86818671-9725-4cf4-b42c-9b40f5a40fe8/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.62

Link:

https://yomi.yoroi.company/submissions/1c22fc802845f881de088ba734ea7d78e0434451a08515875b6d4b2a57f4e90e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	SUSP_XORed_URL_in_EXE Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/171986/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample